Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.IBM_JAVA_2019_07_16.NASL
HistoryApr 29, 2022 - 12:00 a.m.

IBM Java 7.0 < 7.0.10.50 / 7.1 < 7.1.4.50 / 8.0 < 8.0.5.40 Multiple Vulnerabilities

2022-04-2900:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11

7 High

AI Score

Confidence

Low

JSON

The version of IBM Java installed on the remote host is prior to 7.0 < 7.0.10.50 / 7.1 < 7.1.4.50 / 8.0 < 8.0.5.40. It is, therefore, affected by multiple vulnerabilities as referenced in the Oracle July 16 2019 CPU advisory.

  • Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities).
    Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded:
    8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2019-2762, CVE-2019-2769)

  • Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking).
    Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded:
    8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2019-2766)

  • Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security).
    Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211.
    Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2019-2786)

  • Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking).
    Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded:
    8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2019-2816)

  • png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. (CVE-2019-7317)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(160365);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/01");

  script_cve_id(
    "CVE-2019-2762",
    "CVE-2019-2766",
    "CVE-2019-2769",
    "CVE-2019-2786",
    "CVE-2019-2816",
    "CVE-2019-7317"
  );
  script_xref(name:"IAVA", value:"2019-A-0255");
  script_xref(name:"IAVA", value:"2021-A-0484");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");
  script_xref(name:"IAVA", value:"2021-A-0193-S");

  script_name(english:"IBM Java 7.0 < 7.0.10.50 / 7.1 < 7.1.4.50 / 8.0 < 8.0.5.40 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"IBM Java is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of IBM Java installed on the remote host is prior to 7.0 < 7.0.10.50 / 7.1 < 7.1.4.50 / 8.0 < 8.0.5.40. It
is, therefore, affected by multiple vulnerabilities as referenced in the Oracle July 16 2019 CPU advisory.

  - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities).
    Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded:
    8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple
    protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web
    Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code
    that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be
    exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the
    APIs. (CVE-2019-2762, CVE-2019-2769)

  - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking).
    Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded:
    8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple
    protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a
    person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read
    access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java
    deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets
    (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the
    Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified
    Component, e.g., through a web service which supplies data to the APIs. (CVE-2019-2766)

  - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security).
    Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211.
    Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple
    protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a
    person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may
    significantly impact additional products. Successful attacks of this vulnerability can result in
    unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This
    vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start
    applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that
    comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be
    exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the
    APIs. (CVE-2019-2786)

  - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking).
    Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded:
    8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple
    protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in
    unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well
    as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This
    vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start
    applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that
    comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be
    exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the
    APIs. (CVE-2019-2816)

  - png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function
    is called under png_safe_execute. (CVE-2019-7317)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IJ17990");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IJ17991");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IJ17992");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IJ17993");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IJ17994");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1IJ17995");
  # https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities#Oracle_July_16_2019_CPU
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?abf5efe1");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the Oracle July 16 2019 CPU advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2816");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/04/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:java");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ibm_java_nix_installed.nbin", "ibm_java_win_installed.nbin");
  script_require_keys("installed_sw/Java");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var app_list = ['IBM Java'];
var app_info = vcf::java::get_app_info(app:app_list);

var constraints = [
  { 'min_version' : '7.0.0', 'fixed_version' : '7.0.10.50' },
  { 'min_version' : '7.1.0', 'fixed_version' : '7.1.4.50' },
  { 'min_version' : '8.0.0', 'fixed_version' : '8.0.5.40' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
VendorProductVersionCPE
ibmjavacpe:/a:ibm:java

Related

ibm 55
openvas 17
nessus 68
suse 2
redhat 13
amazon 5
ubuntu 3
f5 2
aix 1
kaspersky 1
debian 5
oraclelinux 7
osv 4
mageia 1
centos 5
photon 1
prion 1
veracode 1
cloudfoundry 1
ubuntucve 1
debiancve 1
fedora 1
rosalinux 1
redhatcve 1
archlinux 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium
2021-10-06 12:37:14
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium
2020-01-14 15:11:47
Security Bulletin: A security vulnerability in IBM SDK which affects Db2 Query Management Facility (CVE-2019-2816, CVE-2019-2766, CVE-2019-2786, CVE-2019-2769, CVE-2019-2762, CVE-2019-7317)
2019-11-14 05:05:02
openvas
openvas
Oracle Java SE Security Updates (jul2019-5072835) 03 - Linux
2019-07-17 00:00:00
Oracle Java SE Security Updates (jul2019-5072835) 03 - Windows
2019-07-17 00:00:00
openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2019:1912-1)
2019-08-16 00:00:00
nessus
nessus
SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2019:2036-1)
2019-08-12 00:00:00
Amazon Corretto Java 8.x < 8.222.10.1 Multiple Vulnerabilities
2022-04-01 00:00:00
SUSE SLED15 / SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2019:2021-1)
2019-08-12 00:00:00
suse
suse
Security update for java-1_8_0-openjdk (important)
2019-08-15 00:00:00
Security update for java-11-openjdk (important)
2019-08-15 00:00:00
redhat
redhat
(RHSA-2019:2495) Important: java-1.7.1-ibm security update
2019-08-15 08:51:41
(RHSA-2019:2590) Important: java-1.8.0-ibm security update
2019-09-02 07:32:56
(RHSA-2019:2737) Important: java-1.8.0-ibm security update
2019-09-11 13:12:25
amazon
amazon
Medium: java-11-amazon-corretto
2019-07-18 17:37:00
Medium: java-1.7.0-openjdk
2019-08-23 16:53:00
Medium: java-1.8.0-openjdk
2019-08-23 16:55:00
ubuntu
ubuntu
OpenJDK 11 vulnerabilities
2019-07-31 00:00:00
OpenJDK 8 vulnerabilities
2019-07-31 00:00:00
libpng vulnerability
2019-04-30 00:00:00
f5
f5
K000133456 : OpenJDK vulnerabilities CVE-2019-2766, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2842
2023-04-10 00:00:00
K000132245 : libpng vulnerability CVE-2019-7317
2023-01-26 00:00:00
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2019-10-09 13:12:20
kaspersky
kaspersky
KLA11520 Multiple vulnerabilities in Oracle Java
2019-07-16 00:00:00
debian
debian
[SECURITY] [DSA 4485-1] openjdk-8 security update
2019-07-21 18:01:49
[SECURITY] [DLA 1886-1] openjdk-7 security update
2019-08-15 21:57:38
[SECURITY] [DSA 4486-1] openjdk-11 security update
2019-07-21 18:05:03
oraclelinux
oraclelinux
java-1.8.0-openjdk security update
2019-07-30 00:00:00
java-1.8.0-openjdk security update
2019-07-22 00:00:00
java-1.7.0-openjdk security update
2019-07-24 00:00:00
osv
osv
openjdk-8 - security update
2019-07-21 00:00:00
openjdk-7 - security update
2019-08-15 00:00:00
openjdk-11 - security update
2019-07-21 00:00:00
mageia
mageia
Updated java-1.8.0-openjdk packages fix security vulnerabilities
2019-09-07 00:09:08
centos
centos
java security update
2019-07-24 20:18:47
java security update
2019-07-24 20:29:31
java security update
2019-07-24 20:27:45
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-1.0-0250
2019-09-10 00:00:00
prion
prion
Design/Logic Flaw
2019-02-04 08:29:00
veracode
veracode
Denial Of Service (DoS)
2019-04-29 11:37:35
cloudfoundry
cloudfoundry
USN-3962-1: libpng vulnerability | Cloud Foundry
2019-05-01 00:00:00
ubuntucve
ubuntucve
CVE-2019-7317
2019-02-04 00:00:00
debiancve
debiancve
CVE-2019-7317
2019-02-04 08:29:00
fedora
fedora
[SECURITY] Fedora 29 Update: libpng-1.6.34-7.fc29
2019-02-12 02:58:45
rosalinux
rosalinux
Advisory ROSA-SA-2024-2328
2024-01-23 12:26:31
redhatcve
redhatcve
CVE-2019-7317
2020-03-30 01:52:36
archlinux
archlinux
[ASA-201904-10] libpng: denial of service
2019-04-24 00:00:00

7 High

AI Score

Confidence

Low

JSON
Related for IBM_JAVA_2019_07_16.NASL
ibm55openvas17nessus68suse2redhat13amazon5ubuntu3f52aix1kaspersky1debian5oraclelinux7osv4mageia1centos5photon1prion1veracode1cloudfoundry1ubuntucve1debiancve1fedora1rosalinux1redhatcve1archlinux1