Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2023 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2015-1241.NASL
HistoryJul 20, 2015 - 12:00 a.m.

RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2015:1241) (Bar Mitzvah) (Logjam)

2015-07-2000:00:00
This script is Copyright (C) 2015-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
33
JSON

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2015-2590, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2659, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760)

Note: With this update, Oracle JDK now disables RC4 TLS/SSL cipher suites by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug 1207101, linked to in the References section, for additional details about this change.

Note: This update forces the TLS/SSL client implementation in Oracle JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000 issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change.

All users of java-1.8.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 8 Update 51 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2015:1241. The text 
# itself is copyright (C) Red Hat, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(84871);
  script_version("2.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id(
    "CVE-2015-2590",
    "CVE-2015-2601",
    "CVE-2015-2613",
    "CVE-2015-2619",
    "CVE-2015-2621",
    "CVE-2015-2625",
    "CVE-2015-2627",
    "CVE-2015-2628",
    "CVE-2015-2632",
    "CVE-2015-2637",
    "CVE-2015-2638",
    "CVE-2015-2659",
    "CVE-2015-2664",
    "CVE-2015-2808",
    "CVE-2015-4000",
    "CVE-2015-4729",
    "CVE-2015-4731",
    "CVE-2015-4732",
    "CVE-2015-4733",
    "CVE-2015-4736",
    "CVE-2015-4748",
    "CVE-2015-4749",
    "CVE-2015-4760"
  );
  script_bugtraq_id(
    73684,
    74733,
    75784,
    75796,
    75812,
    75818,
    75823,
    75832,
    75833,
    75850,
    75854,
    75857,
    75861,
    75867,
    75871,
    75874,
    75877,
    75881,
    75883,
    75890,
    75892,
    75893,
    75895
  );
  script_xref(name:"RHSA", value:"2015:1241");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/24");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");

  script_name(english:"RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2015:1241) (Bar Mitzvah) (Logjam)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"Updated java-1.8.0-oracle packages that fix several security issues
are now available for Oracle Java for Red Hat Enterprise Linux 6 and
7.

Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Oracle Java SE version 8 includes the Oracle Java Runtime Environment
and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE
Critical Patch Update Advisory page, listed in the References section.
(CVE-2015-2590, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619,
CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628,
CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2659,
CVE-2015-2664, CVE-2015-2808, CVE-2015-4000, CVE-2015-4729,
CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736,
CVE-2015-4748, CVE-2015-4749, CVE-2015-4760)

Note: With this update, Oracle JDK now disables RC4 TLS/SSL cipher
suites by default to address the CVE-2015-2808 issue. Refer to Red Hat
Bugzilla bug 1207101, linked to in the References section, for
additional details about this change.

Note: This update forces the TLS/SSL client implementation in Oracle
JDK to reject DH key sizes below 768 bits to address the CVE-2015-4000
issue. Refer to Red Hat Bugzilla bug 1223211, linked to in the
References section, for additional details about this change.

All users of java-1.8.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 8 Update 51 and resolve these
issues. All running instances of Oracle Java must be restarted for the
update to take effect.");
  # http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?73eb3b44");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c11");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c33");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2015:1241");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2590");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2601");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2613");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2619");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2621");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2625");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2627");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2628");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2632");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2637");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2638");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2659");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2664");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-2808");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4000");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4729");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4731");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4732");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4733");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4736");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4748");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4749");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-4760");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4760");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2015-4000");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-javafx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-jdbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-src");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.1");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2015-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! ereg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2015:1241";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6")) flag++;


  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-oracle-1.8.0.51-1jpp.2.el7_1")) flag++;

  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el7_1")) flag++;

  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el7_1")) flag++;

  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el7_1")) flag++;

  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el7_1")) flag++;

  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el7_1")) flag++;


  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-oracle / java-1.8.0-oracle-devel / etc");
  }
}
VendorProductVersionCPE
redhatenterprise_linuxjava-1.8.0-oraclep-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle
redhatenterprise_linuxjava-1.8.0-oracle-develp-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-devel
redhatenterprise_linuxjava-1.8.0-oracle-javafxp-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-javafx
redhatenterprise_linuxjava-1.8.0-oracle-jdbcp-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-jdbc
redhatenterprise_linuxjava-1.8.0-oracle-pluginp-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-plugin
redhatenterprise_linuxjava-1.8.0-oracle-srcp-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-src
redhatenterprise_linux6cpe:/o:redhat:enterprise_linux:6
redhatenterprise_linux6.6cpe:/o:redhat:enterprise_linux:6.6
redhatenterprise_linux7cpe:/o:redhat:enterprise_linux:7
redhatenterprise_linux7.1cpe:/o:redhat:enterprise_linux:7.1

References

Related

ibm 50
redhat 12
openvas 42
nessus 46
archlinux 1
debian 3
suse 9
oraclelinux 4
osv 2
amazon 3
ubuntu 2
aix 1
veracode 16
centos 4
mageia 2
kaspersky 1
f5 1
ibm
ibm
Security Bulletin: July 2015 Java Platform Standard Edition Vulnerabilities in Multiple N series Products
2018-06-18 00:28:35
Security Bulletin: Multiple vulnerabilities in current releases of IBM® WebSphere Real Time
2018-06-15 07:03:24
Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM)
2018-06-18 01:29:36
redhat
redhat
(RHSA-2015:1241) Critical: java-1.8.0-oracle security update
2015-07-17 07:49:43
(RHSA-2015:1242) Critical: java-1.7.0-oracle security update
2015-07-17 07:49:59
(RHSA-2015:1243) Important: java-1.6.0-sun security update
2015-07-17 07:50:15
openvas
openvas
openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2015:1289-1)
2015-09-18 00:00:00
SUSE: Security Advisory for java-1_7_1-ibm (SUSE-SU-2015:1331-1)
2015-10-16 00:00:00
Oracle Java SE JRE Multiple Unspecified Vulnerabilities-01 (Jul 2015) - Windows
2015-07-20 00:00:00
nessus
nessus
Oracle Java SE 6 < Update 101 / 7 < Update 85 / 8 < Update 51 Multiple Vulnerabilities
2015-09-30 00:00:00
RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:1485) (Logjam)
2015-07-23 00:00:00
Oracle Java SE Multiple Vulnerabilities (July 2015 CPU) (Bar Mitzvah)
2015-07-17 00:00:00
archlinux
archlinux
jre7-openjdk: multiple issues
2015-07-22 00:00:00
debian
debian
[SECURITY] [DSA 3339-1] openjdk-6 security update
2015-08-19 20:19:22
[SECURITY] [DLA 303-1] openjdk-6 security update
2015-08-28 08:31:00
[SECURITY] [DSA 3316-1] openjdk-7 security update
2015-07-25 10:13:47
suse
suse
Security update for java-1_8_0-openjdk (important)
2015-07-26 21:09:08
Security update for java-1_7_0-openjdk (important)
2015-07-30 17:08:48
Security update for java-1_6_0-ibm (important)
2015-09-08 13:10:01
oraclelinux
oraclelinux
java-1.6.0-openjdk security update
2015-07-31 00:00:00
java-1.7.0-openjdk security update
2015-07-16 00:00:00
java-1.7.0-openjdk security update
2015-07-15 00:00:00
osv
osv
openjdk-6 - security update
2015-08-28 00:00:00
openjdk-7 - security update
2015-07-25 00:00:00
amazon
amazon
Important: java-1.6.0-openjdk
2015-08-24 22:26:00
Critical: java-1.7.0-openjdk
2015-07-22 10:00:00
Important: java-1.8.0-openjdk
2015-07-22 10:00:00
ubuntu
ubuntu
OpenJDK 6 vulnerabilities
2015-08-06 00:00:00
OpenJDK 7 vulnerabilities
2015-07-30 00:00:00
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2015-07-31 13:04:25
veracode
veracode
Sandbox Restrictions Bypass
2019-05-02 05:41:17
Sandbox Restrictions Bypass
2019-05-02 05:41:17
Arbitrary Code Execution
2019-05-02 05:40:33
centos
centos
java security update
2015-07-15 15:08:01
java security update
2015-07-30 23:24:14
java security update
2015-07-15 15:39:22
mageia
mageia
Updated java-1.7.0-openjdk package fixes security vulnerabilities
2015-07-23 12:39:14
Updated java-1.8.0-openjdk package fixes security vulnerabilities
2015-07-27 12:53:07
kaspersky
kaspersky
KLA10629 Multiple vulnerabilities in Oracle Java SE
2015-07-14 00:00:00
f5
f5
K84947349 : OpenJDK vulnerabilities CVE-2015-2601, CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749
2017-09-15 00:00:00
JSON
Related for REDHAT-RHSA-2015-1241.NASL
ibm50redhat12openvas42nessus46archlinux1debian3suse9oraclelinux4osv2amazon3ubuntu2aix1veracode16centos4mageia2kaspersky1f51