Oracle Java SE Multiple Vulnerabilities (October 2018 CPU)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(118228);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2018-3136",
    "CVE-2018-3139",
    "CVE-2018-3149",
    "CVE-2018-3150",
    "CVE-2018-3157",
    "CVE-2018-3169",
    "CVE-2018-3180",
    "CVE-2018-3183",
    "CVE-2018-3209",
    "CVE-2018-3211",
    "CVE-2018-3214",
    "CVE-2018-13785"
  );
  script_bugtraq_id(
    105587,
    105590,
    105591,
    105595,
    105597,
    105599,
    105601,
    105602,
    105608,
    105615,
    105617,
    105622
  );

  script_name(english:"Oracle Java SE Multiple Vulnerabilities (October 2018 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a programming platform that is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle (formerly Sun) Java SE or Java for Business
installed on the remote host is prior to 11 Update 1, 8 Update 191,
7 Update 201, or 6 Update 211. It is, therefore, affected by
multiple vulnerabilities related to the following components :

  - An unspecified vulnerability in the Java SE, Java SE
    Embedded component of Oracle Java SE in the Deployment
    (libpng) subcomponent could allow an unauthenticated,
    remote attacker with network access via HTTP to
    compromise Java SE, Java SE Embedded. (CVE-2018-13785)

  - An unspecified vulnerability in the Java SE, Java SE
    Embedded component of Oracle Java SE in the Hotspot
    subcomponent could allow an unauthenticated, remote
    attacker with network access via multiple protocols to
    compromise Java SE, Java SE Embedded. (CVE-2018-3169)

  - An unspecified vulnerability in the Java SE component
    of Oracle Java SE in the JavaFX subcomponent could allow
    an unauthenticated, remote attacker with network access
    via multiple protocols to compromise Java SE.
    (CVE-2018-3209)

  - An unspecified vulnerability in the Java SE, Java SE
    Embedded, JRockit component of Oracle Java SE in the
    JNDI subcomponent could allow an unauthenticated, remote
    attacker with network access via multiple protocols to
    compromise Java SE, Java SE Embedded, JRockit.
    (CVE-2018-3149)
 
  - An unspecified vulnerability in the Java SE, Java SE
    Embedded, JRockit component of Oracle Java SE in the
    JSSE subcomponent could allow an unauthenticated,
    remote attacker with network access via SSL/TLS to
    compromise Java SE, Java SE Embedded, JRockit.
    (CVE-2018-3180)

  - An unspecified vulnerability in the Java SE, Java SE
    Embedded component of Oracle Java SE in the
    Networking subcomponent could allow an unauthenticated,
    remote attacker with network access via multiple
    protocols to compromise Java SE, Java SE Embedded.
    (CVE-2018-3139)

  - An unspecified vulnerability in the Java SE, Java SE
    Embedded, JRockit component of Oracle Java SE in the
    Scripting subcomponent could allow an unauthenticated,
    remote attacker with network access via multiple
    protocols to compromise Java SE, Java SE Embedded,
    JRockit. (CVE-2018-3183)

  - An unspecified vulnerability in the Java SE, Java SE
    Embedded component of Oracle Java SE in the Security
    subcomponent could allow an unauthenticated, remote
    attacker with network access via multiple protocols to
    compromise Java SE, Java SE Embedded. (CVE-2018-3136)

  - An unspecified vulnerability in the Java SE, Java SE
    Embedded component of Oracle Java SE in the
    Serviceability subcomponent could allow a low privileged
    attacker with logon to the infrastructure where Java SE,
    Java SE Embedded executes to compromise Java SE, Java SE
    Embedded. (CVE-2018-3211)

  - An unspecified vulnerability in the Java SE component of
    Oracle Java SE in the Sound subcomponent could allow an
    unauthenticated, remote attacker with network access via
    multiple protocols to compromise Java SE.
    (CVE-2018-3157)

  - An unspecified vulnerability in the Java SE component of
    Oracle Java SE in the Utility subcomponent could allow
    an unauthenticated, remote attacker with network access
    via multiple protocols to compromise Java SE.
    (CVE-2018-3150)

Please consult the CVRF details for the applicable CVEs for
additional information.

Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?705136d8");
  # https://www.oracle.com/technetwork/java/javase/11-0-1-relnotes-5032023.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?278f2590");
  # https://www.oracle.com/technetwork/java/javase/8u191-relnotes-5032181.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?adc8ef52");
  # https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2fbcacca");
  # https://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?de812f33");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle JDK / JRE 11 Update 1, 8 Update 191 / 7 Update 201 /
6 Update 211 or later. If necessary, remove any affected versions.

Note that an Extended Support contract with Oracle is needed to obtain
JDK / JRE 6 Update 95 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3183");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("sun_java_jre_installed.nasl");
  script_require_keys("SMB/Java/JRE/Installed");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Check each installed JRE.
installs = get_kb_list_or_exit("SMB/Java/JRE/*");

info = "";
vuln = 0;
installed_versions = "";

foreach install (list_uniq(keys(installs)))
{
  ver = install - "SMB/Java/JRE/";
  if (ver !~ "^[0-9.]+") continue;

  installed_versions = installed_versions + " & " + ver;

  # Fixes : (JDK|JRE) 11 Update 1 / 8 Update 191 / 7 Update 201 / 6 Update 211
  if (
    ver =~ '^1\\.6\\.0_([0-9]|[0-9][0-9]|1[0-9][0-9]|20[0-9]|210)([^0-9]|$)' ||
    ver =~ '^1\\.7\\.0_([0-9]|[0-9][0-9]|1[0-9][0-9]|200)([^0-9]|$)' ||
    ver =~ '^1\\.8\\.0_([0-9]|[0-9][0-9]|1[0-8][0-9]|190)([^0-9]|$)' ||
    ver =~ '^1\\.11\\.0_(0[0]|0?[0])([^0-9]|$)'
  )
  {
    dirs = make_list(get_kb_list(install));
    vuln += max_index(dirs);

    foreach dir (dirs)
      info += '\n  Path              : ' + dir;

    info += '\n  Installed version : ' + ver;
    info += '\n  Fixed version     : 1.6.0_211 / 1.7.0_201 / 1.8.0_191 / 1.11.0_1\n';
  }
}

# Report if any were found to be vulnerable.
if (info)
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  if (report_verbosity > 0)
  {
    if (vuln > 1) s = "s of Java are";
    else s = " of Java is";

    report =
      '\n' +
      'The following vulnerable instance'+s+' installed on the\n' +
      'remote host :\n' +
      info;
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else
{
  installed_versions = substr(installed_versions, 3);
  if (" & " >< installed_versions)
    exit(0, "The Java "+installed_versions+" installations on the remote host are not affected.");
  else
    audit(AUDIT_INST_VER_NOT_VULN, "Java", installed_versions);
}