MiracleLinux 4 : java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.AXS4 (AXSA:2013-428:03)

🗓️ 16 Jan 2026 00:00:00Reported by TenableType

MiracleLinux 4 OpenJDK runtime fixes multiple CVEs per AXSA-2013-428:03 advisory.

Reporter	Title	Published	Views	Family All 716
0day.today	Java Web Start Launcher ActiveX Control - Memory Corruption	18 Apr 201300:00	–	zdt
0day.today	Java Applet Driver Manager Privileged toString() Remote Code Execution	10 Jun 201300:00	–	zdt
IBM Security Bulletins	Security Bulletin: WebSphere Application Server - IBM SDK for Java April 2013 CPU	26 Sep 202205:45	–	ibm
IBM Security Bulletins	Security Bulletin: WebSphere Application Server Community Edition 3.0.0.3 Oracle CPU April 2013	25 Sep 202221:06	–	ibm
IBM Security Bulletins	Security Bulletin: Tivoli Storage Productivity Center - Oracle CPU February 2013, April 2013	19 Aug 202218:23	–	ibm
IBM Security Bulletins	Security Bulletin: RMI vulnerability in Java, as used with WebSphere eXtreme Scale	25 Sep 202223:13	–	ibm
IBM Security Bulletins	IBM WebSphere Cast Iron Security Bulletin: Multiple security vulnerabilities in IBM JRE 6	15 Jun 201806:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM WebSphere Lombardi Edition – Information regarding security vulnerability in IBM SDK for Java that shipped with IBM WebSphere Application Server and addressed by Oracle CPU April 2013 (CVE-2013-0169)	25 Sep 202221:06	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Security Vulnerabilities in IBM Sterling Control Center	25 Sep 202223:09	–	ibm
IBM Security Bulletins	Security Bulletin: Rational Host On-Demand clients affected by vulnerabilities in IBM JRE	3 Aug 201804:23	–	ibm

Source	Link
tsn	www.tsn.miraclelinux.com/en/node/4092
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2013-428:03.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(289556);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/09");

  script_cve_id(
    "CVE-2013-0401",
    "CVE-2013-1488",
    "CVE-2013-1518",
    "CVE-2013-1537",
    "CVE-2013-1557",
    "CVE-2013-1558",
    "CVE-2013-1569",
    "CVE-2013-2383",
    "CVE-2013-2384",
    "CVE-2013-2415",
    "CVE-2013-2417",
    "CVE-2013-2419",
    "CVE-2013-2420",
    "CVE-2013-2421",
    "CVE-2013-2422",
    "CVE-2013-2424",
    "CVE-2013-2426",
    "CVE-2013-2429",
    "CVE-2013-2430",
    "CVE-2013-2431"
  );

  script_name(english:"MiracleLinux 4 : java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.AXS4 (AXSA:2013-428:03)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2013-428:03 advisory.

    The OpenJDK runtime environment.
    Security issues fixed with this release:
     CVE-2013-0401
    The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and
    earlier, and 5.0 Update 41 and earlier allows remote attackers to execute arbitrary code via vectors
    related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013.
     CVE-2013-1488
    The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote
    attackers to execute arbitrary code via unspecified vectors involving reflection and Libraries, as
    demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.
     CVE-2013-1518
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality, integrity, and availability via vectors related to JAXP.
     CVE-2013-1537
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality, integrity, and availability via vectors related to RMI.
     CVE-2013-1557
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality, integrity, and availability via vectors related to RMI.
     CVE-2013-1558
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and
    availability via unknown vectors related to Beans.
     CVE-2013-1569
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability
    than CVE-2013-2383, CVE-2013-2384, and CVE-2013-2420.
     CVE-2013-2383
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability
    than CVE-2013-1569, CVE-2013-2384, and CVE-2013-2420.
     CVE-2013-2384
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability
    than CVE-2013-1569, CVE-2013-2383, and CVE-2013-2420.
     CVE-2013-2415
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier allows local users to affect confidentiality via vectors related to JAX-WS.
     CVE-2013-2417
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    availability via unknown vectors related to Networking.
     CVE-2013-2419
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    availability via unknown vectors related to 2D.
     CVE-2013-2420
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability
    than CVE-2013-1569, CVE-2013-2383, and CVE-2013-2384.
     CVE-2013-2421
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown
    vectors related to HotSpot.
     CVE-2013-2422
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and
    availability via unknown vectors related to Libraries.
     CVE-2013-2424
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality via vectors related to JMX.
     CVE-2013-2426
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown
    vectors related to Libraries, a different vulnerability than CVE-2013-1488 and CVE-2013-2436.
     CVE-2013-2429
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect
    confidentiality, integrity, and availability via unknown vectors related to ImageIO.
     CVE-2013-2430
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows
    remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
    ImageIO.
     CVE-2013-2431
    Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
    and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown
    vectors related to HotSpot.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/4092");
  script_set_attribute(attribute:"solution", value:
"Update the affected java-1.6.0-openjdk, java-1.6.0-openjdk-devel and / or java-1.6.0-openjdk-javadoc packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-2431");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2013-1488");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Java Applet Driver Manager Privileged toString() Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:java-1.6.0-openjdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:java-1.6.0-openjdk-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:java-1.6.0-openjdk-javadoc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:4");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 4.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.AXS4', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.AXS4', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.AXS4', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.6.0-openjdk / java-1.6.0-openjdk-devel / etc');
}

09 Feb 2026 00:00Current

7.7High risk

Vulners AI Score7.7

CVSS 210

EPSS0.86252