{"id": "CENTOS_RHSA-2015-1920.NASL", "bulletinFamily": "scanner", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)", "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "published": "2015-10-22T00:00:00", "modified": "2020-04-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/86517", "reporter": "This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?da0d7a33", "http://www.nessus.org/u?aaf9e0f6"], "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "type": "nessus", "lastseen": "2020-04-01T06:49:42", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless"], "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 11, "enchantments": {"dependencies": {"modified": "2019-10-28T20:00:39", "references": [{"idList": ["SL_20151021_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "ORACLELINUX_ELSA-2015-1919.NASL", "SUSE_SU-2015-1874-1.NASL", "REDHAT-RHSA-2015-1920.NASL", "SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "OPENSUSE-2015-697.NASL", "REDHAT-RHSA-2015-1921.NASL", "ALA_ALAS-2015-606.NASL", "REDHAT-RHSA-2015-1919.NASL", "ALA_ALAS-2015-605.NASL"], "type": "nessus"}, {"idList": ["CESA-2015:1919", "CESA-2015:1921", "CESA-2015:1920", "CESA-2015:2086"], "type": "centos"}, {"idList": ["ASA-201510-15", "ASA-201510-16", "ASA-201510-17"], "type": "archlinux"}, {"idList": ["RHSA-2015:1920", "RHSA-2015:1921", "RHSA-2015:1919", "RHSA-2015:1927", "RHSA-2015:2086", "RHSA-2015:1928"], "type": "redhat"}, {"idList": ["DEBIAN:DSA-3381-2:F5B92", "DEBIAN:DLA-346-1:13970", "DEBIAN:DSA-3381-1:4656D"], "type": "debian"}, {"idList": ["USN-2827-1", "USN-2784-1"], "type": "ubuntu"}, {"idList": ["JAVA_OCT2015_ADVISORY.ASC"], "type": "aix"}, {"idList": ["OPENVAS:1361412562310851182", "OPENVAS:1361412562310851123", "OPENVAS:1361412562310122716", "OPENVAS:1361412562310842507", "OPENVAS:1361412562310703381", "OPENVAS:1361412562310882301", "OPENVAS:1361412562310120596", "OPENVAS:1361412562310882304", "OPENVAS:1361412562310122718", "OPENVAS:1361412562310882302"], "type": "openvas"}, {"idList": ["OPENSUSE-SU-2015:1971-1", "OPENSUSE-SU-2015:1906-1", "SUSE-SU-2015:1875-1", "SUSE-SU-2015:1874-1", "SUSE-SU-2015:1875-2", "OPENSUSE-SU-2015:1902-1", "SUSE-SU-2015:2268-1", "SUSE-SU-2015:1874-2"], "type": "suse"}, {"idList": ["ALAS-2015-616", "ALAS-2015-606", "ALAS-2015-605"], "type": "amazon"}, {"idList": ["F5:K14132811", "SOL14132811", "F5:K05534090", "SOL05534090"], "type": "f5"}, {"idList": ["ELSA-2015-1921", "ELSA-2015-1920", "ELSA-2015-2086", "ELSA-2015-1919"], "type": "oraclelinux"}]}, "score": {"modified": "2019-10-28T20:00:39", "value": 10.0, "vector": "NONE"}}, "hash": "c6ae003835e84d250150eb48caf7d12538305b2aad3c7bdc9fbc022feb15fe58", "hashmap": [{"hash": "cf5ab192321e0c9602e97a714f8a5102", "key": "published"}, {"hash": "7c656ed7880b629da6e4fb396cb49bc6", "key": "cvelist"}, {"hash": "79cdaf1ae680b7cc7301383017714554", "key": "pluginID"}, {"hash": "46bb21c1853c9999d550a0242ac21a5e", "key": "title"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "846e8207f7cb72ef99ba52615d126f11", "key": "href"}, {"hash": "f82feb6b55f329a4801a7908bc18a9d6", "key": "reporter"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "9113d4a13141e433697defd993025ea2", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "64ba37ea77e31f594b6a51428de8ac8a", "key": "sourceData"}, {"hash": "b0c02e2755a67bb9dd54f480fe0bfc83", "key": "description"}, {"hash": "cd4a586dc1a91f8067d901489deec968", "key": "references"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/86517", "id": "CENTOS_RHSA-2015-1920.NASL", "lastseen": "2019-10-28T20:00:39", "modified": "2019-10-02T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "86517", "published": "2015-10-22T00:00:00", "references": ["http://www.nessus.org/u?da0d7a33", "http://www.nessus.org/u?aaf9e0f6"], "reporter": "This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1920 and \n# CentOS Errata and Security Advisory 2015:1920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86517);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2019/10/02 15:30:20\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021437.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aaf9e0f6\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?da0d7a33\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)", "type": "nessus", "viewCount": 2}, "differentElements": ["modified"], "edition": 11, "lastseen": "2019-10-28T20:00:39"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless"], "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "edition": 3, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "7e1dff51c4f116ca18da7ef1f7f491f5f3580b6e9813fea0157848dda70baa18", "hashmap": [{"hash": "cf5ab192321e0c9602e97a714f8a5102", "key": "published"}, {"hash": "a04dfbcd8f8fb3d3d3172edcfb44ff5b", "key": "description"}, {"hash": "7c656ed7880b629da6e4fb396cb49bc6", "key": "cvelist"}, {"hash": "79cdaf1ae680b7cc7301383017714554", "key": "pluginID"}, {"hash": "fb48b5ac7b49656e9d172e25f6357680", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "280e50c57199f20e7f685262ed457ec4", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "46bb21c1853c9999d550a0242ac21a5e", "key": "title"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "f960f1feae0ba88ece12e709454f2d30", "key": "href"}, {"hash": "9113d4a13141e433697defd993025ea2", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f868e4d3a85df10797ad7104f54af9f", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=86517", "id": "CENTOS_RHSA-2015-1920.NASL", "lastseen": "2017-12-13T23:25:34", "modified": "2017-12-13T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "86517", "published": "2015-10-22T00:00:00", "references": ["http://www.nessus.org/u?3bb2b2e7", "http://www.nessus.org/u?22216fe8"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1920 and \n# CentOS Errata and Security Advisory 2015:1920 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86517);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2017/12/13 14:29:50 $\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_osvdb_id(129119, 129120, 129121, 129122, 129123, 129124, 129125, 129129, 129132, 129133, 129134, 129135, 129136, 129137, 129138, 129139, 129140);\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-October/021437.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3bb2b2e7\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?22216fe8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)", "type": "nessus", "viewCount": 2}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2017-12-13T23:25:34"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless"], "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 13, "enchantments": {"dependencies": {"modified": "2019-12-13T06:41:29", "references": [{"idList": ["CESA-2015:1919", "CESA-2015:1921", "CESA-2015:1920", "CESA-2015:2086"], "type": "centos"}, {"idList": ["ASA-201510-15", "ASA-201510-16", "ASA-201510-17"], "type": "archlinux"}, {"idList": ["RHSA-2015:1920", "RHSA-2015:1921", "RHSA-2015:1919", "RHSA-2015:1927", "RHSA-2015:2086", "RHSA-2015:1928"], "type": "redhat"}, {"idList": ["DEBIAN:DSA-3381-2:F5B92", "DEBIAN:DLA-346-1:13970", "DEBIAN:DSA-3381-1:4656D"], "type": "debian"}, {"idList": ["OPENVAS:1361412562310882300", "OPENVAS:1361412562310871461", "OPENVAS:1361412562310842507", "OPENVAS:1361412562310871462", "OPENVAS:1361412562310882303", "OPENVAS:1361412562310851128", "OPENVAS:1361412562310131101", "OPENVAS:1361412562310120596", "OPENVAS:703381", "OPENVAS:1361412562310851122"], "type": "openvas"}, {"idList": ["USN-2827-1", "USN-2784-1"], "type": "ubuntu"}, {"idList": ["JAVA_OCT2015_ADVISORY.ASC"], "type": "aix"}, {"idList": ["SL_20151021_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SUSE_SU-2015-1874-1.NASL", "ORACLELINUX_ELSA-2015-1921.NASL", "OPENSUSE-2015-697.NASL", "OPENSUSE-2015-736.NASL", "ALA_ALAS-2015-606.NASL", "SUSE_SU-2015-1875-2.NASL", "REDHAT-RHSA-2015-1919.NASL", "SUSE_SU-2015-1874-2.NASL"], "type": "nessus"}, {"idList": ["OPENSUSE-SU-2015:1971-1", "OPENSUSE-SU-2015:1906-1", "SUSE-SU-2015:1875-1", "SUSE-SU-2015:1874-1", "SUSE-SU-2015:1875-2", "OPENSUSE-SU-2015:1902-1", "SUSE-SU-2015:2268-1", "SUSE-SU-2015:1874-2"], "type": "suse"}, {"idList": ["ALAS-2015-616", "ALAS-2015-606", "ALAS-2015-605"], "type": "amazon"}, {"idList": ["F5:K14132811", "SOL14132811", "F5:K05534090", "SOL05534090"], "type": "f5"}, {"idList": ["ELSA-2015-1921", "ELSA-2015-1920", "ELSA-2015-2086", "ELSA-2015-1919"], "type": "oraclelinux"}]}, "score": {"modified": "2019-12-13T06:41:29", "value": 10.0, "vector": "NONE"}}, "hash": "e62128845e7f6cc767ef8cb6ec766ba4566e9a29f277d9d09a13437a09c37cd9", "hashmap": [{"hash": "cf5ab192321e0c9602e97a714f8a5102", "key": "published"}, {"hash": "7c656ed7880b629da6e4fb396cb49bc6", "key": "cvelist"}, {"hash": "79cdaf1ae680b7cc7301383017714554", "key": "pluginID"}, {"hash": "46bb21c1853c9999d550a0242ac21a5e", "key": "title"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "846e8207f7cb72ef99ba52615d126f11", "key": "href"}, {"hash": "f82feb6b55f329a4801a7908bc18a9d6", "key": "reporter"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "9113d4a13141e433697defd993025ea2", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "64ba37ea77e31f594b6a51428de8ac8a", "key": "sourceData"}, {"hash": "b0c02e2755a67bb9dd54f480fe0bfc83", "key": "description"}, {"hash": "cd4a586dc1a91f8067d901489deec968", "key": "references"}, {"hash": "5a7504dfe859a7ccbaf560628f6442ad", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/86517", "id": "CENTOS_RHSA-2015-1920.NASL", "lastseen": "2019-12-13T06:41:29", "modified": "2019-12-02T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "86517", "published": "2015-10-22T00:00:00", "references": ["http://www.nessus.org/u?da0d7a33", "http://www.nessus.org/u?aaf9e0f6"], "reporter": "This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1920 and \n# CentOS Errata and Security Advisory 2015:1920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86517);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2019/10/02 15:30:20\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021437.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aaf9e0f6\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?da0d7a33\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)", "type": "nessus", "viewCount": 2}, "differentElements": ["modified"], "edition": 13, "lastseen": "2019-12-13T06:41:29"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless"], "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 12, "enchantments": {"dependencies": {"modified": "2019-11-01T02:15:28", "references": [{"idList": ["CESA-2015:1919", "CESA-2015:1921", "CESA-2015:1920", "CESA-2015:2086"], "type": "centos"}, {"idList": ["SL_20151021_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "ORACLELINUX_ELSA-2015-1919.NASL", "SUSE_SU-2015-1874-1.NASL", "REDHAT-RHSA-2015-1920.NASL", "SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "REDHAT-RHSA-2015-1921.NASL", "UBUNTU_USN-2784-1.NASL", "SUSE_SU-2015-1875-1.NASL", "DEBIAN_DSA-3381.NASL", "ALA_ALAS-2015-605.NASL"], "type": "nessus"}, {"idList": ["ASA-201510-15", "ASA-201510-16", "ASA-201510-17"], "type": "archlinux"}, {"idList": ["OPENVAS:1361412562310851182", "OPENVAS:1361412562310851123", "OPENVAS:1361412562310122716", "OPENVAS:1361412562310703381", "OPENVAS:1361412562310871463", "OPENVAS:1361412562310882301", "OPENVAS:1361412562310120595", "OPENVAS:1361412562310851126", "OPENVAS:1361412562310882304", "OPENVAS:1361412562310882302"], "type": "openvas"}, {"idList": ["RHSA-2015:1920", "RHSA-2015:1921", "RHSA-2015:1919", "RHSA-2015:1927", "RHSA-2015:2086", "RHSA-2015:1928"], "type": "redhat"}, {"idList": ["DEBIAN:DSA-3381-2:F5B92", "DEBIAN:DLA-346-1:13970", "DEBIAN:DSA-3381-1:4656D"], "type": "debian"}, {"idList": ["USN-2827-1", "USN-2784-1"], "type": "ubuntu"}, {"idList": ["JAVA_OCT2015_ADVISORY.ASC"], "type": "aix"}, {"idList": ["OPENSUSE-SU-2015:1971-1", "OPENSUSE-SU-2015:1906-1", "SUSE-SU-2015:1875-1", "SUSE-SU-2015:1874-1", "SUSE-SU-2015:1875-2", "OPENSUSE-SU-2015:1902-1", "SUSE-SU-2015:2268-1", "SUSE-SU-2015:1874-2"], "type": "suse"}, {"idList": ["ALAS-2015-616", "ALAS-2015-606", "ALAS-2015-605"], "type": "amazon"}, {"idList": ["F5:K14132811", "SOL14132811", "F5:K05534090", "SOL05534090"], "type": "f5"}, {"idList": ["ELSA-2015-1921", "ELSA-2015-1920", "ELSA-2015-2086", "ELSA-2015-1919"], "type": "oraclelinux"}]}, "score": {"modified": "2019-11-01T02:15:28", "value": 10.0, "vector": "NONE"}}, "hash": "ba7d28efa6f29a85de09d6e2bb6031f0433fdcb027f9f02c6916dc968bdef3cb", "hashmap": [{"hash": "cf5ab192321e0c9602e97a714f8a5102", "key": "published"}, {"hash": "7c656ed7880b629da6e4fb396cb49bc6", "key": "cvelist"}, {"hash": "79cdaf1ae680b7cc7301383017714554", "key": "pluginID"}, {"hash": "abcf9266f425f12dda38f529cd4a94bc", "key": "modified"}, {"hash": "46bb21c1853c9999d550a0242ac21a5e", "key": "title"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "846e8207f7cb72ef99ba52615d126f11", "key": "href"}, {"hash": "f82feb6b55f329a4801a7908bc18a9d6", "key": "reporter"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "9113d4a13141e433697defd993025ea2", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "64ba37ea77e31f594b6a51428de8ac8a", "key": "sourceData"}, {"hash": "b0c02e2755a67bb9dd54f480fe0bfc83", "key": "description"}, {"hash": "cd4a586dc1a91f8067d901489deec968", "key": "references"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/86517", "id": "CENTOS_RHSA-2015-1920.NASL", "lastseen": "2019-11-01T02:15:28", "modified": "2019-11-02T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "86517", "published": "2015-10-22T00:00:00", "references": ["http://www.nessus.org/u?da0d7a33", "http://www.nessus.org/u?aaf9e0f6"], "reporter": "This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1920 and \n# CentOS Errata and Security Advisory 2015:1920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86517);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2019/10/02 15:30:20\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021437.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aaf9e0f6\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?da0d7a33\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)", "type": "nessus", "viewCount": 2}, "differentElements": ["modified"], "edition": 12, "lastseen": "2019-11-01T02:15:28"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless"], "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss3": {}, "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 17, "enchantments": {"dependencies": {"modified": "2020-03-17T22:49:38", "references": [{"idList": ["CESA-2015:1919", "CESA-2015:1921", "CESA-2015:1920", "CESA-2015:2086"], "type": "centos"}, {"idList": ["SL_20151021_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "ORACLELINUX_ELSA-2015-1919.NASL", "SUSE_SU-2015-1874-1.NASL", "REDHAT-RHSA-2015-1920.NASL", "SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "OPENSUSE-2015-697.NASL", "REDHAT-RHSA-2015-1921.NASL", "OPENSUSE-2015-736.NASL", "ALA_ALAS-2015-606.NASL", "ALA_ALAS-2015-605.NASL"], "type": "nessus"}, {"idList": ["ASA-201510-15", "ASA-201510-16", "ASA-201510-17"], "type": "archlinux"}, {"idList": ["RHSA-2015:1920", "RHSA-2015:1921", "RHSA-2015:1919", "RHSA-2015:1927", "RHSA-2015:2086", "RHSA-2015:1928"], "type": "redhat"}, {"idList": ["DEBIAN:DSA-3381-2:F5B92", "DEBIAN:DLA-346-1:13970", "DEBIAN:DSA-3381-1:4656D"], "type": "debian"}, {"idList": ["USN-2827-1", "USN-2784-1"], "type": "ubuntu"}, {"idList": ["JAVA_OCT2015_ADVISORY.ASC"], "type": "aix"}, {"idList": ["OPENSUSE-SU-2015:1971-1", "OPENSUSE-SU-2015:1906-1", "SUSE-SU-2015:1875-1", "SUSE-SU-2015:1874-1", "SUSE-SU-2015:1875-2", "OPENSUSE-SU-2015:1902-1", "SUSE-SU-2015:2268-1", "SUSE-SU-2015:1874-2"], "type": "suse"}, {"idList": ["ALAS-2015-616", "ALAS-2015-606", "ALAS-2015-605"], "type": "amazon"}, {"idList": ["OPENVAS:1361412562310882300", "OPENVAS:1361412562310851182", "OPENVAS:1361412562310851123", "OPENVAS:1361412562310122716", "OPENVAS:1361412562310703381", "OPENVAS:1361412562310882301", "OPENVAS:1361412562310131101", "OPENVAS:703381", "OPENVAS:1361412562310882304", "OPENVAS:1361412562310882302"], "type": "openvas"}, {"idList": ["F5:K14132811", "SOL14132811", "F5:K05534090", "SOL05534090"], "type": "f5"}, {"idList": ["ELSA-2015-1921", "ELSA-2015-1920", "ELSA-2015-2086", "ELSA-2015-1919"], "type": "oraclelinux"}]}, "score": {"modified": "2020-03-17T22:49:38", "value": 10.0, "vector": "NONE"}}, "hash": "b33c2d215e1bd403947831da78284062b7e1bffff1bd2c6985baa860816bbf42", "hashmap": [{"hash": "cf5ab192321e0c9602e97a714f8a5102", "key": "published"}, {"hash": "af24fd3fdacb4d500ae9d1e724743016", "key": "modified"}, {"hash": "7c656ed7880b629da6e4fb396cb49bc6", "key": "cvelist"}, {"hash": "79cdaf1ae680b7cc7301383017714554", "key": "pluginID"}, {"hash": "46bb21c1853c9999d550a0242ac21a5e", "key": "title"}, {"hash": "8f8213e8b86855939d5beea715ce3045", "key": "naslFamily"}, {"hash": "846e8207f7cb72ef99ba52615d126f11", "key": "href"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "9113d4a13141e433697defd993025ea2", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3f90feee04cecb73d0f561a951b7f2d0", "key": "sourceData"}, {"hash": "b0c02e2755a67bb9dd54f480fe0bfc83", "key": "description"}, {"hash": "73b406398df9301cfe2ccefc4bef882b", "key": "reporter"}, {"hash": "cd4a586dc1a91f8067d901489deec968", "key": "references"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/86517", "id": "CENTOS_RHSA-2015-1920.NASL", "lastseen": "2020-03-17T22:49:38", "modified": "2020-03-02T00:00:00", "naslFamily": "CentOS Local Security Checks", "objectVersion": "1.3", "pluginID": "86517", "published": "2015-10-22T00:00:00", "references": ["http://www.nessus.org/u?da0d7a33", "http://www.nessus.org/u?aaf9e0f6"], "reporter": "This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1920 and \n# CentOS Errata and Security Advisory 2015:1920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86517);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2020/01/02\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021437.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aaf9e0f6\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?da0d7a33\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-4805\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)", "type": "nessus", "viewCount": 2}, "differentElements": ["modified"], "edition": 17, "lastseen": "2020-03-17T22:49:38"}], "edition": 18, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "9113d4a13141e433697defd993025ea2"}, {"key": "cvelist", "hash": "7c656ed7880b629da6e4fb396cb49bc6"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "b0c02e2755a67bb9dd54f480fe0bfc83"}, {"key": "href", "hash": "846e8207f7cb72ef99ba52615d126f11"}, {"key": "modified", "hash": "0658bb008399a687b703257886c78457"}, {"key": "naslFamily", "hash": "8f8213e8b86855939d5beea715ce3045"}, {"key": "pluginID", "hash": "79cdaf1ae680b7cc7301383017714554"}, {"key": "published", "hash": "cf5ab192321e0c9602e97a714f8a5102"}, {"key": "references", "hash": "cd4a586dc1a91f8067d901489deec968"}, {"key": "reporter", "hash": "73b406398df9301cfe2ccefc4bef882b"}, {"key": "sourceData", "hash": "3f90feee04cecb73d0f561a951b7f2d0"}, {"key": "title", "hash": "46bb21c1853c9999d550a0242ac21a5e"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "77e2b64b163450fdb3152ffdbabcfc883f6e1daf122dc3919109fcb02fcc16fa", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2015:1928", "RHSA-2015:1920", "RHSA-2015:1927", "RHSA-2015:2086", "RHSA-2015:1919", "RHSA-2015:1921", "RHSA-2015:2518"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2015-1927.NASL", "OPENSUSE-2015-695.NASL", "CENTOS_RHSA-2015-1921.NASL", "REDHAT-RHSA-2015-1921.NASL", "ALA_ALAS-2015-605.NASL", "SUSE_SU-2015-1874-1.NASL", "REDHAT-RHSA-2015-1920.NASL", "SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20151021_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "ORACLELINUX_ELSA-2015-1919.NASL"]}, {"type": "centos", "idList": ["CESA-2015:2086", "CESA-2015:1920", "CESA-2015:1919", "CESA-2015:1921"]}, {"type": "suse", "idList": ["SUSE-SU-2015:1875-2", "OPENSUSE-SU-2015:1902-1", "SUSE-SU-2015:2268-1", "SUSE-SU-2015:1874-2", "SUSE-SU-2015:1874-1", "OPENSUSE-SU-2015:1906-1", "OPENSUSE-SU-2015:1971-1", "SUSE-SU-2015:1875-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310882304", "OPENVAS:1361412562310851126", "OPENVAS:1361412562310120595", "OPENVAS:1361412562310882302", "OPENVAS:1361412562310851123", "OPENVAS:1361412562310703381", "OPENVAS:1361412562310851182", "OPENVAS:1361412562310122716", "OPENVAS:1361412562310122717", "OPENVAS:1361412562310882301"]}, {"type": "debian", "idList": ["DEBIAN:DLA-346-1:13970", "DEBIAN:DSA-3381-2:F5B92", "DEBIAN:DSA-3381-1:4656D"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-1921", "ELSA-2015-2086", "ELSA-2015-1920", "ELSA-2015-1919"]}, {"type": "f5", "idList": ["F5:K14132811", "SOL14132811", "F5:K05534090", "SOL05534090"]}, {"type": "archlinux", "idList": ["ASA-201510-17", "ASA-201510-16", "ASA-201510-15"]}, {"type": "amazon", "idList": ["ALAS-2015-616", "ALAS-2015-606", "ALAS-2015-605"]}, {"type": "aix", "idList": ["JAVA_OCT2015_ADVISORY.ASC"]}, {"type": "ubuntu", "idList": ["USN-2827-1", "USN-2784-1"]}], "modified": "2020-04-01T06:49:42", "rev": 2}, "score": {"value": 10.0, "vector": "NONE", "modified": "2020-04-01T06:49:42", "rev": 2}, "vulnersScore": 10.0}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1920 and \n# CentOS Errata and Security Advisory 2015:1920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86517);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2020/01/02\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:1920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021437.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aaf9e0f6\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?da0d7a33\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-4805\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "naslFamily": "CentOS Local Security Checks", "pluginID": "86517", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless"], "scheme": null}

{"redhat": [{"lastseen": "2019-08-13T18:45:30", "bulletinFamily": "unix", "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:16", "published": "2015-10-21T04:00:00", "id": "RHSA-2015:1920", "href": "https://access.redhat.com/errata/RHSA-2015:1920", "type": "redhat", "title": "(RHSA-2015:1920) Critical: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:09", "bulletinFamily": "unix", "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810,\nCVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844,\nCVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882,\nCVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 91 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "modified": "2018-06-07T18:20:34", "published": "2015-10-22T22:20:48", "id": "RHSA-2015:1927", "href": "https://access.redhat.com/errata/RHSA-2015:1927", "type": "redhat", "title": "(RHSA-2015:1927) Critical: java-1.7.0-oracle security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:12", "bulletinFamily": "unix", "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2017-09-08T12:08:43", "published": "2015-10-21T04:00:00", "id": "RHSA-2015:1921", "href": "https://access.redhat.com/errata/RHSA-2015:1921", "type": "redhat", "title": "(RHSA-2015:1921) Important: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:48", "bulletinFamily": "unix", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report a revoked certificate, causing the application to\naccept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:23", "published": "2015-10-21T04:00:00", "id": "RHSA-2015:1919", "href": "https://access.redhat.com/errata/RHSA-2015:1919", "type": "redhat", "title": "(RHSA-2015:1919) Important: java-1.8.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:13", "bulletinFamily": "unix", "description": "Oracle Java SE version 6 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835,\nCVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872,\nCVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902,\nCVE-2015-4903, CVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 105 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "modified": "2018-06-07T18:20:30", "published": "2015-10-22T22:21:17", "id": "RHSA-2015:1928", "href": "https://access.redhat.com/errata/RHSA-2015:1928", "type": "redhat", "title": "(RHSA-2015:1928) Important: java-1.6.0-sun security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:10", "bulletinFamily": "unix", "description": "The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:16", "published": "2015-11-18T05:00:00", "id": "RHSA-2015:2086", "href": "https://access.redhat.com/errata/RHSA-2015:2086", "type": "redhat", "title": "(RHSA-2015:2086) Important: java-1.6.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:49:41", "bulletinFamily": "unix", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-02T16:35:18", "published": "2015-11-02T16:35:18", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00001.html", "id": "SUSE-SU-2015:1875-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:22:46", "bulletinFamily": "unix", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-12T14:18:13", "published": "2015-11-12T14:18:13", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00019.html", "id": "OPENSUSE-SU-2015:1971-1", "title": "Security update for java-1_7_0-openjdk (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:21:58", "bulletinFamily": "unix", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-02T17:11:26", "published": "2015-11-02T17:11:26", "id": "SUSE-SU-2015:1874-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00003.html", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:36:29", "bulletinFamily": "unix", "description": "java-1_7_0-openjdk was updated to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-04T16:14:26", "published": "2015-11-04T16:14:26", "id": "OPENSUSE-SU-2015:1902-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00008.html", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:19:41", "bulletinFamily": "unix", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-02T17:11:48", "published": "2015-11-02T17:11:48", "id": "SUSE-SU-2015:1875-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00004.html", "title": "Security update for java-1_7_0-openjdk (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:50:21", "bulletinFamily": "unix", "description": "java-1_7_0-openjdk was updated to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-04T17:12:29", "published": "2015-11-04T17:12:29", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00010.html", "id": "OPENSUSE-SU-2015:1906-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:49:41", "bulletinFamily": "unix", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "modified": "2015-11-02T16:34:56", "published": "2015-11-02T16:34:56", "id": "SUSE-SU-2015:1874-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00000.html", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:59:17", "bulletinFamily": "unix", "description": "This update for java-1_8_0-ibm fixes the following issues:\n\n - Version update to 8.0-2.0 (bsc#955131): CVE-2015-4734 CVE-2015-4803\n CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840\n CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871\n CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902\n CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir.\n - Provide %{name} instead of %{sdklnk} only in _jvmprivdir. (bsc#941939)\n\n", "modified": "2015-12-14T17:10:33", "published": "2015-12-14T17:10:33", "id": "SUSE-SU-2015:2268-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00014.html", "type": "suse", "title": "Security update for java-1_8_0-ibm (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": [{"lastseen": "2019-12-20T18:28:51", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:1920\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033475.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033477.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1920.html", "modified": "2015-10-22T00:07:57", "published": "2015-10-21T23:14:14", "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/033475.html", "id": "CESA-2015:1920", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:28:51", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:1921\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033476.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1921.html", "modified": "2015-10-21T23:24:30", "published": "2015-10-21T23:24:30", "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/033476.html", "id": "CESA-2015:1921", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:25:43", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:1919\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report a revoked certificate, causing the application to\naccept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033474.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/033478.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-accessibility\njava-1.8.0-openjdk-debug\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-demo-debug\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-devel-debug\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-headless-debug\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-debug\njava-1.8.0-openjdk-src\njava-1.8.0-openjdk-src-debug\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1919.html", "modified": "2015-10-22T00:08:18", "published": "2015-10-21T23:13:49", "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/033474.html", "id": "CESA-2015:1919", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:25:54", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:2086\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/033543.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/033544.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/033545.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-2086.html", "modified": "2015-11-18T20:38:46", "published": "2015-11-18T19:46:16", "href": "http://lists.centos.org/pipermail/centos-announce/2015-November/033543.html", "id": "CESA-2015:2086", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:36:12", "bulletinFamily": "scanner", "description": "Check the version of java", "modified": "2019-03-08T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310882304", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882304", "title": "CentOS Update for java CESA-2015:1921 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2015:1921 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882304\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 07:26:20 +0200 (Thu, 22 Oct 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\",\n \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\",\n \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\",\n \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for java CESA-2015:1921 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of java\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1921\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-October/021438.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.1.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:50", "bulletinFamily": "scanner", "description": "Check the version of java", "modified": "2019-03-08T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310882301", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882301", "title": "CentOS Update for java CESA-2015:1920 centos7", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2015:1920 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882301\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 07:25:11 +0200 (Thu, 22 Oct 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\",\n \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\",\n \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\",\n \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for java CESA-2015:1920 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of java\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1920\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-accessibility\", rpm:\"java-1.7.0-openjdk-accessibility~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-headless\", rpm:\"java-1.7.0-openjdk-headless~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.1.el7_1\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:44", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been\ndiscovered in OpenJDK, an implementation of the Oracle Java platform, resulting\nin the execution of arbitrary code, breakouts of the Java sandbox, information\ndisclosure, or denial of service.", "modified": "2019-03-18T00:00:00", "published": "2015-10-27T00:00:00", "id": "OPENVAS:1361412562310703381", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703381", "title": "Debian Security Advisory DSA 3381-1 (openjdk-7 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3381.nasl 14278 2019-03-18 14:47:26Z cfischer $\n# Auto-generated from advisory DSA 3381-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703381\");\n script_version(\"$Revision: 14278 $\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\",\n \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4871\", \"CVE-2015-4872\",\n \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\",\n \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_name(\"Debian Security Advisory DSA 3381-1 (openjdk-7 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:47:26 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-27 00:00:00 +0100 (Tue, 27 Oct 2015)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3381.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(7|8)\");\n script_tag(name:\"affected\", value:\"openjdk-7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 7u85-2.6.1-6~deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 7u85-2.6.1-5~deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7u85-2.6.1-5.\n\nWe recommend that you upgrade your openjdk-7 packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been\ndiscovered in OpenJDK, an implementation of the Oracle Java platform, resulting\nin the execution of arbitrary code, breakouts of the Java sandbox, information\ndisclosure, or denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"icedtea-7-jre-cacao:amd64\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"icedtea-7-jre-cacao:i386\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm:amd64\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm:i386\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-dbg:amd64\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-dbg:i386\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-demo\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-doc\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jdk:amd64\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jdk:i386\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre:amd64\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre:i386\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-headless:amd64\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-headless:i386\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-lib\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-zero:amd64\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-zero:i386\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-source\", ver:\"7u85-2.6.1-6~deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm:amd64\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm:i386\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-dbg:amd64\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-dbg:i386\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-demo\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-doc\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jdk:amd64\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jdk:i386\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre:amd64\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre:i386\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-headless:amd64\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-headless:i386\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-lib\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-zero:amd64\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-jre-zero:i386\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openjdk-7-source\", ver:\"7u85-2.6.1-5~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:34:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-02-02T00:00:00", "id": "OPENVAS:1361412562310851182", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851182", "title": "openSUSE: Security Advisory for java-1_7_0-openjdk (openSUSE-SU-2015:1971-1)", "type": "openvas", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851182\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-02-02 17:15:47 +0100 (Tue, 02 Feb 2016)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\",\n \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\",\n \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\",\n \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for java-1_7_0-openjdk (openSUSE-SU-2015:1971-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_7_0-openjdk'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#95 ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"java-1_7_0-openjdk on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2015:1971-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk\", rpm:\"java-1_7_0-openjdk~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-accessibility\", rpm:\"java-1_7_0-openjdk-accessibility~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap\", rpm:\"java-1_7_0-openjdk-bootstrap~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-debuginfo~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-debugsource\", rpm:\"java-1_7_0-openjdk-bootstrap-debugsource~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-devel\", rpm:\"java-1_7_0-openjdk-bootstrap-devel~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-headless\", rpm:\"java-1_7_0-openjdk-bootstrap-headless~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debuginfo\", rpm:\"java-1_7_0-openjdk-debuginfo~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debugsource\", rpm:\"java-1_7_0-openjdk-debugsource~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo\", rpm:\"java-1_7_0-openjdk-demo~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo-debuginfo\", rpm:\"java-1_7_0-openjdk-demo-debuginfo~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel\", rpm:\"java-1_7_0-openjdk-devel~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-devel-debuginfo~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless\", rpm:\"java-1_7_0-openjdk-headless~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-headless-debuginfo~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-src\", rpm:\"java-1_7_0-openjdk-src~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-javadoc\", rpm:\"java-1_7_0-openjdk-javadoc~1.7.0.91~22.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:11", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-1920", "modified": "2018-09-28T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310122716", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122716", "title": "Oracle Linux Local Check: ELSA-2015-1920", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1920.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122716\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 08:30:57 +0300 (Thu, 22 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1920\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1920 - java-1.7.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1920\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1920.html\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-accessibility\", rpm:\"java-1.7.0-openjdk-accessibility~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-headless\", rpm:\"java-1.7.0-openjdk-headless~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.1.0.1.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.2.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:38:45", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2015-11-03T00:00:00", "id": "OPENVAS:1361412562310851123", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851123", "title": "SUSE: Security Advisory for java-1_7_0-openjdk (SUSE-SU-2015:1874-1)", "type": "openvas", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851123\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-11-03 06:08:11 +0100 (Tue, 03 Nov 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\",\n \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\",\n \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\",\n \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for java-1_7_0-openjdk (SUSE-SU-2015:1874-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_7_0-openjdk'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60 Java SE Embedded 8u51 and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"java-1_7_0-openjdk on SUSE Linux Enterprise Server 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2015:1874-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES12\\.0SP0\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk\", rpm:\"java-1_7_0-openjdk~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debuginfo\", rpm:\"java-1_7_0-openjdk-debuginfo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debugsource\", rpm:\"java-1_7_0-openjdk-debugsource~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo\", rpm:\"java-1_7_0-openjdk-demo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo-debuginfo\", rpm:\"java-1_7_0-openjdk-demo-debuginfo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel\", rpm:\"java-1_7_0-openjdk-devel~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-devel-debuginfo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless\", rpm:\"java-1_7_0-openjdk-headless~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-headless-debuginfo\", rpm:\"java-1_7_0-openjdk-headless-debuginfo~1.7.0.91~21.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:54", "bulletinFamily": "scanner", "description": "Check the version of java", "modified": "2019-03-08T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310882302", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882302", "title": "CentOS Update for java CESA-2015:1920 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2015:1920 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882302\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 07:25:33 +0200 (Thu, 22 Oct 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\",\n \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\",\n \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\",\n \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for java CESA-2015:1920 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of java\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1920\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-October/021437.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.2.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.2.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.2.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.2.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.2.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-14T19:00:03", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-1919", "modified": "2020-03-13T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310122717", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122717", "title": "Oracle Linux Local Check: ELSA-2015-1919", "type": "openvas", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122717\");\n script_version(\"2020-03-13T10:06:41+0000\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 08:30:58 +0300 (Thu, 22 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 10:06:41 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1919\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1919 - java-1.8.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1919\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1919.html\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4868\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.65~2.b17.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-accessibility\", rpm:\"java-1.8.0-openjdk-accessibility~1.8.0.65~2.b17.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo\", rpm:\"java-1.8.0-openjdk-demo~1.8.0.65~2.b17.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.65~2.b17.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.65~2.b17.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc\", rpm:\"java-1.8.0-openjdk-javadoc~1.8.0.65~2.b17.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src\", rpm:\"java-1.8.0-openjdk-src~1.8.0.65~2.b17.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-debug\", rpm:\"java-1.8.0-openjdk-debug~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo\", rpm:\"java-1.8.0-openjdk-demo~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo-debug\", rpm:\"java-1.8.0-openjdk-demo-debug~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel-debug\", rpm:\"java-1.8.0-openjdk-devel-debug~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless-debug\", rpm:\"java-1.8.0-openjdk-headless-debug~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc\", rpm:\"java-1.8.0-openjdk-javadoc~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-debug\", rpm:\"java-1.8.0-openjdk-javadoc-debug~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src\", rpm:\"java-1.8.0-openjdk-src~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src-debug\", rpm:\"java-1.8.0-openjdk-src-debug~1.8.0.65~0.b17.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-10-22T00:00:00", "id": "OPENVAS:1361412562310871463", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871463", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2015:1921-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2015:1921-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871463\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-22 07:23:03 +0200 (Thu, 22 Oct 2015)\");\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\",\n \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\",\n \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\",\n \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\",\n \"CVE-2015-4911\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for java-1.7.0-openjdk RHSA-2015:1921-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.7.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\");\n script_tag(name:\"affected\", value:\"java-1.7.0-openjdk on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:1921-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-October/msg00029.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.91~2.6.2.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.1.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:58:35", "bulletinFamily": "scanner", "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-11-08T00:00:00", "id": "OPENVAS:1361412562310120595", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120595", "title": "Amazon Linux: Security Advisory (ALAS-2015-605)", "type": "openvas", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120595\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-11-08 13:10:58 +0200 (Sun, 08 Nov 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2015-605)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in OpenJDK. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update java-1.7.0-openjdk to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-605.html\");\n script_cve_id(\"CVE-2015-4843\", \"CVE-2015-4842\", \"CVE-2015-4840\", \"CVE-2015-4872\", \"CVE-2015-4860\", \"CVE-2015-4844\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4911\", \"CVE-2015-4734\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4903\", \"CVE-2015-4806\", \"CVE-2015-4805\", \"CVE-2015-4803\", \"CVE-2015-4835\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.91~2.6.2.2.63.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.91~2.6.2.2.63.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.91~2.6.2.2.63.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.91~2.6.2.2.63.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.91~2.6.2.2.63.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.91~2.6.2.2.63.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:21:28", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3381-2 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nNovember 1, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-7\nCVE ID : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 \n CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843\n CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872\n CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893\n CVE-2015-4903 CVE-2015-4911\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, breakouts of the Java sandbox, information disclosure,\nor denial of service.\n\nThe jessie update in DSA 3381 was built incorrectly, we apologise for\nthe inconvenience. In addition the version number in jessie-security\nwas lower than in wheezy-security which could result in upgrade problems\nduring distribution updates. This has been fixed in 7u85-2.6.1-6~deb8u1.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2015-11-01T22:22:16", "published": "2015-11-01T22:22:16", "id": "DEBIAN:DSA-3381-2:F5B92", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00289.html", "title": "[SECURITY] [DSA 3381-2] openjdk-7 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-27T02:24:04", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3381-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nOctober 27, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-7\nCVE ID : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 \n CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843\n CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872\n CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893\n CVE-2015-4903 CVE-2015-4911\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, breakouts of the Java sandbox, information disclosure,\nor denial of service.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 7u85-2.6.1-6~deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 7u85-2.6.1-5~deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7u85-2.6.1-5.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2015-10-27T21:21:47", "published": "2015-10-27T21:21:47", "id": "DEBIAN:DSA-3381-1:4656D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00280.html", "title": "[SECURITY] [DSA 3381-1] openjdk-7 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-22T02:27:34", "bulletinFamily": "unix", "description": "Package : openjdk-6\nVersion : 6b37-1.13.9-1~deb6u1\nCVE ID : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806\n CVE-2015-4835 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844\n CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882\n CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911\n\nSeveral vulnerabilities have been discovered in OpenJDK, an implementation of\nthe Oracle Java platform. These vulnerabilities relate to execution of\narbitrary code, breakouts of the Java sandbox, information disclosure and\ndenial of service.\n\nFor Debian 6 &quot;Squeeze&quot;, these problems have been fixed in openjdk-6\nversion 6b37-1.13.9-1~deb6u1.\n\nWe recommend you to upgrade your openjdk-6 packages.\n\nLearn more about the Debian Long Term Support (LTS) Project and how to\napply these updates at: https://wiki.debian.org/LTS/\n", "modified": "2015-11-24T08:57:17", "published": "2015-11-24T08:57:17", "id": "DEBIAN:DLA-346-1:13970", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201511/msg00007.html", "title": "[SECURITY] [DLA 346-1] openjdk-6 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-04-01T02:13:35", "bulletinFamily": "scanner", "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "modified": "2020-04-02T00:00:00", "id": "REDHAT-RHSA-2015-1921.NASL", "href": "https://www.tenable.com/plugins/nessus/86526", "published": "2015-10-22T00:00:00", "title": "RHEL 5 : java-1.7.0-openjdk (RHSA-2015:1921)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1921. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86526);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2019/10/24 15:35:40\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1921\");\n\n script_name(english:\"RHEL 5 : java-1.7.0-openjdk (RHSA-2015:1921)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1921\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4872\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4860\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4844\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4911\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4883\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4734\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4881\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4903\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4803\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4835\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1921\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T06:47:19", "bulletinFamily": "scanner", "description": "Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835 , CVE-2015-4881 , CVE-2015-4843 ,\nCVE-2015-4883 , CVE-2015-4860 , CVE-2015-4805 , CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803 , CVE-2015-4893 , CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806 , CVE-2015-4840 , CVE-2015-4882 , CVE-2015-4842 ,\nCVE-2015-4734 , CVE-2015-4903)", "modified": "2020-04-02T00:00:00", "id": "ALA_ALAS-2015-605.NASL", "href": "https://www.tenable.com/plugins/nessus/86636", "published": "2015-10-29T00:00:00", "title": "Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2015-605)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-605.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86636);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2019/07/10 16:04:12\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"ALAS\", value:\"2015-605\");\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2015-605)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835 , CVE-2015-4881 , CVE-2015-4843 ,\nCVE-2015-4883 , CVE-2015-4860 , CVE-2015-4805 , CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803 , CVE-2015-4893 , CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806 , CVE-2015-4840 , CVE-2015-4882 , CVE-2015-4842 ,\nCVE-2015-4734 , CVE-2015-4903)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-605.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.7.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.63.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-18T02:47:22", "bulletinFamily": "scanner", "description": "Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.", "modified": "2015-10-22T00:00:00", "id": "SL_20151021_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/86527", "published": "2015-10-22T00:00:00", "title": "Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20151021)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86527);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20151021)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1510&L=scientific-linux-errata&F=&S=&P=2612\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e9234869\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el5_11\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T02:13:35", "bulletinFamily": "scanner", "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "modified": "2020-04-02T00:00:00", "id": "REDHAT-RHSA-2015-1920.NASL", "href": "https://www.tenable.com/plugins/nessus/86525", "published": "2015-10-22T00:00:00", "title": "RHEL 6 / 7 : java-1.7.0-openjdk (RHSA-2015:1920)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1920. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86525);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/10/24 15:35:40\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"RHEL 6 / 7 : java-1.7.0-openjdk (RHSA-2015:1920)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1920\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4843\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4872\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4860\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4844\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4911\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4883\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4734\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4881\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4903\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4803\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-4835\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1920\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.el6_7\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T02:02:06", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2015:1919 :\n\nUpdated java-1.8.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking\ncode could fail to report a revoked certificate, causing the\napplication to accept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "modified": "2020-04-02T00:00:00", "id": "ORACLELINUX_ELSA-2015-1919.NASL", "href": "https://www.tenable.com/plugins/nessus/86520", "published": "2015-10-22T00:00:00", "title": "Oracle Linux 6 / 7 : java-1.8.0-openjdk (ELSA-2015-1919)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:1919 and \n# Oracle Linux Security Advisory ELSA-2015-1919 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86520);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2019/09/27 13:00:36\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4868\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1919\");\n\n script_name(english:\"Oracle Linux 6 / 7 : java-1.8.0-openjdk (ELSA-2015-1919)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:1919 :\n\nUpdated java-1.8.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking\ncode could fail to report a revoked certificate, causing the\napplication to accept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-October/005463.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-October/005466.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.8.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-demo-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-demo-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-devel-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-devel-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-headless-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-headless-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-javadoc-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-src-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-src-debug-1.8.0.65-0.b17.el6_7\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-1.8.0.65-2.b17.el7_1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-18T02:47:22", "bulletinFamily": "scanner", "description": "Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking\ncode could fail to report a revoked certificate, causing the\napplication to accept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.", "modified": "2015-10-22T00:00:00", "id": "SL_20151021_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/86529", "published": "2015-10-22T00:00:00", "title": "Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x, SL7.x i386/x86_64 (20151021)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86529);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/25\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4868\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x, SL7.x i386/x86_64 (20151021)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking\ncode could fail to report a revoked certificate, causing the\napplication to accept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1510&L=scientific-linux-errata&F=&S=&P=3234\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?de2ce039\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-demo-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-devel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-headless-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-javadoc-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.8.0-openjdk-src-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-demo-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-demo-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-devel-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-devel-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-headless-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-headless-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-javadoc-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-src-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.8.0-openjdk-src-debug-1.8.0.65-0.b17.el6_7\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-1.8.0.65-2.b17.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T02:45:14", "bulletinFamily": "scanner", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security\nissues.\n\nThese security issues were fixed :\n\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality via\n vectors related to JAXP (bsc#951376).\n\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java\n SE 7u85 and 8u60, and Java SE Embedded 8u51, allowed\n remote attackers to affect confidentiality via unknown\n vectors related to 2D (bsc#951376).\n\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and\n JRockit R28.3.7 allowed remote attackers to affect\n integrity via unknown vectors related to Security\n (bsc#951376).\n\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883\n (bsc#951376).\n\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860\n (bsc#951376).\n\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and\n JRockit R28.3.7 allowed remote attackers to affect\n availability via vectors related to JAXP, a different\n vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and\n JRockit R28.3.7 allowed remote attackers to affect\n availability via vectors related to JAXP, a different\n vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect availability via\n vectors related to CORBA (bsc#951376).\n\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835\n (bsc#951376).\n\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality via\n vectors related to JGSS (bsc#951376).\n\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality and\n integrity via unknown vectors related to Libraries\n (bsc#951376).\n\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and\n JRockit R28.3.7 allowed remote attackers to affect\n availability via vectors related to JAXP, a different\n vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881\n (bsc#951376).\n\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality via\n vectors related to RMI (bsc#951376).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-04-02T00:00:00", "id": "SUSE_SU-2015-1874-1.NASL", "href": "https://www.tenable.com/plugins/nessus/86705", "published": "2015-11-03T00:00:00", "title": "SUSE SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:1874-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:1874-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86705);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2019/09/11 11:22:12\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:1874-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"java-1_7_0-openjdk was updated to version 7u91 to fix 17 security\nissues.\n\nThese security issues were fixed :\n\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality via\n vectors related to JAXP (bsc#951376).\n\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java\n SE 7u85 and 8u60, and Java SE Embedded 8u51, allowed\n remote attackers to affect confidentiality via unknown\n vectors related to 2D (bsc#951376).\n\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and\n JRockit R28.3.7 allowed remote attackers to affect\n integrity via unknown vectors related to Security\n (bsc#951376).\n\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883\n (bsc#951376).\n\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860\n (bsc#951376).\n\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and\n JRockit R28.3.7 allowed remote attackers to affect\n availability via vectors related to JAXP, a different\n vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and\n JRockit R28.3.7 allowed remote attackers to affect\n availability via vectors related to JAXP, a different\n vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect availability via\n vectors related to CORBA (bsc#951376).\n\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835\n (bsc#951376).\n\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality via\n vectors related to JGSS (bsc#951376).\n\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality and\n integrity via unknown vectors related to Libraries\n (bsc#951376).\n\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and\n JRockit R28.3.7 allowed remote attackers to affect\n availability via vectors related to JAXP, a different\n vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881\n (bsc#951376).\n\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java\n SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51,\n allowed remote attackers to affect confidentiality via\n vectors related to RMI (bsc#951376).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=951376\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4734/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4803/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4805/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4806/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4835/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4840/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4842/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4843/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4844/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4860/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4872/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4881/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4882/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4883/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4893/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4903/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4911/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20151874-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c36d2eb9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-2015-781=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-1.7.0.91-21.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.91-21.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.91-21.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-demo-1.7.0.91-21.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.91-21.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-devel-1.7.0.91-21.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.91-21.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-headless-1.7.0.91-21.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.91-21.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_0-openjdk\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T06:49:42", "bulletinFamily": "scanner", "description": "Updated java-1.8.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking\ncode could fail to report a revoked certificate, causing the\napplication to accept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "modified": "2020-04-02T00:00:00", "id": "CENTOS_RHSA-2015-1919.NASL", "href": "https://www.tenable.com/plugins/nessus/86516", "published": "2015-10-22T00:00:00", "title": "CentOS 6 / 7 : java-1.8.0-openjdk (CESA-2015:1919)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1919 and \n# CentOS Errata and Security Advisory 2015:1919 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86516);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2020/01/02\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4868\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1919\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.8.0-openjdk (CESA-2015:1919)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.8.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking\ncode could fail to report a revoked certificate, causing the\napplication to accept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021436.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0336b1db\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-October/021440.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c65ccdd3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.8.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-4805\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-demo-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-devel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-headless-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-src-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x / 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-demo-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-demo-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-devel-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-devel-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-headless-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-headless-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-javadoc-debug-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-src-1.8.0.65-0.b17.el6_7\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.8.0-openjdk-src-debug-1.8.0.65-0.b17.el6_7\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.el7_1\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-1.8.0.65-2.b17.el7_1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T03:09:30", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker\ncould exploit these to cause a denial of service or expose sensitive\ndata over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843,\nCVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4881,\nCVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data\nintegrity. An attacker could exploit this expose sensitive data over\nthe network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose\nsensitive data over the network. (CVE-2015-4734, CVE-2015-4840,\nCVE-2015-4842, CVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of\nservice. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-04-02T00:00:00", "id": "UBUNTU_USN-2784-1.NASL", "href": "https://www.tenable.com/plugins/nessus/86650", "published": "2015-10-29T00:00:00", "title": "Ubuntu 14.04 LTS / 15.04 / 15.10 : openjdk-7 vulnerabilities (USN-2784-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2784-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86650);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2019/09/18 12:31:45\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4868\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"USN\", value:\"2784-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 15.04 / 15.10 : openjdk-7 vulnerabilities (USN-2784-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure, data integrity and availability. An attacker\ncould exploit these to cause a denial of service or expose sensitive\ndata over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843,\nCVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4881,\nCVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to\ninformation disclosure and data integrity. An attacker could exploit\nthis to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data\nintegrity. An attacker could exploit this expose sensitive data over\nthe network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to\ninformation disclosure. An attacker could exploit these to expose\nsensitive data over the network. (CVE-2015-4734, CVE-2015-4840,\nCVE-2015-4842, CVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to\navailability. An attacker could exploit these to cause a denial of\nservice. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2784-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-jamvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|15\\.04|15\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 15.04 / 15.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"icedtea-7-jre-jamvm\", pkgver:\"7u85-2.6.1-5ubuntu0.14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"openjdk-7-jre\", pkgver:\"7u85-2.6.1-5ubuntu0.14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"openjdk-7-jre-headless\", pkgver:\"7u85-2.6.1-5ubuntu0.14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"openjdk-7-jre-lib\", pkgver:\"7u85-2.6.1-5ubuntu0.14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"openjdk-7-jre-zero\", pkgver:\"7u85-2.6.1-5ubuntu0.14.04.1\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"icedtea-7-jre-jamvm\", pkgver:\"7u85-2.6.1-5ubuntu0.15.04.1\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"openjdk-7-jre\", pkgver:\"7u85-2.6.1-5ubuntu0.15.04.1\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"openjdk-7-jre-headless\", pkgver:\"7u85-2.6.1-5ubuntu0.15.04.1\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"openjdk-7-jre-lib\", pkgver:\"7u85-2.6.1-5ubuntu0.15.04.1\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"openjdk-7-jre-zero\", pkgver:\"7u85-2.6.1-5ubuntu0.15.04.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"icedtea-7-jre-jamvm\", pkgver:\"7u85-2.6.1-5ubuntu0.15.10.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"openjdk-7-jre\", pkgver:\"7u85-2.6.1-5ubuntu0.15.10.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"openjdk-7-jre-headless\", pkgver:\"7u85-2.6.1-5ubuntu0.15.10.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"openjdk-7-jre-lib\", pkgver:\"7u85-2.6.1-5ubuntu0.15.10.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"openjdk-7-jre-zero\", pkgver:\"7u85-2.6.1-5ubuntu0.15.10.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-7-jre-jamvm / openjdk-7-jre / openjdk-7-jre-headless / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T02:02:06", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2015:1920 :\n\nUpdated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "modified": "2020-04-02T00:00:00", "id": "ORACLELINUX_ELSA-2015-1920.NASL", "href": "https://www.tenable.com/plugins/nessus/86521", "published": "2015-10-22T00:00:00", "title": "Oracle Linux 6 / 7 : java-1.7.0-openjdk (ELSA-2015-1920)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:1920 and \n# Oracle Linux Security Advisory ELSA-2015-1920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86521);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2019/09/27 13:00:36\");\n\n script_cve_id(\"CVE-2015-4734\", \"CVE-2015-4803\", \"CVE-2015-4805\", \"CVE-2015-4806\", \"CVE-2015-4835\", \"CVE-2015-4840\", \"CVE-2015-4842\", \"CVE-2015-4843\", \"CVE-2015-4844\", \"CVE-2015-4860\", \"CVE-2015-4872\", \"CVE-2015-4881\", \"CVE-2015-4882\", \"CVE-2015-4883\", \"CVE-2015-4893\", \"CVE-2015-4903\", \"CVE-2015-4911\");\n script_xref(name:\"RHSA\", value:\"2015:1920\");\n\n script_name(english:\"Oracle Linux 6 / 7 : java-1.7.0-openjdk (ELSA-2015-1920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:1920 :\n\nUpdated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI,\nSerialization, and 2D components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to completely bypass Java\nsandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843,\nCVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application\nusing JAXP to consume an excessive amount of CPU and memory when\nparsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to\nproperly check if a certificate satisfied all defined constraints. In\ncertain cases, this could cause a Java application to accept an X.509\ncertificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and\nRMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842,\nCVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting\nthe CVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-October/005464.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-October/005465.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.2.0.1.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.0.1.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.0.1.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.0.1.el6_7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.0.1.el6_7\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.91-2.6.2.1.0.1.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.0.1.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.0.1.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.0.1.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.0.1.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.0.1.el7_1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.0.1.el7_1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "unix", "description": "[1:1.7.0.91-2.6.2.2.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.91-2.6.2.2]\n- added and applied patch500 8072932or8074489.patch to fix tck failure\n- Resolves: rhbz#1271919\n[1:1.7.0.91-2.6.2.1]\n- Bump to 2.6.2 and u91b00.\n- Resolves: rhbz#1271919", "modified": "2015-10-21T00:00:00", "published": "2015-10-21T00:00:00", "id": "ELSA-2015-1920", "href": "http://linux.oracle.com/errata/ELSA-2015-1920.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:11", "bulletinFamily": "unix", "description": "[1:1.8.0.65-0.b17]\n- October 2015 security update to u65b17.\n- Add script for generating OpenJDK tarballs from a local Mercurial tree.\n- Update RH1191652 patch to build against current AArch64 tree.\n- Use appropriate source ID to avoid unpacking both tarballs on AArch64.\n- Fix library removal script so jpeg, giflib and png sources are removed.\n- Update system-lcms.patch to regenerated upstream (8042159) version.\n- Drop LCMS update from rhel6-built.patch\n- Resolves: rhbz#1257654\n[1:1.8.0.51-4.b16]\n- bumped release to do an build, so test whether 1251560 was really fixed\n- Resolves: rhbz#1254197\n[1:1.8.0.60-4.b27]\n- updated to u60 (1255352)\n- Resolves: rhbz#1257654", "modified": "2015-10-21T00:00:00", "published": "2015-10-21T00:00:00", "id": "ELSA-2015-1919", "href": "http://linux.oracle.com/errata/ELSA-2015-1919.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:07", "bulletinFamily": "unix", "description": "[1:1.7.0.91-2.6.2.1.0.1]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Oracle Linux'\n[1:1.7.0.91-2.6.2.1]\n- added and applied patch500 8072932or8074489.patch to fix tck failure\n- Resolves: rhbz#1271918\n[1:1.7.0.91-2.6.2.0]\n- Drop patch for PR2521/RH1242587 now resolved upstream.\n- Resolves: rhbz#1271918\n[1:1.7.0.91-2.6.2.0]\n- Bump to 2.6.2 and u91b00.\n- Resolves: rhbz#1271918", "modified": "2015-10-21T00:00:00", "published": "2015-10-21T00:00:00", "id": "ELSA-2015-1921", "href": "http://linux.oracle.com/errata/ELSA-2015-1921.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:37", "bulletinFamily": "unix", "description": "[1:1.6.0.35-1.13.9.4.0.1.el5_11]\n- Add oracle-enterprise.patch\n[1:1.6.0.37-1.13.9.4]\n- Update with new IcedTea & b37 tarballs, including fix for appletviewer regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.3]\n- Update with new IcedTea & b37 tarballs, including more Kerberos fixes for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.2]\n- Update with new IcedTea & b37 tarballs, including Kerberos fixes for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.1]\n- Update with newer tarball, including 6763122 fix for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.1]\n- Drop java-1.6.0-openjdk-pstack.patch. 6310967, the upstream version, is applied in OpenJDK 6.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.0]\n- Update to IcedTea 1.13.9\n- Resolves: rhbz#1271926", "modified": "2015-11-18T00:00:00", "published": "2015-11-18T00:00:00", "id": "ELSA-2015-2086", "href": "http://linux.oracle.com/errata/ELSA-2015-2086.html", "title": "java-1.6.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2017-06-08T00:16:23", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned INSTALLER-1947 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 \n11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 \n11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| None\n\nIf you are running a version listed in the** Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-12-01T20:07:00", "published": "2015-11-21T01:15:00", "href": "https://support.f5.com/csp/article/K14132811", "id": "F5:K14132811", "type": "f5", "title": "Java vulnerability CVE-2015-4893", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-06-08T00:16:30", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned INSTALLER-1945 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 \n11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 \n11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| Java\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the** Severity** values published in the previous table. The **Severity **values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:33:00", "published": "2015-11-21T01:04:00", "href": "https://support.f5.com/csp/article/K05534090", "id": "F5:K05534090", "title": "Java vulnerability CVE-2015-4803", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-12-01T17:27:59", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the** Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2016-12-01T00:00:00", "published": "2015-11-20T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/14/sol14132811.html", "id": "SOL14132811", "title": "SOL14132811 - Java vulnerability CVE-2015-4893", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:09:48", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the** Severity** values published in the previous table. The **Severity **values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2015-11-20T00:00:00", "published": "2015-11-20T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/05/sol05534090.html", "id": "SOL05534090", "title": "SOL05534090 - Java vulnerability CVE-2015-4803", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "amazon": [{"lastseen": "2019-05-29T19:20:34", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2015-4835 __](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881 __](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843 __](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883 __](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860 __](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805 __](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844 __](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803 __](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893 __](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911 __](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. ([CVE-2015-4872 __](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2015-4806 __](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4840 __](<https://access.redhat.com/security/cve/CVE-2015-4840>), [CVE-2015-4882 __](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842 __](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734 __](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903 __](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.63.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n \n \n", "modified": "2015-10-27T14:14:00", "published": "2015-10-27T14:14:00", "id": "ALAS-2015-605", "href": "https://alas.aws.amazon.com/ALAS-2015-605.html", "title": "Critical: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:45", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2015-4835 __](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881 __](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843 __](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883 __](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860 __](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805 __](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844 __](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803 __](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893 __](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911 __](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nA flaw was found in the way the Libraries component in OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report a revoked certificate, causing the application to accept it as trusted. ([CVE-2015-4868 __](<https://access.redhat.com/security/cve/CVE-2015-4868>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. ([CVE-2015-4872 __](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2015-4806 __](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4840 __](<https://access.redhat.com/security/cve/CVE-2015-4840>), [CVE-2015-4882 __](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842 __](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734 __](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903 __](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.7.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.x86_64 \n \n \n", "modified": "2015-10-27T16:51:00", "published": "2015-10-27T16:51:00", "id": "ALAS-2015-606", "href": "https://alas.aws.amazon.com/ALAS-2015-606.html", "title": "Important: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:25", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2015-4835 __](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881 __](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843 __](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883 __](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860 __](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805 __](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844 __](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803 __](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893 __](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911 __](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. ([CVE-2015-4872 __](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2015-4806 __](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4882 __](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842 __](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734 __](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903 __](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n \n \n", "modified": "2015-12-13T14:17:00", "published": "2015-12-13T14:17:00", "id": "ALAS-2015-616", "href": "https://alas.aws.amazon.com/ALAS-2015-616.html", "title": "Important: java-1.6.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:46", "bulletinFamily": "unix", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n&quot;user.dir&quot; system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4871 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect confidentiality and integrity via unknown vectors\nrelated to Libraries.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.", "modified": "2015-10-23T00:00:00", "published": "2015-10-23T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000419.html", "id": "ASA-201510-17", "title": "jre7-openjdk-headless: multiple issues", "type": "archlinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:47", "bulletinFamily": "unix", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n&quot;user.dir&quot; system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4871 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect confidentiality and integrity via unknown vectors\nrelated to Libraries.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.", "modified": "2015-10-23T00:00:00", "published": "2015-10-23T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000417.html", "id": "ASA-201510-15", "title": "jdk7-openjdk: multiple issues", "type": "archlinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:44", "bulletinFamily": "unix", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n&quot;user.dir&quot; system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4871 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect confidentiality and integrity via unknown vectors\nrelated to Libraries.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.", "modified": "2015-10-23T00:00:00", "published": "2015-10-23T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000418.html", "id": "ASA-201510-16", "title": "jre7-openjdk: multiple issues", "type": "archlinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2019-05-29T17:23:19", "bulletinFamily": "unix", "description": "Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4881, CVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4840, CVE-2015-4842, CVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911)", "modified": "2015-10-28T00:00:00", "published": "2015-10-28T00:00:00", "id": "USN-2784-1", "href": "https://usn.ubuntu.com/2784-1/", "title": "OpenJDK 7 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:46", "bulletinFamily": "unix", "description": "Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4842, CVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)", "modified": "2015-12-03T00:00:00", "published": "2015-12-03T00:00:00", "id": "USN-2827-1", "href": "https://usn.ubuntu.com/2827-1/", "title": "OpenJDK 6 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "aix": [{"lastseen": "2019-05-29T19:19:13", "bulletinFamily": "unix", "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Thu Dec 10 08:51:54 CST 2015\n\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc\n\n \nSecurity Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX\n CVE-2015-4844 CVE-2015-4843 CVE-2015-4805 CVE-2015-4860 CVE-2015-4883\n CVE-2015-4835 CVE-2015-4810 CVE-2015-4806 CVE-2015-4871 CVE-2015-4902\n CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4840 CVE-2015-4842\n CVE-2015-4882 CVE-2015-4903 CVE-2015-4803 CVE-2015-4734 CVE-2015-5006 \n\n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in IBM SDK Java Technology Edition,\n Versions 5, 6, 7, 7.1, 8 that are used by AIX. These issues were disclosed\n as part of the IBM Java SDK updates in October 2015.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2015-4844\n DESCRIPTION: An unspecified vulnerability related to the 2D component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107346 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4843\n DESCRIPTION: An unspecified vulnerability related to the Libraries\n component has complete confidentiality impact, complete integrity\n impact, and complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107342 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4805\n DESCRIPTION: An unspecified vulnerability related to the Serialization\n component has complete confidentiality impact, complete integrity\n impact, and complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107345 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4860\n DESCRIPTION: An unspecified vulnerability related to the RMI component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107344 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4883\n DESCRIPTION: An unspecified vulnerability related to the RMI component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107343 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4835\n DESCRIPTION: An unspecified vulnerability related to the CORBA component\n has complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107340 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4810\n DESCRIPTION: An unspecified vulnerability related to the Deployment\n component has complete confidentiality impact, complete integrity\n impact, and complete availability impact.\n CVSS Base Score: 6.9\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107349 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4806\n DESCRIPTION: An unspecified vulnerability related to the Libraries\n component has partial confidentiality impact, partial integrity impact,\n and no availability impact.\n CVSS Base Score: 6.4\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107350 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n CVEID: CVE-2015-4871\n DESCRIPTION: An unspecified vulnerability related to the Libraries\n component has partial confidentiality impact, partial integrity impact,\n and no availability impact.\n CVSS Base Score: 5.8\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107351 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n CVEID: CVE-2015-4902\n DESCRIPTION: An unspecified vulnerability related to the Deployment\n component has no confidentiality impact, partial integrity impact, and\n no availability impact.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107352 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n CVEID: CVE-2015-4872\n DESCRIPTION: An unspecified vulnerability related to the Security\n component has no confidentiality impact, partial integrity impact,\n and no availability impact.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n CVEID: CVE-2015-4911\n DESCRIPTION: An unspecified vulnerability related to the JAXP component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107360 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2015-4893\n DESCRIPTION: An unspecified vulnerability related to the JAXP component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107359 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2015-4840\n DESCRIPTION: An unspecified vulnerability related to the 2D component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107353 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-4842\n DESCRIPTION: An unspecified vulnerability related to the JAXP component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107355 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-4882\n DESCRIPTION: An unspecified vulnerability related to the CORBA component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107354 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2015-4903\n DESCRIPTION: An unspecified vulnerability related to the RMI component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107357 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-4803\n DESCRIPTION: An unspecified vulnerability related to the JAXP component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107358 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2015-4734\n DESCRIPTION: An unspecified vulnerability related to the JGSS component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107356 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-5006\n DESCRIPTION: IBM Java Security Components could allow an attacker with\n physical access to the system to obtain sensitive information from the\n Kerberos Credential Cache.\n CVSS Base Score: 4.6\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/106309 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n\n The following fileset levels (VRMF) are vulnerable, if the \n respective Java version is installed:\n For Java5: Less than 5.0.0.620\n For Java6: Less than 6.0.0.510\n For Java7: Less than 7.0.0.270\n For Java7.1: Less than 7.1.0.150\n For Java8: Less than 8.0.0.70\n\n Note: to find out whether the affected Java filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i java\n\n\n REMEDIATION:\n\n IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 \n Fix Pack 14 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix \n Pack 15 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix\n Pack 20 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all \n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3\n Fix Pack 20 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all \n\n IBM SDK, Java Technology Edition, Version 8 Service Refresh 2\n and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+32-bit,+pSeries&function=all \n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n Note regarding CVE-2015-4911\n This was addressed by IBM in June 2008. As a reminder, users of Java 6\n and above should refer to the IBM XL XP-J documentation for the\n javax.xml.stream.supportDTD property for information to help avoid this\n vulnerability.\n\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v2 Guide:\n http://www.first.org/cvss/v2/guide \n On-line Calculator v2:\n http://nvd.nist.gov/CVSS-v2-Calculator \n Complete CVSS v3 Guide:\n http://www.first.org/cvss/user-guide \n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0 \n IBM Java SDK Security Bulletin: \n http://www-01.ibm.com/support/docview.wss?uid=swg21969225\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Thu Dec 10 08:51:54 CST 2015 \n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n \n\n", "modified": "2015-12-10T08:51:54", "published": "2015-12-10T08:51:54", "id": "JAVA_OCT2015_ADVISORY.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc", "title": "Multiple vulnerabilities in IBM Java SDK affect AIX", "type": "aix", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}