Search...

RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0963)

2013-06-21T00:00:00

ID REDHAT-RHSA-2013-0963.NASL
Type nessus
Reporter This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.
Modified 2013-06-21T00:00:00

Description

Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3744)

Red Hat would like to thank Tim Brown for reporting CVE-2013-1500, and US-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the original reporter of CVE-2013-1571.

All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 25 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

                                        
                                            #%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2013:0963. The text 
# itself is copyright (C) Red Hat, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(66948);
  script_version("1.25");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  script_cve_id("CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2400", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2437", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2445", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2449", "CVE-2013-2450", "CVE-2013-2451", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2460", "CVE-2013-2461", "CVE-2013-2462", "CVE-2013-2463", "CVE-2013-2464", "CVE-2013-2465", "CVE-2013-2466", "CVE-2013-2468", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473", "CVE-2013-3744");
  script_xref(name:"RHSA", value:"2013:0963");

  script_name(english:"RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0963)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated java-1.7.0-oracle packages that fix several security issues
are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having
critical security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

Oracle Java SE version 7 includes the Oracle Java Runtime Environment
and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE
Critical Patch Update Advisory page, listed in the References section.
(CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407,
CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443,
CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447,
CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,
CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455,
CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459,
CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468,
CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472,
CVE-2013-2473, CVE-2013-3744)

Red Hat would like to thank Tim Brown for reporting CVE-2013-1500, and
US-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as
the original reporter of CVE-2013-1571.

All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 25 and resolve these
issues. All running instances of Oracle Java must be restarted for the
update to take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-1500.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-1571.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2400.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2407.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2412.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2437.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2442.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2443.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2444.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2445.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2446.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2447.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2448.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2449.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2450.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2451.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2452.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2453.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2454.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2455.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2456.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2457.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2458.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2459.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2460.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2461.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2462.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2463.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2464.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2465.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2466.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2468.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2469.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2470.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2471.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2472.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-2473.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2013-3744.html"
  );
  # http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a094a6d7"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://rhn.redhat.com/errata/RHSA-2013-0963.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.9");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.4");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" &gt;!&lt; release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! ereg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" &gt;!&lt; cpu && cpu !~ "^i[3-6]86$" && "s390" &gt;!&lt; cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

flag = 0;
if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-oracle-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-oracle-devel-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-devel-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-oracle-javafx-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-javafx-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-oracle-jdbc-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-jdbc-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-oracle-plugin-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-plugin-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"i386", reference:"java-1.7.0-oracle-src-1.7.0.25-1jpp.1.el5_9")) flag++;

if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.7.0-oracle-src-1.7.0.25-1jpp.1.el5_9")) flag++;


if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-devel-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-devel-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-javafx-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-javafx-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-jdbc-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-jdbc-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-plugin-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-plugin-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.7.0-oracle-src-1.7.0.25-1jpp.1.el6_4")) flag++;

if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.7.0-oracle-src-1.7.0.25-1jpp.1.el6_4")) flag++;



if (flag)
{
  if (report_verbosity &gt; 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-oracle / java-1.7.0-oracle-devel / etc");
}

JSON Vulners Source

Initial Source

{"id": "REDHAT-RHSA-2013-0963.NASL", "bulletinFamily": "scanner", "title": "RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0963)", "description": "Updated java-1.7.0-oracle packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE\nCritical Patch Update Advisory page, listed in the References section.\n(CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407,\nCVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443,\nCVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447,\nCVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,\nCVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455,\nCVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459,\nCVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463,\nCVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468,\nCVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472,\nCVE-2013-2473, CVE-2013-3744)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 25 and resolve these\nissues. All running instances of Oracle Java must be restarted for the\nupdate to take effect.", "published": "2013-06-21T00:00:00", "modified": "2013-06-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/66948", "reporter": "This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.", "references": ["https://www.redhat.com/security/data/cve/CVE-2013-2407.html", "https://www.redhat.com/security/data/cve/CVE-2013-2460.html", "https://www.redhat.com/security/data/cve/CVE-2013-2466.html", "https://www.redhat.com/security/data/cve/CVE-2013-2461.html", "https://www.redhat.com/security/data/cve/CVE-2013-2400.html", "https://www.redhat.com/security/data/cve/CVE-2013-2465.html", "https://www.redhat.com/security/data/cve/CVE-2013-2446.html", "https://www.redhat.com/security/data/cve/CVE-2013-2443.html", "https://www.redhat.com/security/data/cve/CVE-2013-2455.html", "https://www.redhat.com/security/data/cve/CVE-2013-2468.html", "https://www.redhat.com/security/data/cve/CVE-2013-2451.html", "https://www.redhat.com/security/data/cve/CVE-2013-2473.html", "https://www.redhat.com/security/data/cve/CVE-2013-2412.html", "http://rhn.redhat.com/errata/RHSA-2013-0963.html", "http://www.nessus.org/u?a094a6d7", "https://www.redhat.com/security/data/cve/CVE-2013-2445.html", "https://www.redhat.com/security/data/cve/CVE-2013-3744.html", "https://www.redhat.com/security/data/cve/CVE-2013-2456.html", "https://www.redhat.com/security/data/cve/CVE-2013-2448.html", "https://www.redhat.com/security/data/cve/CVE-2013-2449.html", "https://www.redhat.com/security/data/cve/CVE-2013-1571.html", "https://www.redhat.com/security/data/cve/CVE-2013-2462.html", "https://www.redhat.com/security/data/cve/CVE-2013-2469.html", "https://www.redhat.com/security/data/cve/CVE-2013-2457.html", "https://www.redhat.com/security/data/cve/CVE-2013-2444.html", "https://www.redhat.com/security/data/cve/CVE-2013-2458.html", "https://www.redhat.com/security/data/cve/CVE-2013-2464.html", "https://www.redhat.com/security/data/cve/CVE-2013-2442.html", "https://www.redhat.com/security/data/cve/CVE-2013-2450.html", "https://www.redhat.com/security/data/cve/CVE-2013-2463.html", "https://www.redhat.com/security/data/cve/CVE-2013-2459.html", "https://www.redhat.com/security/data/cve/CVE-2013-2470.html", "https://www.redhat.com/security/data/cve/CVE-2013-2437.html", "https://www.redhat.com/security/data/cve/CVE-2013-2452.html", "https://www.redhat.com/security/data/cve/CVE-2013-2453.html", "https://www.redhat.com/security/data/cve/CVE-2013-2454.html", "https://www.redhat.com/security/data/cve/CVE-2013-2447.html", "https://www.redhat.com/security/data/cve/CVE-2013-1500.html", "https://www.redhat.com/security/data/cve/CVE-2013-2472.html", "https://www.redhat.com/security/data/cve/CVE-2013-2471.html"], "cvelist": ["CVE-2013-2468", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2462", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2400", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-3744", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449", "CVE-2013-2466"], "type": "nessus", "lastseen": "2021-01-17T13:12:37", "edition": 21, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2013:1014", "RHSA-2013:0958", "RHSA-2013:1060", "RHSA-2013:1081", "RHSA-2013:0957", "RHSA-2013:0963", "RHSA-2013:1059"]}, {"type": "centos", "idList": ["CESA-2013:1014", "CESA-2013:0958", "CESA-2013:0957"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-0957", "ELSA-2013-1014", "ELSA-2013-0958"]}, {"type": "amazon", "idList": ["ALAS-2013-207", "ALAS-2013-204"]}, {"type": "openvas", "idList": ["OPENVAS:871009", "OPENVAS:1361412562310871010", "OPENVAS:1361412562310123608", "OPENVAS:1361412562310881751", "OPENVAS:881751", "OPENVAS:881752", "OPENVAS:1361412562310123607", "OPENVAS:1361412562310881752", "OPENVAS:871010", "OPENVAS:1361412562310120023"]}, {"type": "nessus", "idList": ["SL_20130620_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "MANDRIVA_MDVSA-2013-183.NASL", "REDHAT-RHSA-2013-0958.NASL", "REDHAT-RHSA-2013-0957.NASL", "ORACLELINUX_ELSA-2013-0958.NASL", "CENTOS_RHSA-2013-0958.NASL", "SL_20130620_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "ORACLELINUX_ELSA-2013-0957.NASL", "CENTOS_RHSA-2013-0957.NASL", "ALA_ALAS-2013-204.NASL"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1254-1", "SUSE-SU-2013:1257-1", "SUSE-SU-2013:1305-1", "SUSE-SU-2013:1293-1", "SUSE-SU-2013:1263-1", "SUSE-SU-2013:1238-1", "SUSE-SU-2013:1255-3", "SUSE-SU-2013:1263-2", "SUSE-SU-2013:1255-1", "SUSE-SU-2013:1255-2"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2722-1:0F82B", "DEBIAN:DSA-2727-1:34891"]}, {"type": "ubuntu", "idList": ["USN-1907-1", "USN-1907-2", "USN-1908-1"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13165"]}], "modified": "2021-01-17T13:12:37", "rev": 2}, "score": {"value": 8.4, "vector": "NONE", "modified": "2021-01-17T13:12:37", "rev": 2}, "vulnersScore": 8.4}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0963. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66948);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2400\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2437\", \"CVE-2013-2442\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2451\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2462\", \"CVE-2013-2463\", \"CVE-2013-2464\", \"CVE-2013-2465\", \"CVE-2013-2466\", \"CVE-2013-2468\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\", \"CVE-2013-3744\");\n script_xref(name:\"RHSA\", value:\"2013:0963\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0963)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-oracle packages that fix several security issues\nare now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE\nCritical Patch Update Advisory page, listed in the References section.\n(CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407,\nCVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443,\nCVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447,\nCVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,\nCVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455,\nCVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459,\nCVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463,\nCVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468,\nCVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472,\nCVE-2013-2473, CVE-2013-3744)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 25 and resolve these\nissues. All running instances of Oracle Java must be restarted for the\nupdate to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-1500.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-1571.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2400.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2407.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2412.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2437.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2442.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2443.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2444.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2445.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2446.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2447.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2448.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2449.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2450.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2451.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2452.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2453.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2454.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2455.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2456.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2457.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2458.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2459.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2460.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2461.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2462.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2463.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2464.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2465.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2466.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2468.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2469.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2470.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2471.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2472.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-2473.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-3744.html\"\n );\n # http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a094a6d7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2013-0963.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-devel-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-devel-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-javafx-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-javafx-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-plugin-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-plugin-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-src-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-src-1.7.0.25-1jpp.1.el5_9\")) flag++;\n\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-devel-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-devel-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-javafx-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-javafx-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-plugin-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-plugin-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-src-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-src-1.7.0.25-1jpp.1.el6_4\")) flag++;\n\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-oracle / java-1.7.0-oracle-devel / etc\");\n}\n", "naslFamily": "Red Hat Local Security Checks", "pluginID": "66948", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel", "cpe:/o:redhat:enterprise_linux:5.9", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin"], "scheme": null, "immutableFields": []}

{"redhat": [{"lastseen": "2019-08-13T18:45:35", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2400", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2437", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2445", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2449", "CVE-2013-2450", "CVE-2013-2451", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2460", "CVE-2013-2461", "CVE-2013-2462", "CVE-2013-2463", "CVE-2013-2464", "CVE-2013-2465", "CVE-2013-2466", "CVE-2013-2468", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473", "CVE-2013-3744"], "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412,\nCVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445,\nCVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450,\nCVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455,\nCVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460,\nCVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,\nCVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-3744)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 25 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.\n", "modified": "2018-06-07T09:04:15", "published": "2013-06-20T04:00:00", "id": "RHSA-2013:0963", "href": "https://access.redhat.com/errata/RHSA-2013:0963", "type": "redhat", "title": "(RHSA-2013:0963) Critical: java-1.7.0-oracle security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2445", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2449", "CVE-2013-2450", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2460", "CVE-2013-2461", "CVE-2013-2463", "CVE-2013-2465", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473"], "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image attribute,\nchannel, layout and raster processing in the 2D component. An untrusted\nJava application or applet could possibly use these flaws to trigger Java\nVirtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain input.\nAn attacker could use these flaws to execute arbitrary code with the\nprivileges of the user running an untrusted Java applet or application.\n(CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the Sound,\nJDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass Java\nsandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\nCVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet to\ngain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage certain\nresources and that the ObjectStreamClass of the Serialization component\ndid not properly handle circular references. An untrusted Java application\nor applet could possibly use these flaws to cause a denial of service.\n(CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain errors\nrelated to XML security and the class loader. A remote attacker could\npossibly exploit these flaws to bypass intended security mechanisms or\ndisclose potentially sensitive information and cause a denial of service.\n(CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this flaw\nto gain access to potentially sensitive information. (CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or applet\ncould possibly use this flaw to disclose potentially sensitive information.\n(CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to a\nframe injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially-crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form on\nthe site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments with\ninsecure permissions. A local attacker could use this flaw to read or write\nto the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2017-09-08T12:19:38", "published": "2013-06-19T04:00:00", "id": "RHSA-2013:0958", "href": "https://access.redhat.com/errata/RHSA-2013:0958", "type": "redhat", "title": "(RHSA-2013:0958) Important: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:36", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2445", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2449", "CVE-2013-2450", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2460", "CVE-2013-2461", "CVE-2013-2463", "CVE-2013-2465", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473"], "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image attribute,\nchannel, layout and raster processing in the 2D component. An untrusted\nJava application or applet could possibly use these flaws to trigger Java\nVirtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain input.\nAn attacker could use these flaws to execute arbitrary code with the\nprivileges of the user running an untrusted Java applet or application.\n(CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the Sound,\nJDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass Java\nsandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\nCVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet to\ngain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage certain\nresources and that the ObjectStreamClass of the Serialization component\ndid not properly handle circular references. An untrusted Java application\nor applet could possibly use these flaws to cause a denial of service.\n(CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain errors\nrelated to XML security and the class loader. A remote attacker could\npossibly exploit these flaws to bypass intended security mechanisms or\ndisclose potentially sensitive information and cause a denial of service.\n(CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this flaw\nto gain access to potentially sensitive information. (CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or applet\ncould possibly use this flaw to disclose potentially sensitive information.\n(CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to a\nframe injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially-crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form on\nthe site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments with\ninsecure permissions. A local attacker could use this flaw to read or write\nto the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAfter installing this update, users of icedtea-web must install\nRHBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10. Refer to\nthe NEWS file, linked to in the References, for further information.\n", "modified": "2018-06-06T20:24:18", "published": "2013-06-19T04:00:00", "id": "RHSA-2013:0957", "href": "https://access.redhat.com/errata/RHSA-2013:0957", "type": "redhat", "title": "(RHSA-2013:0957) Critical: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:03", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2445", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2450", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2459", "CVE-2013-2461", "CVE-2013-2463", "CVE-2013-2465", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473"], "description": "These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image attribute,\nchannel, layout and raster processing in the 2D component. An untrusted\nJava application or applet could possibly use these flaws to trigger Java\nVirtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain input.\nAn attacker could use these flaws to execute arbitrary code with the\nprivileges of the user running an untrusted Java applet or application.\n(CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the Sound and\nJMX components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. (CVE-2013-2448,\nCVE-2013-2457, CVE-2013-2453)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet to\ngain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage certain\nresources and that the ObjectStreamClass of the Serialization component\ndid not properly handle circular references. An untrusted Java application\nor applet could possibly use these flaws to cause a denial of service.\n(CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain errors\nrelated to XML security and the class loader. A remote attacker could\npossibly exploit these flaws to bypass intended security mechanisms or\ndisclose potentially sensitive information and cause a denial of service.\n(CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this flaw\nto gain access to potentially sensitive information. (CVE-2013-2412)\n\nIt was found that documentation generated by Javadoc was vulnerable to a\nframe injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially-crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form on\nthe site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments with\ninsecure permissions. A local attacker could use this flaw to read or write\nto the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank US-CERT for reporting CVE-2013-1571, and Tim\nBrown for reporting CVE-2013-1500. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:18", "published": "2013-07-03T04:00:00", "id": "RHSA-2013:1014", "href": "https://access.redhat.com/errata/RHSA-2013:1014", "type": "redhat", "title": "(RHSA-2013:1014) Important: java-1.6.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:33:22", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2437", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2450", "CVE-2013-2451", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2459", "CVE-2013-2463", "CVE-2013-2464", "CVE-2013-2465", "CVE-2013-2466", "CVE-2013-2468", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473", "CVE-2013-3009", "CVE-2013-3011", "CVE-2013-3012", "CVE-2013-3743", "CVE-2013-4002"], "description": "IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2013-1500, CVE-2013-1571,\nCVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443,\nCVE-2013-2444, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450,\nCVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455,\nCVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464,\nCVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 6 SR14 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "modified": "2018-06-07T09:04:24", "published": "2013-07-15T04:00:00", "id": "RHSA-2013:1059", "href": "https://access.redhat.com/errata/RHSA-2013:1059", "type": "redhat", "title": "(RHSA-2013:1059) Critical: java-1.6.0-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:31:34", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2400", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2437", "CVE-2013-2442", "CVE-2013-2444", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2449", "CVE-2013-2450", "CVE-2013-2451", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2460", "CVE-2013-2462", "CVE-2013-2463", "CVE-2013-2464", "CVE-2013-2465", "CVE-2013-2466", "CVE-2013-2468", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473", "CVE-2013-3006", "CVE-2013-3007", "CVE-2013-3008", "CVE-2013-3009", "CVE-2013-3010", "CVE-2013-3011", "CVE-2013-3012", "CVE-2013-3744", "CVE-2013-4002"], "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2013-1500, CVE-2013-1571,\nCVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442,\nCVE-2013-2444, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449,\nCVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454,\nCVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459,\nCVE-2013-2460, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,\nCVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-3744)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR5 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "modified": "2018-06-07T09:04:24", "published": "2013-07-15T04:00:00", "id": "RHSA-2013:1060", "href": "https://access.redhat.com/errata/RHSA-2013:1060", "type": "redhat", "title": "(RHSA-2013:1060) Critical: java-1.7.0-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:33:04", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2450", "CVE-2013-2452", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2459", "CVE-2013-2463", "CVE-2013-2464", "CVE-2013-2465", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473", "CVE-2013-3009", "CVE-2013-3011", "CVE-2013-3012", "CVE-2013-3743", "CVE-2013-4002"], "description": "IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2013-1500, CVE-2013-1571,\nCVE-2013-2443, CVE-2013-2444, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448,\nCVE-2013-2450, CVE-2013-2452, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456,\nCVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,\nCVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,\nCVE-2013-3743)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP3 release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "modified": "2018-06-07T09:04:37", "published": "2013-07-16T04:00:00", "id": "RHSA-2013:1081", "href": "https://access.redhat.com/errata/RHSA-2013:1081", "type": "redhat", "title": "(RHSA-2013:1081) Important: java-1.5.0-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:28:08", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "**CentOS Errata and Security Advisory** CESA-2013:0958\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image attribute,\nchannel, layout and raster processing in the 2D component. An untrusted\nJava application or applet could possibly use these flaws to trigger Java\nVirtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain input.\nAn attacker could use these flaws to execute arbitrary code with the\nprivileges of the user running an untrusted Java applet or application.\n(CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the Sound,\nJDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass Java\nsandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\nCVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet to\ngain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage certain\nresources and that the ObjectStreamClass of the Serialization component\ndid not properly handle circular references. An untrusted Java application\nor applet could possibly use these flaws to cause a denial of service.\n(CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain errors\nrelated to XML security and the class loader. A remote attacker could\npossibly exploit these flaws to bypass intended security mechanisms or\ndisclose potentially sensitive information and cause a denial of service.\n(CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this flaw\nto gain access to potentially sensitive information. (CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or applet\ncould possibly use this flaw to disclose potentially sensitive information.\n(CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to a\nframe injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially-crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form on\nthe site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments with\ninsecure permissions. A local attacker could use this flaw to read or write\nto the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-June/031835.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0958.html", "edition": 3, "modified": "2013-06-20T06:46:44", "published": "2013-06-20T06:46:44", "href": "http://lists.centos.org/pipermail/centos-announce/2013-June/031835.html", "id": "CESA-2013:0958", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:26:28", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "**CentOS Errata and Security Advisory** CESA-2013:0957\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image attribute,\nchannel, layout and raster processing in the 2D component. An untrusted\nJava application or applet could possibly use these flaws to trigger Java\nVirtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain input.\nAn attacker could use these flaws to execute arbitrary code with the\nprivileges of the user running an untrusted Java applet or application.\n(CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the Sound,\nJDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass Java\nsandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\nCVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet to\ngain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage certain\nresources and that the ObjectStreamClass of the Serialization component\ndid not properly handle circular references. An untrusted Java application\nor applet could possibly use these flaws to cause a denial of service.\n(CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain errors\nrelated to XML security and the class loader. A remote attacker could\npossibly exploit these flaws to bypass intended security mechanisms or\ndisclose potentially sensitive information and cause a denial of service.\n(CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this flaw\nto gain access to potentially sensitive information. (CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or applet\ncould possibly use this flaw to disclose potentially sensitive information.\n(CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to a\nframe injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially-crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form on\nthe site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments with\ninsecure permissions. A local attacker could use this flaw to read or write\nto the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAfter installing this update, users of icedtea-web must install\nRHBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10. Refer to\nthe NEWS file, linked to in the References, for further information.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-June/031834.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0957.html", "edition": 3, "modified": "2013-06-20T06:43:01", "published": "2013-06-20T06:43:01", "href": "http://lists.centos.org/pipermail/centos-announce/2013-June/031834.html", "id": "CESA-2013:0957", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:24:36", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445"], "description": "**CentOS Errata and Security Advisory** CESA-2013:1014\n\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image attribute,\nchannel, layout and raster processing in the 2D component. An untrusted\nJava application or applet could possibly use these flaws to trigger Java\nVirtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain input.\nAn attacker could use these flaws to execute arbitrary code with the\nprivileges of the user running an untrusted Java applet or application.\n(CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the Sound and\nJMX components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass Java sandbox restrictions. (CVE-2013-2448,\nCVE-2013-2457, CVE-2013-2453)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet to\ngain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage certain\nresources and that the ObjectStreamClass of the Serialization component\ndid not properly handle circular references. An untrusted Java application\nor applet could possibly use these flaws to cause a denial of service.\n(CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain errors\nrelated to XML security and the class loader. A remote attacker could\npossibly exploit these flaws to bypass intended security mechanisms or\ndisclose potentially sensitive information and cause a denial of service.\n(CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this flaw\nto gain access to potentially sensitive information. (CVE-2013-2412)\n\nIt was found that documentation generated by Javadoc was vulnerable to a\nframe injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially-crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form on\nthe site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments with\ninsecure permissions. A local attacker could use this flaw to read or write\nto the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank US-CERT for reporting CVE-2013-1571, and Tim\nBrown for reporting CVE-2013-1500. US-CERT acknowledges Oracle as the\noriginal reporter of CVE-2013-1571.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-July/031872.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-July/031873.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1014.html", "edition": 3, "modified": "2013-07-04T10:17:25", "published": "2013-07-04T10:07:44", "href": "http://lists.centos.org/pipermail/centos-announce/2013-July/031872.html", "id": "CESA-2013:1014", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:44", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "[1.7.0.25-2.3.10.4.0.1.el5_9]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Enterprise Linux'\n[1.7.0.25-2.3.10.4.el5]\n- updated to newer IcedTea7-forest 2.3.10 with 8010118 fix\n- removed upstreamed patch1000 MBeanFix.patch\n- Resolves: rhbz#973117\n[1.7.0.25-2.3.10.3.el5]\n- reverted fix for license files owning\n- Resolves: rhbz#973117\n[1.7.0.25-2.3.10.2.el5]\n- added patch1000 MBeanFix.patch to fix regressions caused by security patches\n- Resolves: rhbz#973117\n[1.7.0.25-2.3.10.1.el6]\n- build bumped to 25\n- Resolves: rhbz#973117\n[1.7.0.19-2.3.10.0.el5]\n- Updated to latest IcedTea7-forest 2.3.10\n- patch 107 renamed to 500 for cosmetic purposes\n- Added fix for RH857717, owned /etc/.java/ and /etc/.java/.systemPrefs\n- Resolves: rhbz#973117\n[1.7.0.19-2.3.10.0.el5]\n- Updated to latest IcedTea7-forest 2.3.10\n- Resolves: rhbz#973117", "edition": 4, "modified": "2013-06-19T00:00:00", "published": "2013-06-19T00:00:00", "id": "ELSA-2013-0958", "href": "http://linux.oracle.com/errata/ELSA-2013-0958.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:55", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "[1.7.0.25-2.3.10.3.0.1.el6_4]\n- Update DISTRO_NAME in specfile\n[1.7.0.25-2.3.10.3.el6]\n- removed upstreamed patch1000 MBeanFix.patch\n- updated to newer IcedTea7-forest 2.3.10 with 8010118 fix\n- Resolves: rhbz#973119\n[1.7.0.25-2.3.10.2.el6]\n- added patch1000 MBeanFix.patch to fix regressions caused by security patches\n- Resolves: rhbz#973119\n[1.7.0.25-2.3.10.1.el6]\n- build bumped to 25\n- Resolves: rhbz#973119\n[1.7.0.19-2.3.10.0.el6]\n- Updated to latest IcedTea7-forest 2.3.10\n- patch 107 renamed to 500 for cosmetic purposes\n- improved handling of patch111 - nss-config-2.patch\n- removed patch 117, java-1.7.0-openjdk-nss-multiplePKCS11libraryInitialisationNnonCritical.patch\n duplicated with patch 108 (java-1.7.0-openjdk-nss-icedtea-e9c857dcb964)\n- Added client/server directories so they can be owned\n- Added fix for RH857717, owned /etc/.java/ and /etc/.java/.systemPrefs\n- Resolves: rhbz#973119", "edition": 4, "modified": "2013-06-19T00:00:00", "published": "2013-06-19T00:00:00", "id": "ELSA-2013-0957", "href": "http://linux.oracle.com/errata/ELSA-2013-0957.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:00", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445"], "description": "[1:1.6.0.0-1.62.1.11.11.90]\n- updated to icedtea6-1.11.11.90.tar.gz\n- removed upstreamed patch9 jaxp-backport-factoryfinder.patch\n- removed upstreamed patch10 fixToFontSecurityFix.patch.\n- modified patch3, java-1.6.0-openjdk-java-access-bridge-security.patch\n- Resolves: rhbz#973129", "edition": 4, "modified": "2013-07-03T00:00:00", "published": "2013-07-03T00:00:00", "id": "ELSA-2013-1014", "href": "http://linux.oracle.com/errata/ELSA-2013-1014.html", "title": "java-1.6.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-17T13:12:37", "description": "Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAfter installing this update, users of icedtea-web must install\nRHBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.", "edition": 25, "published": "2013-06-20T00:00:00", "title": "RHEL 6 : java-1.7.0-openjdk (RHSA-2013:0957)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-06-20T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc"], "id": "REDHAT-RHSA-2013-0957.NASL", "href": "https://www.tenable.com/plugins/nessus/66939", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0957. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66939);\n script_version(\"1.36\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_bugtraq_id(60617, 60618, 60619, 60620, 60622, 60623, 60627, 60629, 60632, 60633, 60634, 60635, 60638, 60639, 60640, 60641, 60644, 60645, 60646, 60647, 60650, 60651, 60652, 60653, 60655, 60656, 60657, 60658, 60659);\n script_xref(name:\"RHSA\", value:\"2013:0957\");\n\n script_name(english:\"RHEL 6 : java-1.7.0-openjdk (RHSA-2013:0957)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAfter installing this update, users of icedtea-web must install\nRHBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\"\n );\n # http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2.3.10/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34eca3ff\"\n );\n # https://rhn.redhat.com/errata/RHBA-2013-0959.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHBA-2013:0959\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2454\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2455\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2456\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2450\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2452\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2453\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2458\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2470\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2471\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2473\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2446\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2463\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2407\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1500\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2449\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2448\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2469\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2443\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2461\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2444\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0957\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:47:37", "description": "Multiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout- of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAfter installing this update, users of icedtea-web must install\nSLBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.", "edition": 15, "published": "2013-06-21T00:00:00", "title": "Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20130620)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-06-21T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:icedtea-web", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk", "p-cpe:/a:fermilab:scientific_linux:icedtea-web-javadoc", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo"], "id": "SL_20130620_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/66951", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66951);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20130620)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout- of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAfter installing this update, users of icedtea-web must install\nSLBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1306&L=scientific-linux-errata&T=0&P=1587\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b80d2530\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:icedtea-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:icedtea-web-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"icedtea-web-1.2.3-4.el6_4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"icedtea-web-javadoc-1.2.3-4.el6_4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-web / icedtea-web-javadoc / java-1.7.0-openjdk / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:28:46", "description": "Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAfter installing this update, users of icedtea-web must install\nRHBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.", "edition": 24, "published": "2013-06-21T00:00:00", "title": "CentOS 6 : java-1.7.0-openjdk (CESA-2013:0957)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-06-21T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc"], "id": "CENTOS_RHSA-2013-0957.NASL", "href": "https://www.tenable.com/plugins/nessus/66946", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0957 and \n# CentOS Errata and Security Advisory 2013:0957 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66946);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_bugtraq_id(60617, 60618, 60619, 60620, 60622, 60623, 60627, 60629, 60632, 60633, 60634, 60635, 60638, 60639, 60640, 60641, 60644, 60645, 60646, 60647, 60650, 60651, 60652, 60653, 60655, 60656, 60657, 60658, 60659);\n script_xref(name:\"RHSA\", value:\"2013:0957\");\n\n script_name(english:\"CentOS 6 : java-1.7.0-openjdk (CESA-2013:0957)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAfter installing this update, users of icedtea-web must install\nRHBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-June/019796.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a3d64f61\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2459\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:12:37", "description": "Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 24, "published": "2013-06-20T00:00:00", "title": "RHEL 5 : java-1.7.0-openjdk (RHSA-2013:0958)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-06-20T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc"], "id": "REDHAT-RHSA-2013-0958.NASL", "href": "https://www.tenable.com/plugins/nessus/66940", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0958. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66940);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_bugtraq_id(60617, 60618, 60619, 60620, 60622, 60623, 60627, 60629, 60632, 60633, 60634, 60635, 60638, 60639, 60640, 60641, 60644, 60645, 60646, 60647, 60650, 60651, 60652, 60653, 60655, 60656, 60657, 60658, 60659);\n script_xref(name:\"RHSA\", value:\"2013:0958\");\n\n script_name(english:\"RHEL 5 : java-1.7.0-openjdk (RHSA-2013:0958)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2.3.10/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34eca3ff\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0958\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2454\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2455\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2456\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2450\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2452\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2453\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2458\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2470\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2471\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2473\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2446\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2463\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2407\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1500\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2449\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2448\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2469\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2443\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2461\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2444\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0958\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T01:22:49", "description": "Multiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470 ,\nCVE-2013-2471 , CVE-2013-2472 , CVE-2013-2473 , CVE-2013-2463 ,\nCVE-2013-2465 , CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448 , CVE-2013-2454 ,\nCVE-2013-2458 , CVE-2013-2457 , CVE-2013-2453 , CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456 ,\nCVE-2013-2447 , CVE-2013-2455 , CVE-2013-2452 , CVE-2013-2443 ,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444 , CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407 , CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)", "edition": 26, "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-204)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.7.0-openjdk", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2013-204.NASL", "href": "https://www.tenable.com/plugins/nessus/69762", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-204.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69762);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/07/10 16:04:12\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_xref(name:\"ALAS\", value:\"2013-204\");\n script_xref(name:\"RHSA\", value:\"2013:0957\");\n\n script_name(english:\"Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-204)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470 ,\nCVE-2013-2471 , CVE-2013-2472 , CVE-2013-2473 , CVE-2013-2463 ,\nCVE-2013-2465 , CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448 , CVE-2013-2454 ,\nCVE-2013-2458 , CVE-2013-2457 , CVE-2013-2453 , CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456 ,\nCVE-2013-2447 , CVE-2013-2455 , CVE-2013-2452 , CVE-2013-2443 ,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444 , CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407 , CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-204.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.7.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.3.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.29.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:47:59", "description": "From Red Hat Security Advisory 2013:0958 :\n\nUpdated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 21, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : java-1.7.0-openjdk (ELSA-2013-0958)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk"], "id": "ORACLELINUX_ELSA-2013-0958.NASL", "href": "https://www.tenable.com/plugins/nessus/68837", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0958 and \n# Oracle Linux Security Advisory ELSA-2013-0958 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68837);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_bugtraq_id(60617, 60618, 60619, 60620, 60622, 60623, 60627, 60629, 60632, 60633, 60634, 60635, 60638, 60639, 60640, 60641, 60644, 60645, 60646, 60647, 60650, 60651, 60652, 60653, 60655, 60656, 60657, 60658, 60659);\n script_xref(name:\"RHSA\", value:\"2013:0958\");\n\n script_name(english:\"Oracle Linux 5 : java-1.7.0-openjdk (ELSA-2013-0958)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:0958 :\n\nUpdated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-June/003537.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.4.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.4.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.4.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.4.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.4.0.1.el5_9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:54:13", "description": "Updated java-1.7.0-openjdk packages fix multiple security\nvulnerabilities\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469).\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication (CVE-2013-2459).\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460).\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446).\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine\n(CVE-2013-2445).\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service (CVE-2013-2444, CVE-2013-2450).\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service (CVE-2013-2407, CVE-2013-2461).\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information\n(CVE-2013-2412).\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation (CVE-2013-2449).\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation (CVE-2013-1571).\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment (CVE-2013-1500).", "edition": 25, "published": "2013-06-28T00:00:00", "title": "Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:183)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-06-28T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-src", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-devel", "p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-javadoc"], "id": "MANDRIVA_MDVSA-2013-183.NASL", "href": "https://www.tenable.com/plugins/nessus/67012", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:183. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67012);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_bugtraq_id(60617, 60618, 60619, 60620, 60622, 60623, 60627, 60629, 60632, 60633, 60634, 60635, 60638, 60639, 60640, 60641, 60644, 60645, 60646, 60647, 60650, 60651, 60652, 60653, 60655, 60656, 60657, 60658, 60659);\n script_xref(name:\"MDVSA\", value:\"2013:183\");\n\n script_name(english:\"Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:183)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages fix multiple security\nvulnerabilities\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469).\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication (CVE-2013-2459).\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460).\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446).\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine\n(CVE-2013-2445).\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service (CVE-2013-2444, CVE-2013-2450).\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service (CVE-2013-2407, CVE-2013-2461).\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information\n(CVE-2013-2412).\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation (CVE-2013-2449).\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation (CVE-2013-1571).\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment (CVE-2013-1500).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2013-0185.html\"\n );\n # http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a094a6d7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://rhn.redhat.com/errata/RHBA-2013-0959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0957\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:28:46", "description": "Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 24, "published": "2013-06-21T00:00:00", "title": "CentOS 5 : java-1.7.0-openjdk (CESA-2013:0958)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-06-21T00:00:00", "cpe": ["p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc"], "id": "CENTOS_RHSA-2013-0958.NASL", "href": "https://www.tenable.com/plugins/nessus/66947", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0958 and \n# CentOS Errata and Security Advisory 2013:0958 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66947);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_bugtraq_id(60617, 60618, 60619, 60620, 60622, 60623, 60627, 60629, 60632, 60633, 60634, 60635, 60638, 60639, 60640, 60641, 60644, 60645, 60646, 60647, 60650, 60651, 60652, 60653, 60655, 60656, 60657, 60658, 60659);\n script_xref(name:\"RHSA\", value:\"2013:0958\");\n\n script_name(english:\"CentOS 5 : java-1.7.0-openjdk (CESA-2013:0958)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-June/019797.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f9119246\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2459\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:47:59", "description": "From Red Hat Security Advisory 2013:0957 :\n\nUpdated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAfter installing this update, users of icedtea-web must install\nRHBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.", "edition": 21, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2013-0957)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-07-12T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk"], "id": "ORACLELINUX_ELSA-2013-0957.NASL", "href": "https://www.tenable.com/plugins/nessus/68836", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0957 and \n# Oracle Linux Security Advisory ELSA-2013-0957 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68836);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_bugtraq_id(60617, 60618, 60619, 60620, 60622, 60623, 60627, 60629, 60632, 60633, 60634, 60635, 60638, 60639, 60640, 60641, 60644, 60645, 60646, 60647, 60650, 60651, 60652, 60653, 60655, 60656, 60657, 60658, 60659);\n script_xref(name:\"RHSA\", value:\"2013:0957\");\n\n script_name(english:\"Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2013-0957)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:0957 :\n\nUpdated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout-of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nRed Hat would like to thank Tim Brown for reporting CVE-2013-1500, and\nUS-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as\nthe original reporter of CVE-2013-1571.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAfter installing this update, users of icedtea-web must install\nRHBA-2013:0959 for icedtea-web to continue functioning.\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-June/003534.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.3.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.0.1.el6_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:47:37", "description": "Multiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout- of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.", "edition": 14, "published": "2013-06-21T00:00:00", "title": "Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20130620)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "modified": "2013-06-21T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo"], "id": "SL_20130620_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/66950", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66950);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20130620)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws were discovered in the ImagingLib and the image\nattribute, channel, layout and raster processing in the 2D component.\nAn untrusted Java application or applet could possibly use these flaws\nto trigger Java Virtual Machine memory corruption. (CVE-2013-2470,\nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463,\nCVE-2013-2465, CVE-2013-2469)\n\nInteger overflow flaws were found in the way AWT processed certain\ninput. An attacker could use these flaws to execute arbitrary code\nwith the privileges of the user running an untrusted Java applet or\napplication. (CVE-2013-2459)\n\nMultiple improper permission check issues were discovered in the\nSound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to\nbypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454,\nCVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA\ncomponents can be exploited by an untrusted Java application or applet\nto gain access to potentially sensitive information. (CVE-2013-2456,\nCVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,\nCVE-2013-2446)\n\nIt was discovered that the Hotspot component did not properly handle\nout- of-memory errors. An untrusted Java application or applet could\npossibly use these flaws to terminate the Java Virtual Machine.\n(CVE-2013-2445)\n\nIt was discovered that the AWT component did not properly manage\ncertain resources and that the ObjectStreamClass of the Serialization\ncomponent did not properly handle circular references. An untrusted\nJava application or applet could possibly use these flaws to cause a\ndenial of service. (CVE-2013-2444, CVE-2013-2450)\n\nIt was discovered that the Libraries component contained certain\nerrors related to XML security and the class loader. A remote attacker\ncould possibly exploit these flaws to bypass intended security\nmechanisms or disclose potentially sensitive information and cause a\ndenial of service. (CVE-2013-2407, CVE-2013-2461)\n\nIt was discovered that JConsole did not properly inform the user when\nestablishing an SSL connection failed. An attacker could exploit this\nflaw to gain access to potentially sensitive information.\n(CVE-2013-2412)\n\nIt was discovered that GnomeFileTypeDetector did not check for read\npermissions when accessing files. An untrusted Java application or\napplet could possibly use this flaw to disclose potentially sensitive\ninformation. (CVE-2013-2449)\n\nIt was found that documentation generated by Javadoc was vulnerable to\na frame injection attack. If such documentation was accessible over a\nnetwork, and a remote attacker could trick a user into visiting a\nspecially crafted URL, it would lead to arbitrary web content being\ndisplayed next to the documentation. This could be used to perform a\nphishing attack by providing frame content that spoofed a login form\non the site hosting the vulnerable documentation. (CVE-2013-1571)\n\nIt was discovered that the 2D component created shared memory segments\nwith insecure permissions. A local attacker could use this flaw to\nread or write to the shared memory segment. (CVE-2013-1500)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.10.\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1306&L=scientific-linux-errata&T=0&P=1448\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?74dee3dc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java storeImageArray() Invalid Array Indexing Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.4.el5_9\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-src-1.7.0.25-2.3.10.4.el5_9\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:36:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "Oracle Linux Local Security Checks ELSA-2013-0957", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123607", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123607", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0957", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-0957.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123607\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:06:11 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-0957\");\n script_tag(name:\"insight\", value:\"ELSA-2013-0957 - java-1.7.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-0957\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-0957.html\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.3.0.1.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.25~2.3.10.3.0.1.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.3.0.1.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.25~2.3.10.3.0.1.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.25~2.3.10.3.0.1.el6_4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-24T00:00:00", "id": "OPENVAS:1361412562310881752", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881752", "type": "openvas", "title": "CentOS Update for java CESA-2013:0958 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0958 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881752\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-24 15:02:52 +0530 (Mon, 24 Jun 2013)\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\",\n \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\",\n \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\",\n \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\",\n \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\",\n \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\",\n \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\",\n \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2013:0958 centos5\");\n\n script_xref(name:\"CESA\", value:\"2013:0958\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-June/019797.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"java on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple flaws were discovered in the ImagingLib and the image attribute,\n channel, layout and raster processing in the 2D component. An untrusted\n Java application or applet could possibly use these flaws to trigger Java\n Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\n CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\n Integer overflow flaws were found in the way AWT processed certain input.\n An attacker could use these flaws to execute arbitrary code with the\n privileges of the user running an untrusted Java applet or application.\n (CVE-2013-2459)\n\n Multiple improper permission check issues were discovered in the Sound,\n JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\n untrusted Java application or applet could use these flaws to bypass Java\n sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\n CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\n Multiple flaws in the Serialization, Networking, Libraries and CORBA\n components can be exploited by an untrusted Java application or applet to\n gain access to potentially sensitive information. (CVE-2013-2456,\n CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\n It was discovered that the Hotspot component did not properly handle\n out-of-memory errors. An untrusted Java application or applet could\n possibly use these flaws to terminate the Java Virtual Machine.\n (CVE-2013-2445)\n\n It was discovered that the AWT component did not properly manage certain\n resources and that the ObjectStreamClass of the Serialization component\n did not properly handle circular references. An untrusted Java application\n or applet could possibly use these flaws to cause a denial of service.\n (CVE-2013-2444, CVE-2013-2450)\n\n It was discovered that the Libraries component contained certain errors\n related to XML security and the class loader. A remote attacker could\n possibly exploit these flaws to bypass intended security mechanisms or\n disclose potentially sensitive information and cause a denial of service.\n (CVE-2013-2407, CVE-2013-2461)\n\n It was discovered that JConsole did not properly inform the user when\n establishing an SSL connection failed. An attacker could exploit this flaw\n to gain access to potentially sensitive information. (CVE-2013-2412)\n\n It was discovered that GnomeFileTypeDetector did not check for read\n permissions when accessing files. An untrusted Java application or applet\n could possibly use ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "Oracle Linux Local Security Checks ELSA-2013-0958", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123608", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123608", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0958", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-0958.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123608\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:06:12 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-0958\");\n script_tag(name:\"insight\", value:\"ELSA-2013-0958 - java-1.7.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-0958\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-0958.html\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\", \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\", \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\", \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\", \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\", \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\", \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\", \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.4.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.25~2.3.10.4.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.4.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.25~2.3.10.4.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.25~2.3.10.4.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-18T11:09:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "Check for the Version of java-1.7.0-openjdk", "modified": "2018-01-17T00:00:00", "published": "2013-06-24T00:00:00", "id": "OPENVAS:871010", "href": "http://plugins.openvas.org/nasl.php?oid=871010", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2013:0957-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2013:0957-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple flaws were discovered in the ImagingLib and the image attribute,\n channel, layout and raster processing in the 2D component. An untrusted\n Java application or applet could possibly use these flaws to trigger Java\n Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\n CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\n Integer overflow flaws were found in the way AWT processed certain input.\n An attacker could use these flaws to execute arbitrary code with the\n privileges of the user running an untrusted Java applet or application.\n (CVE-2013-2459)\n\n Multiple improper permission check issues were discovered in the Sound,\n JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\n untrusted Java application or applet could use these flaws to bypass Java\n sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\n CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\n Multiple flaws in the Serialization, Networking, Libraries and CORBA\n components can be exploited by an untrusted Java application or applet to\n gain access to potentially sensitive information. (CVE-2013-2456,\n CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\n It was discovered that the Hotspot component did not properly handle\n out-of-memory errors. An untrusted Java application or applet could\n possibly use these flaws to terminate the Java Virtual Machine.\n (CVE-2013-2445)\n\n It was discovered that the AWT component did not properly manage certain\n resources and that the ObjectStreamClass of the Serialization component\n did not properly handle circular references. An untrusted Java application\n or applet could possibly use these flaws to cause a denial of service.\n (CVE-2013-2444, CVE-2013-2450)\n\n It was discovered that the Libraries component contained certain errors\n related to XML security and the class loader. A remote attacker could\n possibly exploit these flaws to bypass intended security mechanisms or\n disclose potentially sensitive information and cause a denial of service.\n (CVE-2013-2407, CVE-2013-2461)\n\n It was discovered that JConsole did not properly inform the user when\n establishing an SSL connection failed. An attacker could exploit this flaw\n to gain access to potentially sensitive information. (CVE-2013-2412)\n\n It was discovered that GnomeFi ...\n\n Description truncated, for more information please check the Reference URL\";\n\n\ntag_solution = \"Please Install the Updated Packages.\";\ntag_affected = \"java-1.7.0-openjdk on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\";\n\n\nif(description)\n{\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_id(871010);\n script_version(\"$Revision: 8448 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 17:18:06 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-24 14:55:53 +0530 (Mon, 24 Jun 2013)\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\",\n \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\",\n \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\",\n \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\",\n \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\",\n \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\",\n \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\",\n \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"RedHat Update for java-1.7.0-openjdk RHSA-2013:0957-01\");\n\n script_xref(name: \"RHSA\", value: \"2013:0957-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2013-June/msg00017.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of java-1.7.0-openjdk\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.3.el6_4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.25~2.3.10.3.el6_4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.3.el6_4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-26T11:09:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "Check for the Version of java-1.7.0-openjdk", "modified": "2018-01-26T00:00:00", "published": "2013-06-24T00:00:00", "id": "OPENVAS:871009", "href": "http://plugins.openvas.org/nasl.php?oid=871009", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2013:0958-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2013:0958-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple flaws were discovered in the ImagingLib and the image attribute,\n channel, layout and raster processing in the 2D component. An untrusted\n Java application or applet could possibly use these flaws to trigger Java\n Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\n CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\n Integer overflow flaws were found in the way AWT processed certain input.\n An attacker could use these flaws to execute arbitrary code with the\n privileges of the user running an untrusted Java applet or application.\n (CVE-2013-2459)\n\n Multiple improper permission check issues were discovered in the Sound,\n JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\n untrusted Java application or applet could use these flaws to bypass Java\n sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\n CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\n Multiple flaws in the Serialization, Networking, Libraries and CORBA\n components can be exploited by an untrusted Java application or applet to\n gain access to potentially sensitive information. (CVE-2013-2456,\n CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\n It was discovered that the Hotspot component did not properly handle\n out-of-memory errors. An untrusted Java application or applet could\n possibly use these flaws to terminate the Java Virtual Machine.\n (CVE-2013-2445)\n\n It was discovered that the AWT component did not properly manage certain\n resources and that the ObjectStreamClass of the Serialization component\n did not properly handle circular references. An untrusted Java application\n or applet could possibly use these flaws to cause a denial of service.\n (CVE-2013-2444, CVE-2013-2450)\n\n It was discovered that the Libraries component contained certain errors\n related to XML security and the class loader. A remote attacker could\n possibly exploit these flaws to bypass intended security mechanisms or\n disclose potentially sensitive information and cause a denial of service.\n (CVE-2013-2407, CVE-2013-2461)\n\n It was discovered that JConsole did not properly inform the user when\n establishing an SSL connection failed. An attacker could exploit this flaw\n to gain access to potentially sensitive information. (CVE-2013-2412)\n\n It was discovered that GnomeFileTypeDetector did not check for read\n permissions when accessing files. An untrusted Jav ...\n\n Description truncated, for more information please check the Reference URL\";\n\n\ntag_affected = \"java-1.7.0-openjdk on Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(871009);\n script_version(\"$Revision: 8542 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-26 07:57:28 +0100 (Fri, 26 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-24 14:52:46 +0530 (Mon, 24 Jun 2013)\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\",\n \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\",\n \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\",\n \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\",\n \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\",\n \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\",\n \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\",\n \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for java-1.7.0-openjdk RHSA-2013:0958-01\");\n\n script_xref(name: \"RHSA\", value: \"2013:0958-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2013-June/msg00018.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of java-1.7.0-openjdk\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:51:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "Check for the Version of java", "modified": "2017-07-10T00:00:00", "published": "2013-06-24T00:00:00", "id": "OPENVAS:881751", "href": "http://plugins.openvas.org/nasl.php?oid=881751", "type": "openvas", "title": "CentOS Update for java CESA-2013:0957 centos6 ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0957 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple flaws were discovered in the ImagingLib and the image attribute,\n channel, layout and raster processing in the 2D component. An untrusted\n Java application or applet could possibly use these flaws to trigger Java\n Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\n CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\n Integer overflow flaws were found in the way AWT processed certain input.\n An attacker could use these flaws to execute arbitrary code with the\n privileges of the user running an untrusted Java applet or application.\n (CVE-2013-2459)\n\n Multiple improper permission check issues were discovered in the Sound,\n JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\n untrusted Java application or applet could use these flaws to bypass Java\n sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\n CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\n Multiple flaws in the Serialization, Networking, Libraries and CORBA\n components can be exploited by an untrusted Java application or applet to\n gain access to potentially sensitive information. (CVE-2013-2456,\n CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\n It was discovered that the Hotspot component did not properly handle\n out-of-memory errors. An untrusted Java application or applet could\n possibly use these flaws to terminate the Java Virtual Machine.\n (CVE-2013-2445)\n\n It was discovered that the AWT component did not properly manage certain\n resources and that the ObjectStreamClass of the Serialization component\n did not properly handle circular references. An untrusted Java application\n or applet could possibly use these flaws to cause a denial of service.\n (CVE-2013-2444, CVE-2013-2450)\n\n It was discovered that the Libraries component contained certain errors\n related to XML security and the class loader. A remote attacker could\n possibly exploit these flaws to bypass intended security mechanisms or\n disclose potentially sensitive information and cause a denial of service.\n (CVE-2013-2407, CVE-2013-2461)\n\n It was discovered that JConsole did not properly inform the user when\n establishing an SSL connection failed. An attacker could exploit this flaw\n to gain access to potentially sensitive information. (CVE-2013-2412)\n\n It was discovered that GnomeFileTypeDetector did not check for read\n permissions when accessing files. An untrusted Java application or applet\n could possibly use ...\n\n Description truncated, for more information please check the Reference URL\";\n\n\ntag_affected = \"java on CentOS 6\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(881751);\n script_version(\"$Revision: 6655 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:48:58 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-24 14:59:40 +0530 (Mon, 24 Jun 2013)\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\",\n \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\",\n \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\",\n \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\",\n \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\",\n \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\",\n \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\",\n \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2013:0957 centos6 \");\n\n script_xref(name: \"CESA\", value: \"2013:0957\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2013-June/019796.html\");\n script_summary(\"Check for the Version of java\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2013-06-24T00:00:00", "id": "OPENVAS:1361412562310871010", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871010", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2013:0957-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2013:0957-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_tag(name:\"affected\", value:\"java-1.7.0-openjdk on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple flaws were discovered in the ImagingLib and the image attribute,\n channel, layout and raster processing in the 2D component. An untrusted\n Java application or applet could possibly use these flaws to trigger Java\n Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\n CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\n Integer overflow flaws were found in the way AWT processed certain input.\n An attacker could use these flaws to execute arbitrary code with the\n privileges of the user running an untrusted Java applet or application.\n (CVE-2013-2459)\n\n Multiple improper permission check issues were discovered in the Sound,\n JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\n untrusted Java application or applet could use these flaws to bypass Java\n sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\n CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\n Multiple flaws in the Serialization, Networking, Libraries and CORBA\n components can be exploited by an untrusted Java application or applet to\n gain access to potentially sensitive information. (CVE-2013-2456,\n CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\n It was discovered that the Hotspot component did not properly handle\n out-of-memory errors. An untrusted Java application or applet could\n possibly use these flaws to terminate the Java Virtual Machine.\n (CVE-2013-2445)\n\n It was discovered that the AWT component did not properly manage certain\n resources and that the ObjectStreamClass of the Serialization component\n did not properly handle circular references. An untrusted Java application\n or applet could possibly use these flaws to cause a denial of service.\n (CVE-2013-2444, CVE-2013-2450)\n\n It was discovered that the Libraries component contained certain errors\n related to XML security and the class loader. A remote attacker could\n possibly exploit these flaws to bypass intended security mechanisms or\n disclose potentially sensitive information and cause a denial of service.\n (CVE-2013-2407, CVE-2013-2461)\n\n It was discovered that JConsole did not properly inform the user when\n establishing an SSL connection failed. An attacker could exploit this flaw\n to gain access to potentially sensitive information. (CVE-2013-2412)\n\n It was discovered that GnomeFi ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.871010\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-24 14:55:53 +0530 (Mon, 24 Jun 2013)\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\",\n \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\",\n \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\",\n \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\",\n \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\",\n \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\",\n \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\",\n \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"RedHat Update for java-1.7.0-openjdk RHSA-2013:0957-01\");\n\n script_xref(name:\"RHSA\", value:\"2013:0957-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-June/msg00017.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.7.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.3.el6_4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.25~2.3.10.3.el6_4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.3.el6_4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-25T10:52:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "Check for the Version of java", "modified": "2017-07-10T00:00:00", "published": "2013-06-24T00:00:00", "id": "OPENVAS:881752", "href": "http://plugins.openvas.org/nasl.php?oid=881752", "type": "openvas", "title": "CentOS Update for java CESA-2013:0958 centos5 ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0958 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple flaws were discovered in the ImagingLib and the image attribute,\n channel, layout and raster processing in the 2D component. An untrusted\n Java application or applet could possibly use these flaws to trigger Java\n Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\n CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\n Integer overflow flaws were found in the way AWT processed certain input.\n An attacker could use these flaws to execute arbitrary code with the\n privileges of the user running an untrusted Java applet or application.\n (CVE-2013-2459)\n\n Multiple improper permission check issues were discovered in the Sound,\n JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\n untrusted Java application or applet could use these flaws to bypass Java\n sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\n CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\n Multiple flaws in the Serialization, Networking, Libraries and CORBA\n components can be exploited by an untrusted Java application or applet to\n gain access to potentially sensitive information. (CVE-2013-2456,\n CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\n It was discovered that the Hotspot component did not properly handle\n out-of-memory errors. An untrusted Java application or applet could\n possibly use these flaws to terminate the Java Virtual Machine.\n (CVE-2013-2445)\n\n It was discovered that the AWT component did not properly manage certain\n resources and that the ObjectStreamClass of the Serialization component\n did not properly handle circular references. An untrusted Java application\n or applet could possibly use these flaws to cause a denial of service.\n (CVE-2013-2444, CVE-2013-2450)\n\n It was discovered that the Libraries component contained certain errors\n related to XML security and the class loader. A remote attacker could\n possibly exploit these flaws to bypass intended security mechanisms or\n disclose potentially sensitive information and cause a denial of service.\n (CVE-2013-2407, CVE-2013-2461)\n\n It was discovered that JConsole did not properly inform the user when\n establishing an SSL connection failed. An attacker could exploit this flaw\n to gain access to potentially sensitive information. (CVE-2013-2412)\n\n It was discovered that GnomeFileTypeDetector did not check for read\n permissions when accessing files. An untrusted Java application or applet\n could possibly use ...\n\n Description truncated, for more information please check the Reference URL\";\n\n\ntag_affected = \"java on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(881752);\n script_version(\"$Revision: 6655 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:48:58 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-24 15:02:52 +0530 (Mon, 24 Jun 2013)\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\",\n \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\",\n \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\",\n \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\",\n \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\",\n \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\",\n \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\",\n \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2013:0958 centos5 \");\n\n script_xref(name: \"CESA\", value: \"2013:0958\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-announce/2013-June/019797.html\");\n script_summary(\"Check for the Version of java\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.25~2.3.10.4.el5_9\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-24T00:00:00", "id": "OPENVAS:1361412562310881751", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881751", "type": "openvas", "title": "CentOS Update for java CESA-2013:0957 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0957 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881751\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-24 14:59:40 +0530 (Mon, 24 Jun 2013)\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\",\n \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\",\n \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\",\n \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\",\n \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\",\n \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\",\n \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\",\n \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for java CESA-2013:0957 centos6\");\n\n script_xref(name:\"CESA\", value:\"2013:0957\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-June/019796.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"java on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple flaws were discovered in the ImagingLib and the image attribute,\n channel, layout and raster processing in the 2D component. An untrusted\n Java application or applet could possibly use these flaws to trigger Java\n Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\n CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\n Integer overflow flaws were found in the way AWT processed certain input.\n An attacker could use these flaws to execute arbitrary code with the\n privileges of the user running an untrusted Java applet or application.\n (CVE-2013-2459)\n\n Multiple improper permission check issues were discovered in the Sound,\n JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\n untrusted Java application or applet could use these flaws to bypass Java\n sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\n CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\n Multiple flaws in the Serialization, Networking, Libraries and CORBA\n components can be exploited by an untrusted Java application or applet to\n gain access to potentially sensitive information. (CVE-2013-2456,\n CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\n It was discovered that the Hotspot component did not properly handle\n out-of-memory errors. An untrusted Java application or applet could\n possibly use these flaws to terminate the Java Virtual Machine.\n (CVE-2013-2445)\n\n It was discovered that the AWT component did not properly manage certain\n resources and that the ObjectStreamClass of the Serialization component\n did not properly handle circular references. An untrusted Java application\n or applet could possibly use these flaws to cause a denial of service.\n (CVE-2013-2444, CVE-2013-2450)\n\n It was discovered that the Libraries component contained certain errors\n related to XML security and the class loader. A remote attacker could\n possibly exploit these flaws to bypass intended security mechanisms or\n disclose potentially sensitive information and cause a denial of service.\n (CVE-2013-2407, CVE-2013-2461)\n\n It was discovered that JConsole did not properly inform the user when\n establishing an SSL connection failed. An attacker could exploit this flaw\n to gain access to potentially sensitive information. (CVE-2013-2412)\n\n It was discovered that GnomeFileTypeDetector did not check for read\n permissions when accessing files. An untrusted Java application or applet\n could possibly use ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.25~2.3.10.3.el6_4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2013-06-24T00:00:00", "id": "OPENVAS:1361412562310871009", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871009", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2013:0958-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2013:0958-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871009\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-24 14:52:46 +0530 (Mon, 24 Jun 2013)\");\n script_cve_id(\"CVE-2013-1500\", \"CVE-2013-1571\", \"CVE-2013-2407\", \"CVE-2013-2412\",\n \"CVE-2013-2443\", \"CVE-2013-2444\", \"CVE-2013-2445\", \"CVE-2013-2446\",\n \"CVE-2013-2447\", \"CVE-2013-2448\", \"CVE-2013-2449\", \"CVE-2013-2450\",\n \"CVE-2013-2452\", \"CVE-2013-2453\", \"CVE-2013-2454\", \"CVE-2013-2455\",\n \"CVE-2013-2456\", \"CVE-2013-2457\", \"CVE-2013-2458\", \"CVE-2013-2459\",\n \"CVE-2013-2460\", \"CVE-2013-2461\", \"CVE-2013-2463\", \"CVE-2013-2465\",\n \"CVE-2013-2469\", \"CVE-2013-2470\", \"CVE-2013-2471\", \"CVE-2013-2472\",\n \"CVE-2013-2473\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for java-1.7.0-openjdk RHSA-2013:0958-01\");\n\n script_xref(name:\"RHSA\", value:\"2013:0958-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-June/msg00018.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.7.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n script_tag(name:\"affected\", value:\"java-1.7.0-openjdk on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Multiple flaws were discovered in the ImagingLib and the image attribute,\n channel, layout and raster processing in the 2D component. An untrusted\n Java application or applet could possibly use these flaws to trigger Java\n Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471,\n CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469)\n\n Integer overflow flaws were found in the way AWT processed certain input.\n An attacker could use these flaws to execute arbitrary code with the\n privileges of the user running an untrusted Java applet or application.\n (CVE-2013-2459)\n\n Multiple improper permission check issues were discovered in the Sound,\n JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An\n untrusted Java application or applet could use these flaws to bypass Java\n sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,\n CVE-2013-2457, CVE-2013-2453, CVE-2013-2460)\n\n Multiple flaws in the Serialization, Networking, Libraries and CORBA\n components can be exploited by an untrusted Java application or applet to\n gain access to potentially sensitive information. (CVE-2013-2456,\n CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446)\n\n It was discovered that the Hotspot component did not properly handle\n out-of-memory errors. An untrusted Java application or applet could\n possibly use these flaws to terminate the Java Virtual Machine.\n (CVE-2013-2445)\n\n It was discovered that the AWT component did not properly manage certain\n resources and that the ObjectStreamClass of the Serialization component\n did not properly handle circular references. An untrusted Java application\n or applet could possibly use these flaws to cause a denial of service.\n (CVE-2013-2444, CVE-2013-2450)\n\n It was discovered that the Libraries component contained certain errors\n related to XML security and the class loader. A remote attacker could\n possibly exploit these flaws to bypass intended security mechanisms or\n disclose potentially sensitive information and cause a denial of service.\n (CVE-2013-2407, CVE-2013-2461)\n\n It was discovered that JConsole did not properly inform the user when\n establishing an SSL connection failed. An attacker could exploit this flaw\n to gain access to potentially sensitive information. (CVE-2013-2412)\n\n It was discovered that GnomeFileTypeDetector did not check for read\n permissions when accessing files. An untrusted Jav ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.25~2.3.10.4.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:36:03", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. ([CVE-2013-2470 __](<https://access.redhat.com/security/cve/CVE-2013-2470>), [CVE-2013-2471 __](<https://access.redhat.com/security/cve/CVE-2013-2471>), [CVE-2013-2472 __](<https://access.redhat.com/security/cve/CVE-2013-2472>), [CVE-2013-2473 __](<https://access.redhat.com/security/cve/CVE-2013-2473>), [CVE-2013-2463 __](<https://access.redhat.com/security/cve/CVE-2013-2463>), [CVE-2013-2465 __](<https://access.redhat.com/security/cve/CVE-2013-2465>), [CVE-2013-2469 __](<https://access.redhat.com/security/cve/CVE-2013-2469>))\n\nInteger overflow flaws were found in the way AWT processed certain input. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted Java applet or application. ([CVE-2013-2459 __](<https://access.redhat.com/security/cve/CVE-2013-2459>))\n\nMultiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2013-2448 __](<https://access.redhat.com/security/cve/CVE-2013-2448>), [CVE-2013-2454 __](<https://access.redhat.com/security/cve/CVE-2013-2454>), [CVE-2013-2458 __](<https://access.redhat.com/security/cve/CVE-2013-2458>), [CVE-2013-2457 __](<https://access.redhat.com/security/cve/CVE-2013-2457>), [CVE-2013-2453 __](<https://access.redhat.com/security/cve/CVE-2013-2453>), [CVE-2013-2460 __](<https://access.redhat.com/security/cve/CVE-2013-2460>))\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information. ([CVE-2013-2456 __](<https://access.redhat.com/security/cve/CVE-2013-2456>), [CVE-2013-2447 __](<https://access.redhat.com/security/cve/CVE-2013-2447>), [CVE-2013-2455 __](<https://access.redhat.com/security/cve/CVE-2013-2455>), [CVE-2013-2452 __](<https://access.redhat.com/security/cve/CVE-2013-2452>), [CVE-2013-2443 __](<https://access.redhat.com/security/cve/CVE-2013-2443>), [CVE-2013-2446 __](<https://access.redhat.com/security/cve/CVE-2013-2446>))\n\nIt was discovered that the Hotspot component did not properly handle out-of-memory errors. An untrusted Java application or applet could possibly use these flaws to terminate the Java Virtual Machine. ([CVE-2013-2445 __](<https://access.redhat.com/security/cve/CVE-2013-2445>))\n\nIt was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service. ([CVE-2013-2444 __](<https://access.redhat.com/security/cve/CVE-2013-2444>), [CVE-2013-2450 __](<https://access.redhat.com/security/cve/CVE-2013-2450>))\n\nIt was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service. ([CVE-2013-2407 __](<https://access.redhat.com/security/cve/CVE-2013-2407>), [CVE-2013-2461 __](<https://access.redhat.com/security/cve/CVE-2013-2461>))\n\nIt was discovered that JConsole did not properly inform the user when establishing an SSL connection failed. An attacker could exploit this flaw to gain access to potentially sensitive information. ([CVE-2013-2412 __](<https://access.redhat.com/security/cve/CVE-2013-2412>))\n\nIt was discovered that GnomeFileTypeDetector did not check for read permissions when accessing files. An untrusted Java application or applet could possibly use this flaw to disclose potentially sensitive information. ([CVE-2013-2449 __](<https://access.redhat.com/security/cve/CVE-2013-2449>))\n\nIt was found that documentation generated by Javadoc was vulnerable to a frame injection attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web content being displayed next to the documentation. This could be used to perform a phishing attack by providing frame content that spoofed a login form on the site hosting the vulnerable documentation. ([CVE-2013-1571 __](<https://access.redhat.com/security/cve/CVE-2013-1571>))\n\nIt was discovered that the 2D component created shared memory segments with insecure permissions. A local attacker could use this flaw to read or write to the shared memory segment. ([CVE-2013-1500 __](<https://access.redhat.com/security/cve/CVE-2013-1500>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.29.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.29.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.29.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.29.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.25-2.3.10.3.29.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.29.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.25-2.3.10.3.29.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.29.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.29.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.29.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.29.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.25-2.3.10.3.29.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-06-20T14:14:00", "published": "2013-06-20T14:14:00", "id": "ALAS-2013-204", "href": "https://alas.aws.amazon.com/ALAS-2013-204.html", "title": "Important: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:34:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445"], "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. ([CVE-2013-2470 __](<https://access.redhat.com/security/cve/CVE-2013-2470>), [CVE-2013-2471 __](<https://access.redhat.com/security/cve/CVE-2013-2471>), [CVE-2013-2472 __](<https://access.redhat.com/security/cve/CVE-2013-2472>), [CVE-2013-2473 __](<https://access.redhat.com/security/cve/CVE-2013-2473>), [CVE-2013-2463 __](<https://access.redhat.com/security/cve/CVE-2013-2463>), [CVE-2013-2465 __](<https://access.redhat.com/security/cve/CVE-2013-2465>), [CVE-2013-2469 __](<https://access.redhat.com/security/cve/CVE-2013-2469>))\n\nInteger overflow flaws were found in the way AWT processed certain input. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted Java applet or application. ([CVE-2013-2459 __](<https://access.redhat.com/security/cve/CVE-2013-2459>))\n\nMultiple improper permission check issues were discovered in the Sound and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2013-2448 __](<https://access.redhat.com/security/cve/CVE-2013-2448>), [CVE-2013-2457 __](<https://access.redhat.com/security/cve/CVE-2013-2457>), [CVE-2013-2453 __](<https://access.redhat.com/security/cve/CVE-2013-2453>))\n\nMultiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information. ([CVE-2013-2456 __](<https://access.redhat.com/security/cve/CVE-2013-2456>), [CVE-2013-2447 __](<https://access.redhat.com/security/cve/CVE-2013-2447>), [CVE-2013-2455 __](<https://access.redhat.com/security/cve/CVE-2013-2455>), [CVE-2013-2452 __](<https://access.redhat.com/security/cve/CVE-2013-2452>), [CVE-2013-2443 __](<https://access.redhat.com/security/cve/CVE-2013-2443>), [CVE-2013-2446 __](<https://access.redhat.com/security/cve/CVE-2013-2446>))\n\nIt was discovered that the Hotspot component did not properly handle out-of-memory errors. An untrusted Java application or applet could possibly use these flaws to terminate the Java Virtual Machine. ([CVE-2013-2445 __](<https://access.redhat.com/security/cve/CVE-2013-2445>))\n\nIt was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service. ([CVE-2013-2444 __](<https://access.redhat.com/security/cve/CVE-2013-2444>), [CVE-2013-2450 __](<https://access.redhat.com/security/cve/CVE-2013-2450>))\n\nIt was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service. ([CVE-2013-2407 __](<https://access.redhat.com/security/cve/CVE-2013-2407>), [CVE-2013-2461 __](<https://access.redhat.com/security/cve/CVE-2013-2461>))\n\nIt was discovered that JConsole did not properly inform the user when establishing an SSL connection failed. An attacker could exploit this flaw to gain access to potentially sensitive information. ([CVE-2013-2412 __](<https://access.redhat.com/security/cve/CVE-2013-2412>))\n\nIt was found that documentation generated by Javadoc was vulnerable to a frame injection attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web content being displayed next to the documentation. This could be used to perform a phishing attack by providing frame content that spoofed a login form on the site hosting the vulnerable documentation. ([CVE-2013-1571 __](<https://access.redhat.com/security/cve/CVE-2013-1571>))\n\nIt was discovered that the 2D component created shared memory segments with insecure permissions. A local attacker could use this flaw to read or write to the shared memory segment. ([CVE-2013-1500 __](<https://access.redhat.com/security/cve/CVE-2013-1500>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-src-1.6.0.0-62.1.11.11.90.55.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.0-62.1.11.11.90.55.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.0-62.1.11.11.90.55.amzn1.i686 \n java-1.6.0-openjdk-demo-1.6.0.0-62.1.11.11.90.55.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.0-62.1.11.11.90.55.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-62.1.11.11.90.55.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.0-62.1.11.11.90.55.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-07-12T15:31:00", "published": "2013-07-12T15:31:00", "id": "ALAS-2013-207", "href": "https://alas.aws.amazon.com/ALAS-2013-207.html", "title": "Important: java-1.6.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-08T23:31:11", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure and data integrity. An attacker could exploit these \nto expose sensitive data over the network. (CVE-2013-1500, CVE-2013-2454, \nCVE-2013-2458)\n\nA vulnerability was discovered in the OpenJDK Javadoc related to data \nintegrity. (CVE-2013-1571)\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and availability. An attacker could exploit this to cause a \ndenial of service or expose sensitive data over the network. \n(CVE-2013-2407)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. (CVE-2013-2412, CVE-2013-2443, CVE-2013-2446, \nCVE-2013-2447, CVE-2013-2449, CVE-2013-2452, CVE-2013-2456)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \navailability. An attacker could exploit these to cause a denial of service. \n(CVE-2013-2444, CVE-2013-2445, CVE-2013-2450)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. (CVE-2013-2448, CVE-2013-2451, CVE-2013-2459, CVE-2013-2460, \nCVE-2013-2461, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, \nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. (CVE-2013-2453, CVE-2013-2455, CVE-2013-2457)", "edition": 5, "modified": "2013-07-16T00:00:00", "published": "2013-07-16T00:00:00", "id": "USN-1907-1", "href": "https://ubuntu.com/security/notices/USN-1907-1", "title": "OpenJDK 7 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:41:27", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "USN-1907-1 fixed vulnerabilities in OpenJDK 7. Due to upstream changes, \nIcedTea Web needed an update to work with the new OpenJDK 7.\n\nOriginal advisory details:\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure and data integrity. An attacker could exploit these \nto expose sensitive data over the network. (CVE-2013-1500, CVE-2013-2454, \nCVE-2013-2458)\n\nA vulnerability was discovered in the OpenJDK Javadoc related to data \nintegrity. (CVE-2013-1571)\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and availability. An attacker could exploit this to cause a \ndenial of service or expose sensitive data over the network. \n(CVE-2013-2407)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. (CVE-2013-2412, CVE-2013-2443, CVE-2013-2446, \nCVE-2013-2447, CVE-2013-2449, CVE-2013-2452, CVE-2013-2456)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \navailability. An attacker could exploit these to cause a denial of service. \n(CVE-2013-2444, CVE-2013-2445, CVE-2013-2450)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. (CVE-2013-2448, CVE-2013-2451, CVE-2013-2459, CVE-2013-2460, \nCVE-2013-2461, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, \nCVE-2013-2471, CVE-2013-2472, CVE-2013-2473)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. (CVE-2013-2453, CVE-2013-2455, CVE-2013-2457)", "edition": 5, "modified": "2013-07-16T00:00:00", "published": "2013-07-16T00:00:00", "id": "USN-1907-2", "href": "https://ubuntu.com/security/notices/USN-1907-2", "title": "IcedTea Web update", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:25", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2449"], "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure and data integrity. An attacker could exploit these \nto expose sensitive data over the network. (CVE-2013-1500, CVE-2013-2454, \nCVE-2013-2458)\n\nA vulnerability was discovered in the OpenJDK Javadoc related to data \nintegrity. (CVE-2013-1571)\n\nA vulnerability was discovered in the OpenJDK JRE related to information \ndisclosure and availability. An attacker could exploit this to cause a \ndenial of service or expose sensitive data over the network. \n(CVE-2013-2407)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure. An attacker could exploit these to expose sensitive \ndata over the network. (CVE-2013-2412, CVE-2013-2443, CVE-2013-2446, \nCVE-2013-2447, CVE-2013-2449, CVE-2013-2452, CVE-2013-2456)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \navailability. An attacker could exploit these to cause a denial of service. \n(CVE-2013-2444, CVE-2013-2445, CVE-2013-2450)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to \ninformation disclosure, data integrity and availability. An attacker could \nexploit these to cause a denial of service or expose sensitive data over \nthe network. (CVE-2013-2448, CVE-2013-2451, CVE-2013-2459, CVE-2013-2461, \nCVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, \nCVE-2013-2472, CVE-2013-2473, CVE-2013-3743)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data \nintegrity. (CVE-2013-2453, CVE-2013-2455, CVE-2013-2457)", "edition": 5, "modified": "2013-07-23T00:00:00", "published": "2013-07-23T00:00:00", "id": "USN-1908-1", "href": "https://ubuntu.com/security/notices/USN-1908-1", "title": "OpenJDK 6 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:48:25", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "This update to icedtea-2.4.1 fixes various security issues:\n\n * S6741606, CVE-2013-2407: Integrate Apache Santuario\n * S7158805, CVE-2013-2445: Better rewriting of nested\n subroutine calls\n * S7170730, CVE-2013-2451: Improve Windows network\n stack support.\n * S8000638, CVE-2013-2450: Improve deserialization\n * S8000642, CVE-2013-2446: Better handling of objects\n for transportation\n * S8001033, CVE-2013-2452: Refactor network address\n handling in virtual machine identifiers\n * S8001034, CVE-2013-1500: Memory management\n improvements\n * S8001038, CVE-2013-2444: Resourcefully handle\n resources\n * S8001318, CVE-2013-2447: Socket.getLocalAddress not\n consistent with InetAddress.getLocalHost\n * S8001330, CVE-2013-2443: Improve on checking order\n (non-Zero builds only)\n * S8003703, CVE-2013-2412: Update RMI connection dialog\n box\n * S8004288, CVE-2013-2449: (fs) Files.probeContentType\n problems\n * S8006328, CVE-2013-2448: Improve robustness of sound\n classes\n * S8007812, CVE-2013-2455: (reflect)\n Class.getEnclosingMethod problematic for some classes\n * S8008120, CVE-2013-2457: Improve JMX class checking\n * S8008124, CVE-2013-2453: Better compliance testing\n * S8008132, CVE-2013-2456: Better serialization support\n * S8008744, CVE-2013-2407: Rework part of fix for\n JDK-6741606\n * S8009057, CVE-2013-2448: Improve MIDI event handling\n * S8009071, CVE-2013-2459: Improve shape handling\n * S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292\n implementation change\n * S8009554, CVE-2013-2454: Improve\n SerialJavaObject.getFields\n * S8010209, CVE-2013-2460: Better provision of factories\n * S8011243, CVE-2013-2470: Improve ImagingLib\n * S8011248, CVE-2013-2471: Better Component Rasters\n * S8011253, CVE-2013-2472: Better Short Component\n Rasters\n * S8011257, CVE-2013-2473: Better Byte Component Rasters\n * S8012375, CVE-2013-1571: Improve Javadoc framing\n * S8012438, CVE-2013-2463: Better image validation\n * S8012597, CVE-2013-2465: Better image channel\n verification\n * S8012601, CVE-2013-2469: Better validation of image\n layouts\n * S8014281, CVE-2013-2461: Better checking of XML\n signature\n", "edition": 1, "modified": "2013-07-25T16:04:14", "published": "2013-07-25T16:04:14", "id": "SUSE-SU-2013:1254-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00025.html", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:57:12", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445"], "description": "java-1_6_0-openjdk has been updated to Icedtea6-1.12.6\n version.\n\n Security fixes:\n\n * S6741606, CVE-2013-2407: Integrate Apache Santuario\n * S7158805, CVE-2013-2445: Better rewriting of nested\n subroutine calls\n * S7170730, CVE-2013-2451: Improve Windows network\n stack support.\n * S8000638, CVE-2013-2450: Improve deserialization\n * S8000642, CVE-2013-2446: Better handling of objects\n for transportation\n * S8001032: Restrict object access\n * S8001033, CVE-2013-2452: Refactor network address\n handling in virtual machine identifiers\n * S8001034, CVE-2013-1500: Memory management\n improvements\n * S8001038, CVE-2013-2444: Resourcefully handle\n resources\n * S8001043: Clarify definition restrictions\n * S8001309: Better handling of annotation interfaces\n * S8001318, CVE-2013-2447: Socket.getLocalAddress not\n consistent with InetAddress.getLocalHost\n * S8001330, CVE-2013-2443: Improve on checking order\n * S8003703, CVE-2013-2412: Update RMI connection dialog\n box\n * S8004584: Augment applet contextualization\n * S8005007: Better glyph processing\n * S8006328, CVE-2013-2448: Improve robustness of sound\n classes\n * S8006611: Improve scripting\n * S8007467: Improve robustness of JMX internal APIs\n * S8007471: Improve MBean notifications\n * S8007812, CVE-2013-2455: (reflect)\n Class.getEnclosingMethod problematic for some classes\n * S8008120, CVE-2013-2457: Improve JMX class checking\n * S8008124, CVE-2013-2453: Better compliance testing\n * S8008128: Better API coherence for JMX\n * S8008132, CVE-2013-2456: Better serialization support\n * S8008585: Better JMX data handling\n * S8008593: Better URLClassLoader resource management\n * S8008603: Improve provision of JMX providers\n", "edition": 1, "modified": "2013-07-23T22:04:14", "published": "2013-07-23T22:04:14", "id": "SUSE-SU-2013:1238-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00024.html", "title": "Security update for java-1_6_0-openjdk (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:32:47", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3012", "CVE-2013-2468", "CVE-2013-3008", "CVE-2013-3006", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2462", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-3007", "CVE-2013-2471", "CVE-2013-3010", "CVE-2013-2464", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2400", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-3744", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2460", "CVE-2013-2449", "CVE-2013-2466"], "description": "IBM Java 1.7.0 has been updated to SR5 to fix bugs and\n security issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "edition": 1, "modified": "2013-07-25T20:04:26", "published": "2013-07-25T20:04:26", "id": "SUSE-SU-2013:1257-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html", "title": "Security update for java-1_7_0-ibm (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:19:41", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3012", "CVE-2013-2468", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2466"], "description": "IBM Java 1.6.0 was updated to SR14 to fix bugs and security\n issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "edition": 1, "modified": "2013-07-30T19:04:11", "published": "2013-07-30T19:04:11", "id": "SUSE-SU-2013:1255-3", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00033.html", "type": "suse", "title": "Security update for IBM Java 1.6.0 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:59:55", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3012", "CVE-2013-2468", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2466"], "description": "IBM Java 1.6.0 has been updated to SR14 to fix bugs and\n security issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "edition": 1, "modified": "2013-07-25T20:04:13", "published": "2013-07-25T20:04:13", "id": "SUSE-SU-2013:1255-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html", "type": "suse", "title": "Security update for java-1_6_0-ibm (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:09:50", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3012", "CVE-2013-2468", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2466"], "description": "IBM Java 1.6.0 has been updated to SR14 to fix bugs and\n security issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n * check if installed qa_filelist is not empty\n (bnc#831936)\n", "edition": 1, "modified": "2013-08-06T23:04:12", "published": "2013-08-06T23:04:12", "id": "SUSE-SU-2013:1305-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html", "title": "Security update for IBM Java 1.6.0 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:56:36", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3012", "CVE-2013-2468", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2466"], "description": "IBM Java 1.6.0 has been updated to SR14 to fix bugs and\n security issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "edition": 1, "modified": "2013-07-27T17:04:18", "published": "2013-07-27T17:04:18", "id": "SUSE-SU-2013:1255-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00030.html", "title": "Security update for java-1_6_0-ibm (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:27:55", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3012", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2455"], "description": "IBM Java 1.5.0 was updated to SR16-FP3 to fix bugs and\n security issues:\n\n CVE-2013-3009, CVE-2013-3011, CVE-2013-3012, CVE-2013-4002,\n CVE-2013-2469, CVE-2013-2465, CVE-2013-2464,\n CVE-2013-2463, CVE-2013-2473, CVE-2013-2472,\n CVE-2013-2471, CVE-2013-2470, CVE-2013-2459, CVE-2013-3743,\n CVE-2013-2448, CVE-2013-2454, CVE-2013-2456,\n CVE-2013-2457, CVE-2013-2455, CVE-2013-2443,\n CVE-2013-2447, CVE-2013-2444, CVE-2013-2452, CVE-2013-2446,\n CVE-2013-2450, CVE-2013-1571, CVE-2013-1500\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n\n Additionally, the following bugs have been fixed: - Add\n Europe/Busingen to tzmappings (bnc#817062) - Mark files in\n jre/bin and bin/ as executable (bnc#823034).\n\n Security Issues:\n\n * CVE-2013-3009\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009</a>\n >\n * CVE-2013-3011\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011</a>\n >\n * CVE-2013-3012\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012</a>\n >\n * CVE-2013-2469\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469</a>\n >\n * CVE-2013-4002\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002</a>\n >\n * CVE-2013-2465\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465</a>\n >\n * CVE-2013-2464\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464</a>\n >\n * CVE-2013-2463\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463</a>\n >\n * CVE-2013-2473\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473</a>\n >\n * CVE-2013-2472\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472</a>\n >\n * CVE-2013-2471\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471</a>\n >\n * CVE-2013-2470\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470</a>\n >\n * CVE-2013-2459\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459</a>\n >\n * CVE-2013-3743\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743</a>\n >\n * CVE-2013-2448\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448</a>\n >\n * CVE-2013-2454\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454</a>\n >\n * CVE-2013-2457\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457</a>\n >\n * CVE-2013-2456\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456</a>\n >\n * CVE-2013-2455\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455</a>\n >\n * CVE-2013-2443\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443</a>\n >\n * CVE-2013-2444\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444</a>\n >\n * CVE-2013-2447\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447</a>\n >\n * CVE-2013-2452\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452</a>\n >\n * CVE-2013-2446\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446</a>\n >\n * CVE-2013-2450\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450</a>\n >\n * CVE-2013-1571\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571</a>\n >\n * CVE-2013-1500\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500</a>\n >\n\n\n", "edition": 1, "modified": "2013-07-30T17:04:11", "published": "2013-07-30T17:04:11", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00032.html", "id": "SUSE-SU-2013:1263-2", "title": "Security update for java-1_5_0-ibm (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:14:44", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3012", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2455"], "description": "IBM Java 1.5.0 was updated to SR16-FP3 to fix bugs and\n security issues:\n\n CVE-2013-3009, CVE-2013-3011, CVE-2013-3012, CVE-2013-4002\n CVE-2013-2469, CVE-2013-2465, CVE-2013-2464, CVE-2013-2463,\n CVE-2013-2473, CVE-2013-2472, CVE-2013-2471, CVE-2013-2470,\n CVE-2013-2459, CVE-2013-3743, CVE-2013-2448, CVE-2013-2454,\n CVE-2013-2456 CVE-2013-2457, CVE-2013-2455, CVE-2013-2443,\n CVE-2013-2447 CVE-2013-2444, CVE-2013-2452, CVE-2013-2446,\n CVE-2013-2450, CVE-2013-1571, CVE-2013-1500\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n\n\n", "edition": 1, "modified": "2013-08-02T23:04:12", "published": "2013-08-02T23:04:12", "id": "SUSE-SU-2013:1293-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html", "type": "suse", "title": "Security update for IBMJava5 JRE and IBMJava5 SDK (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:43:37", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3012", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2455"], "description": "IBM Java 1.5.0 has been updated to SR16-FP3 to fix bugs and\n security issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Also the following bug has been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "edition": 1, "modified": "2013-07-27T17:04:14", "published": "2013-07-27T17:04:14", "id": "SUSE-SU-2013:1263-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html", "type": "suse", "title": "Security update for java-1_5_0-ibm (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-05-30T02:22:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2722-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJuly 15, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-7\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 \n CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446 \n CVE-2013-2447 CVE-2013-2448 CVE-2013-2449 CVE-2013-2450 \n CVE-2013-2451 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454 \n CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2458 \n CVE-2013-2459 CVE-2013-2460 CVE-2013-2461 CVE-2013-2463 \n CVE-2013-2465 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 \n CVE-2013-2472 CVE-2013-2473\n\nSeveral vulnerabilities have been discovered in OpenJDK, an \nimplementation of the Oracle Java platform, resulting in the execution \nof arbitrary code, breakouts of the Java sandbox, information disclosure \nor denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 7u25-2.3.10-1~deb7u1. In addition icedtea-web needed to be\nupdated to 1.4-3~deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7u25-2.3.10-1.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n\n\n", "edition": 3, "modified": "2013-07-15T15:53:07", "published": "2013-07-15T15:53:07", "id": "DEBIAN:DSA-2722-1:0F82B", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00132.html", "title": "[SECURITY] [DSA 2722-1] openjdk-7 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:12:41", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2727-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJuly 25, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-6\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 \n CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446 \n CVE-2013-2447 CVE-2013-2448 CVE-2013-2450 CVE-2013-2451 \n CVE-2013-2452 CVE-2013-2453 CVE-2013-2455 CVE-2013-2456 \n CVE-2013-2457 CVE-2013-2459 CVE-2013-2461 CVE-2013-2463 \n CVE-2013-2465 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 \n CVE-2013-2472 CVE-2013-2473\n\nSeveral vulnerabilities have been discovered in OpenJDK, an \nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, breakouts of the Java sandbox, information disclosure\nor denial of service.\n\nFor the oldstable distribution (squeeze), these problems have been fixed in\nversion 6b27-1.12.6-1~deb6u1.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 6b27-1.12.6-1~deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 6b27-1.12.6-1.\n\nWe recommend that you upgrade your openjdk-6 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 4, "modified": "2013-07-25T21:12:25", "published": "2013-07-25T21:12:25", "id": "DEBIAN:DSA-2727-1:34891", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00137.html", "title": "[SECURITY] [DSA 2727-1] openjdk-6 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "cvelist": ["CVE-2013-2468", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2462", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-2461", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2458", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2400", "CVE-2013-2472", "CVE-2013-2467", "CVE-2013-2444", "CVE-2013-3744", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2445", "CVE-2013-2460", "CVE-2013-2449", "CVE-2013-2466"], "description": "40 different vulnerabilities", "edition": 1, "modified": "2013-08-28T00:00:00", "published": "2013-08-28T00:00:00", "id": "SECURITYVULNS:VULN:13165", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13165", "title": "Oracle Java multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}