MiracleLinux 3 : java-1.6.0-openjdk-1.6.0.0-4.1.13.1.AXS3.0.1 (AXSA:2014-244:01)

🗓️ 16 Jan 2026 00:00:00Reported by TenableType

MiracleLinux 3 OpenJDK 1.6.0 vulnerable to several CVEs per AXSA 2014 advisory.

Reporter	Title	Published	Views	Family All 460
IBM Security Bulletins	Security Bulletin: Java vulnerability issue on IBM Storwize V7000 Unified system (CVE-2014-0411)	18 Jun 201800:08	–	ibm
IBM Security Bulletins	How to download interim fixes to patch IBM JRE CVEs	17 Jun 201814:48	–	ibm
IBM Security Bulletins	Security Bulletin: Rational License Key Server Administration and Reporting Tool vulnerability (CVE-2014-0411)	17 Jun 201804:52	–	ibm
IBM Security Bulletins	Security Bulletin: Information regarding security vulnerability in IBM SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server and addressed by Oracle CPU January 2014	15 Jun 201806:59	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in IBM Content Classification (CVE-2013-5879, CVE-2014-0411)	17 Jun 201811:42	–	ibm
IBM Security Bulletins	Security Bulletin: Java vulnerability issue on IBM SONAS (CVE-2014-0411)	18 Jun 201800:07	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Content Collector for SAP Applications affected by vulnerabilities in IBM SDK Java™ Technology Edition, Version 6 and Version 7 (CVE-2014-3566, CVE-2014-4244, CVE-2014-4263, CVE-2014-6457, CVE-2014-6468)	17 Jun 201812:09	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Tivoli Composite Application Manager for Transactions affected by multiple vulnerabilities in IBM JRE (Multiple CVEs)	17 Jun 201814:41	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities exist in the current IBM SDK for Java used in IBM System Networking Switch Center (CVE-2014-0411 & CVE-2014-0460)	8 Jul 201916:13	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server January 2014 CPU	15 Jun 201806:59	–	ibm

Source	Link
tsn	www.tsn.miraclelinux.com/en/node/4680
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2014-244:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(289735);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/16");

  script_cve_id(
    "CVE-2013-5878",
    "CVE-2013-5884",
    "CVE-2013-5896",
    "CVE-2013-5907",
    "CVE-2013-5910",
    "CVE-2014-0368",
    "CVE-2014-0373",
    "CVE-2014-0376",
    "CVE-2014-0411",
    "CVE-2014-0416",
    "CVE-2014-0422",
    "CVE-2014-0423",
    "CVE-2014-0428"
  );

  script_name(english:"MiracleLinux 3 : java-1.6.0-openjdk-1.6.0.0-4.1.13.1.AXS3.0.1 (AXSA:2014-244:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2014-244:01 advisory.

    The OpenJDK runtime environment.
    Security issues fixed with this release:
     CVE-2013-5878
    Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows
    remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to
    Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-
    party claims that the the Security component does not properly handle null XML namespace (xmlns)
    attributes during XML document canonicalization, which allows attackers to escape the sandbox.
     CVE-2013-5884
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7
    allows remote attackers to affect confidentiality via vectors related to CORBA. NOTE: the previous
    information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is
    related to an incorrect check for code permissions by CORBA stub factories.
     CVE-2013-5896
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7
    allows remote attackers to affect availability via vectors related to CORBA. NOTE: the previous
    information is from the January 2014 CPU. Oracle has not commented on third-party claims that
    com.sun.corba.se and its sub-packages are not included on the restricted package list.
     CVE-2013-5907
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE
    Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and
    availability via unknown vectors related to 2D. NOTE: the previous information is from the January 2014
    CPU. Oracle has not commented on third-party claims that the issue is due to incorrect input validation in
    LookupProcessor.cpp in the ICU Layout Engine, which allows attackers to cause a denial of service (crash)
    or possibly execute arbitrary code via a crafted font file.
     CVE-2013-5910
     Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows
    remote attackers to affect integrity via unknown vectors related to Security. NOTE: the previous
    information is from the January 2014 CPU. Oracle has not commented on third-party claims that
    CanonicalizerBase.java in the XML canonicalizer allows untrusted code to access mutable byte arrays.
     CVE-2014-0368
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java SE Embedded 7u45, allows
    remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous
    information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is
    related to incorrect permission checks when listening on a socket, which allows attackers to escape the
    sandbox.
     CVE-2014-0373
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and OpenJDK 7, allows remote
    attackers to affect confidentiality, integrity, and availability via unknown vectors related to
    Serviceability. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on
    third-party claims that the issue is related to throwing of an incorrect exception when
    SnmpStatusException should have been used in the SNMP implementation, which allows attackers to escape the
    sandbox.
     CVE-2014-0376
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7
    allows remote attackers to affect integrity via vectors related to JAXP. NOTE: the previous information is
    from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an
    improper check for code permissions when creating document builder factories.
     CVE-2014-0411
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE
    Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality and integrity via vectors
    related to JSSE. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on
    third-party claims that this issue allows remote attackers to obtain sensitive information about
    encryption keys via a timing discrepancy during the TLS/SSL handshake.
     CVE-2014-0416
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7
    allows remote attackers to affect integrity via vectors related to JAAS. NOTE: the previous information is
    from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to how
    principals are set for the Subject class, which allows attackers to escape the sandbox using
    deserialization of a crafted Subject instance.
     CVE-2014-0422
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7
    allows remote attackers to affect confidentiality, integrity, and availability via vectors related to
    JNDI. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party
    claims that the issue is related to missing package access checks in the Naming / JNDI component, which
    allows attackers to escape the sandbox.
     CVE-2014-0423
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE
    Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and availability
    via unknown vectors related to Beans. NOTE: the previous information is from the January 2014 CPU. Oracle
    has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability in
    DocumentHandler.java, related to Beans decoding.
     CVE-2014-0428
     Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7
    allows remote attackers to affect confidentiality, integrity, and availability via vectors related to
    CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-
    party claims that the issue is related to insufficient security checks in IIOP streams, which allows
    attackers to escape the sandbox.
    Enhancement:
     Updated an expired GlobalSign Certification Authority certificate in the
    /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0[.x86_64]/jre/lib/security/cacerts file.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/4680");
  script_set_attribute(attribute:"solution", value:
"Update the affected java-1.6.0-openjdk and / or java-1.6.0-openjdk-devel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0428");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2014-0411");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:java-1.6.0-openjdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:java-1.6.0-openjdk-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 3.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'java-1.6.0-openjdk-1.6.0.0-4.1.13.1.AXS3.0.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'java-1.6.0-openjdk-devel-1.6.0.0-4.1.13.1.AXS3.0.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.6.0-openjdk / java-1.6.0-openjdk-devel');
}

16 Jan 2026 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 210

EPSS0.16596