Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.OPENSUSE-2021-1666.NASL
HistoryJul 16, 2021 - 12:00 a.m.

openSUSE 15 Security Update : java-1_8_0-openj9 (openSUSE-SU-2021:1666-1)

2021-07-1600:00:00
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11

5.2 Medium

AI Score

Confidence

High

JSON

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1666-1 advisory.

  • Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16;
    Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N). (CVE-2021-2163)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from
# openSUSE Security Update openSUSE-SU-2021:1666-1. The text itself
# is copyright (C) SUSE.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(151747);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/08");

  script_cve_id("CVE-2021-2163");
  script_xref(name:"IAVA", value:"2021-A-0195");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"openSUSE 15 Security Update : java-1_8_0-openj9 (openSUSE-SU-2021:1666-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the
openSUSE-SU-2021:1666-1 advisory.

  - Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java
    SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16;
    Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to
    exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to
    compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human
    interaction from a person other than the attacker. Successful attacks of this vulnerability can result in
    unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded,
    Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments
    that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox
    for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N). (CVE-2021-2163)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1185055");
  # https://lists.opensuse.org/archives/list/[email protected]/thread/CMIXIE2QCSQNEBZOFYWWIWYINHYQA6A5/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9a5ea614");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-2163");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-2163");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_8_0-openj9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_8_0-openj9-accessibility");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_8_0-openj9-demo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_8_0-openj9-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_8_0-openj9-headless");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_8_0-openj9-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_8_0-openj9-src");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.3");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item('Host/SuSE/release');
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, 'openSUSE');
os_ver = pregmatch(pattern: "^SUSE([\d.]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');
os_ver = os_ver[1];
if (release !~ "^(SUSE15\.3)$") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);

pkgs = [
    {'reference':'java-1_8_0-openj9-1.8.0.292-3.14.1', 'cpu':'s390x', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-1.8.0.292-3.14.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-accessibility-1.8.0.292-3.14.1', 'cpu':'s390x', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-accessibility-1.8.0.292-3.14.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-demo-1.8.0.292-3.14.1', 'cpu':'s390x', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-demo-1.8.0.292-3.14.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-devel-1.8.0.292-3.14.1', 'cpu':'s390x', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-devel-1.8.0.292-3.14.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-headless-1.8.0.292-3.14.1', 'cpu':'s390x', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-headless-1.8.0.292-3.14.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-javadoc-1.8.0.292-3.14.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-src-1.8.0.292-3.14.1', 'cpu':'s390x', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'java-1_8_0-openj9-src-1.8.0.292-3.14.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}
];

flag = 0;
foreach package_array ( pkgs ) {
  reference = NULL;
  release = NULL;
  cpu = NULL;
  rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = package_array['release'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && release) {
    if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1_8_0-openj9 / java-1_8_0-openj9-accessibility / etc');
}
VendorProductVersionCPE
novellopensusejava-1_8_0-openj9p-cpe:/a:novell:opensuse:java-1_8_0-openj9
novellopensusejava-1_8_0-openj9-accessibilityp-cpe:/a:novell:opensuse:java-1_8_0-openj9-accessibility
novellopensusejava-1_8_0-openj9-demop-cpe:/a:novell:opensuse:java-1_8_0-openj9-demo
novellopensusejava-1_8_0-openj9-develp-cpe:/a:novell:opensuse:java-1_8_0-openj9-devel
novellopensusejava-1_8_0-openj9-headlessp-cpe:/a:novell:opensuse:java-1_8_0-openj9-headless
novellopensusejava-1_8_0-openj9-javadocp-cpe:/a:novell:opensuse:java-1_8_0-openj9-javadoc
novellopensusejava-1_8_0-openj9-srcp-cpe:/a:novell:opensuse:java-1_8_0-openj9-src
novellopensuse15.3cpe:/o:novell:opensuse:15.3

Related

nessus 51
oraclelinux 4
veracode 1
ibm 60
osv 4
debiancve 1
redhatcve 1
redhat 16
openvas 31
centos 2
prion 1
amazon 1
cve 1
almalinux 2
ubuntucve 1
f5 1
alpinelinux 1
ubuntu 1
suse 8
fedora 6
kaspersky 1
debian 1
mageia 1
rosalinux 1
aix 1
nessus
nessus
RHEL 8 : java-11-openjdk (RHSA-2021:1306)
2021-04-21 00:00:00
RHEL 8 : java-1.8.0-openjdk (RHSA-2021:1299)
2021-04-21 00:00:00
RHEL 8 : java-11-openjdk (RHSA-2021:1305)
2021-04-29 00:00:00
oraclelinux
oraclelinux
java-1.8.0-openjdk security update
2021-04-21 00:00:00
java-11-openjdk security update
2021-04-21 00:00:00
java-11-openjdk security and bug fix update
2021-04-21 00:00:00
veracode
veracode
Authorization Bypass
2021-04-24 22:10:55
ibm
ibm
Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - April 2021 - Includes Oracle April 2021 CPU minus CVE-2021-2163
2021-06-04 19:53:12
Security Bulletin: IBM Sterling Control Center is vulnerable to unauthenticated data manipulation due to Java SE (CVE-2021-2163)
2022-11-23 21:30:11
Security Bulletin: A security vulnerability has been identified in IBM Java SDK affecting WebSphere Application Server and WebSphere Application Server Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2021-2163)
2022-09-15 11:45:52
osv
osv
openjdk-8 - security update
2021-04-23 00:00:00
CVE-2021-2163
2021-04-22 22:15:13
openjdk-8, openjdk-lts vulnerability
2021-04-27 16:49:59
debiancve
debiancve
CVE-2021-2163
2021-04-22 22:15:00
redhatcve
redhatcve
CVE-2021-2163
2021-04-20 20:43:56
redhat
redhat
(RHSA-2021:1299) Moderate: java-1.8.0-openjdk security update
2021-04-20 20:57:45
(RHSA-2022:6755) Moderate: java-1.7.1-ibm security update
2022-09-29 15:03:21
(RHSA-2021:1444) Moderate: OpenJDK 8u292 Security Update for Portable Linux Builds
2021-04-28 12:29:11
openvas
openvas
Ubuntu: Security Advisory (USN-4892-1)
2021-04-30 00:00:00
CentOS: Security Advisory for java-11-openjdk (CESA-2021:1297)
2021-05-01 00:00:00
Debian: Security Advisory (DLA-2634-1)
2021-04-24 00:00:00
centos
centos
java security update
2021-04-29 17:56:29
java security update
2021-04-29 17:55:30
prion
prion
Design/Logic Flaw
2021-04-22 22:15:00
amazon
amazon
Medium: java-1.8.0-openjdk
2021-07-08 18:38:00
cve
cve
CVE-2021-2163
2021-04-22 22:15:00
almalinux
almalinux
Moderate: java-11-openjdk security update
2021-04-20 21:33:58
Moderate: java-1.8.0-openjdk security update
2021-04-20 20:58:47
ubuntucve
ubuntucve
CVE-2021-2163
2021-04-20 00:00:00
f5
f5
K71522481 : Java vulnerability CVE-2021-2163
2022-12-06 00:00:00
alpinelinux
alpinelinux
CVE-2021-2163
2021-04-22 22:15:00
ubuntu
ubuntu
OpenJDK vulnerability
2021-04-27 00:00:00
suse
suse
Security update for java-1_8_0-openjdk (moderate)
2021-07-11 00:00:00
Security update for java-1_8_0-openj9 (moderate)
2021-07-11 00:00:00
Security update for java-1_8_0-openj9 (moderate)
2021-05-23 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: java-1.8.0-openjdk-1.8.0.292.b10-0.fc32
2021-04-30 01:07:06
[SECURITY] Fedora 34 Update: java-11-openjdk-11.0.11.0.9-0.fc34
2021-04-26 00:27:09
[SECURITY] Fedora 32 Update: java-11-openjdk-11.0.11.0.9-0.fc32
2021-05-01 01:31:17
kaspersky
kaspersky
KLA12159 Multiple vulnerabilities in Oracle Java SE
2021-04-20 00:00:00
debian
debian
[SECURITY] [DLA 2634-1] openjdk-8 security update
2021-04-23 11:31:18
mageia
mageia
Updated java-openjdk packages fix security vulnerabilities
2021-06-29 01:51:23
rosalinux
rosalinux
Advisory ROSA-SA-2023-2133
2023-03-21 12:31:42
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2022-12-22 10:09:37

5.2 Medium

AI Score

Confidence

High

JSON
Related for OPENSUSE-2021-1666.NASL
nessus51oraclelinux4veracode1ibm60osv4debiancve1redhatcve1redhat16openvas31centos2prion1amazon1cve1almalinux2ubuntucve1f51alpinelinux1ubuntu1suse8fedora6kaspersky1debian1mageia1rosalinux1aix1