Search...

openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2011:0155-1)

2014-06-13T00:00:00

ID SUSE_11_3_JAVA-1_6_0-OPENJDK-110228.NASL
Type nessus
Reporter Tenable
Modified 2014-06-13T00:00:00

Description

Multiple vulnerabilities were fixed in java-1_6_0-openjdk :

CVE-2010-4448: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N): DNS cache poisoning by untrusted applets

CVE-2010-4450: CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P): Launcher incorrect processing of empty library path entries

CVE-2010-4465: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P): Swing timer-based security manager bypass

CVE-2010-4469: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P): Hotspot backward jsr heap corruption

CVE-2010-4470: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P): JAXP untrusted component state manipulation

CVE-2010-4471: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N): Java2D font-related system property leak

CVE-2010-4472: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N): Untrusted code allowed to replace DSIG/C14N implementation

CVE-2011-0706: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update java-1_6_0-openjdk-4038.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(75538);
  script_version("$Revision: 1.1 $");
  script_cvs_date("$Date: 2014/06/13 21:55:23 $");

  script_cve_id("CVE-2010-4448", "CVE-2010-4450", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4470", "CVE-2010-4471", "CVE-2010-4472", "CVE-2011-0706");

  script_name(english:"openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2011:0155-1)");
  script_summary(english:"Check for the java-1_6_0-openjdk-4038 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple vulnerabilities were fixed in java-1_6_0-openjdk :

  - CVE-2010-4448: CVSS v2 Base Score: 2.6
    (AV:N/AC:H/Au:N/C:N/I:P/A:N): DNS cache poisoning by
    untrusted applets

  - CVE-2010-4450: CVSS v2 Base Score: 3.7
    (AV:L/AC:H/Au:N/C:P/I:P/A:P): Launcher incorrect
    processing of empty library path entries

  - CVE-2010-4465: CVSS v2 Base Score: 6.8
    (AV:N/AC:M/Au:N/C:P/I:P/A:P): Swing timer-based security
    manager bypass

  - CVE-2010-4469: CVSS v2 Base Score: 6.8
    (AV:N/AC:M/Au:N/C:P/I:P/A:P): Hotspot backward jsr heap
    corruption

  - CVE-2010-4470: CVSS v2 Base Score: 4.3
    (AV:N/AC:M/Au:N/C:N/I:N/A:P): JAXP untrusted component
    state manipulation

  - CVE-2010-4471: CVSS v2 Base Score: 4.3
    (AV:N/AC:M/Au:N/C:N/I:P/A:N): Java2D font-related system
    property leak

  - CVE-2010-4472: CVSS v2 Base Score: 2.6
    (AV:N/AC:H/Au:N/C:P/I:N/A:N): Untrusted code allowed to
    replace DSIG/C14N implementation

  - CVE-2011-0706: CVSS v2 Base Score: 7.5
    (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges,
    and Access Control (CWE-264)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.opensuse.org/opensuse-updates/2011-03/msg00002.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=671714"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected java-1_6_0-openjdk packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-plugin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-src");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.3", reference:"java-1_6_0-openjdk-1.6.0.0_b20.1.9.7-1.2.1") ) flag++;
if ( rpm_check(release:"SUSE11.3", reference:"java-1_6_0-openjdk-demo-1.6.0.0_b20.1.9.7-1.2.1") ) flag++;
if ( rpm_check(release:"SUSE11.3", reference:"java-1_6_0-openjdk-devel-1.6.0.0_b20.1.9.7-1.2.1") ) flag++;
if ( rpm_check(release:"SUSE11.3", reference:"java-1_6_0-openjdk-javadoc-1.6.0.0_b20.1.9.7-1.2.1") ) flag++;
if ( rpm_check(release:"SUSE11.3", reference:"java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.7-1.2.1") ) flag++;
if ( rpm_check(release:"SUSE11.3", reference:"java-1_6_0-openjdk-src-1.6.0.0_b20.1.9.7-1.2.1") ) flag++;

if (flag)
{
  if (report_verbosity &gt; 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1_6_0-openjdk");
}

JSON Vulners Source

Initial Source

{"hash": "7f67d906b8be6274441538f199d39941512a0651437e84c7f49bff6e50d365b4", "naslFamily": "SuSE Local Security Checks", "id": "SUSE_11_3_JAVA-1_6_0-OPENJDK-110228.NASL", "lastseen": "2017-10-29T13:40:37", "viewCount": 0, "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "3f41ecb853fd9b7494ce3fdc2790edf5", "key": "cpe"}, {"hash": "f1e9b34374fd3816b0f9c82cf0593e1f", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "cb9cbcdc0fc65205de8abc272a97ef09", "key": "description"}, {"hash": "1bed64f708bbb3f59de6308ebe0d6210", "key": "href"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "modified"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "ba108aa9477fe558baacf8191d499319", "key": "pluginID"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "published"}, {"hash": "6b4fa4ea826cc1026155b12f8e45f580", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "265e72f1c17332868ae3819fcf0a6c9c", "key": "sourceData"}, {"hash": "b87e473c8d53390ebb3768cd35381209", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "bulletinFamily": "scanner", "cpe": ["p-cpe:/a:novell:opensuse:java-1_6_0-openjdk", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-plugin", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-javadoc", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-src", "cpe:/o:novell:opensuse:11.3"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 2, "enchantments": {"vulnersScore": 7.5}, "type": "nessus", "description": "Multiple vulnerabilities were fixed in java-1_6_0-openjdk :\n\n - CVE-2010-4448: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N): DNS cache poisoning by untrusted applets\n\n - CVE-2010-4450: CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P): Launcher incorrect processing of empty library path entries\n\n - CVE-2010-4465: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P): Swing timer-based security manager bypass\n\n - CVE-2010-4469: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P): Hotspot backward jsr heap corruption\n\n - CVE-2010-4470: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P): JAXP untrusted component state manipulation\n\n - CVE-2010-4471: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N): Java2D font-related system property leak\n\n - CVE-2010-4472: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N): Untrusted code allowed to replace DSIG/C14N implementation\n\n - CVE-2011-0706: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264)", "title": "openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2011:0155-1)", "history": [{"bulletin": {"hash": "a3b236e27a62e1b74b3dc9effa14786d9b84d6d32d2102fddb27541ee356eb27", "naslFamily": "SuSE Local Security Checks", "edition": 1, "lastseen": "2016-09-26T17:25:18", "enchantments": {}, "hashmap": [{"hash": "ba108aa9477fe558baacf8191d499319", "key": "pluginID"}, {"hash": "cb9cbcdc0fc65205de8abc272a97ef09", "key": "description"}, {"hash": "f1e9b34374fd3816b0f9c82cf0593e1f", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "6b4fa4ea826cc1026155b12f8e45f580", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "265e72f1c17332868ae3819fcf0a6c9c", "key": "sourceData"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "modified"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "1bed64f708bbb3f59de6308ebe0d6210", "key": "href"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "b87e473c8d53390ebb3768cd35381209", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "bulletinFamily": "scanner", "cpe": [], "history": [], "id": "SUSE_11_3_JAVA-1_6_0-OPENJDK-110228.NASL", "type": "nessus", "description": "Multiple vulnerabilities were fixed in java-1_6_0-openjdk :\n\n - CVE-2010-4448: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N): DNS cache poisoning by untrusted applets\n\n - CVE-2010-4450: CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P): Launcher incorrect processing of empty library path entries\n\n - CVE-2010-4465: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P): Swing timer-based security manager bypass\n\n - CVE-2010-4469: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P): Hotspot backward jsr heap corruption\n\n - CVE-2010-4470: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P): JAXP untrusted component state manipulation\n\n - CVE-2010-4471: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N): Java2D font-related system property leak\n\n - CVE-2010-4472: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N): Untrusted code allowed to replace DSIG/C14N implementation\n\n - CVE-2011-0706: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264)", "viewCount": 0, "title": "openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2011:0155-1)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "objectVersion": "1.2", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update java-1_6_0-openjdk-4038.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75538);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2014/06/13 21:55:23 $\");\n\n script_cve_id(\"CVE-2010-4448\", \"CVE-2010-4450\", \"CVE-2010-4465\", \"CVE-2010-4469\", \"CVE-2010-4470\", \"CVE-2010-4471\", \"CVE-2010-4472\", \"CVE-2011-0706\");\n\n script_name(english:\"openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2011:0155-1)\");\n script_summary(english:\"Check for the java-1_6_0-openjdk-4038 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were fixed in java-1_6_0-openjdk :\n\n - CVE-2010-4448: CVSS v2 Base Score: 2.6\n (AV:N/AC:H/Au:N/C:N/I:P/A:N): DNS cache poisoning by\n untrusted applets\n\n - CVE-2010-4450: CVSS v2 Base Score: 3.7\n (AV:L/AC:H/Au:N/C:P/I:P/A:P): Launcher incorrect\n processing of empty library path entries\n\n - CVE-2010-4465: CVSS v2 Base Score: 6.8\n (AV:N/AC:M/Au:N/C:P/I:P/A:P): Swing timer-based security\n manager bypass\n\n - CVE-2010-4469: CVSS v2 Base Score: 6.8\n (AV:N/AC:M/Au:N/C:P/I:P/A:P): Hotspot backward jsr heap\n corruption\n\n - CVE-2010-4470: CVSS v2 Base Score: 4.3\n (AV:N/AC:M/Au:N/C:N/I:N/A:P): JAXP untrusted component\n state manipulation\n\n - CVE-2010-4471: CVSS v2 Base Score: 4.3\n (AV:N/AC:M/Au:N/C:N/I:P/A:N): Java2D font-related system\n property leak\n\n - CVE-2010-4472: CVSS v2 Base Score: 2.6\n (AV:N/AC:H/Au:N/C:P/I:N/A:N): Untrusted code allowed to\n replace DSIG/C14N implementation\n\n - CVE-2011-0706: CVSS v2 Base Score: 7.5\n (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges,\n and Access Control (CWE-264)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2011-03/msg00002.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=671714\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1_6_0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-demo-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-devel-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-javadoc-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-src-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_6_0-openjdk\");\n}\n", "published": "2014-06-13T00:00:00", "pluginID": "75538", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=671714", "http://lists.opensuse.org/opensuse-updates/2011-03/msg00002.html"], "reporter": "Tenable", "modified": "2014-06-13T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75538"}, "lastseen": "2016-09-26T17:25:18", "edition": 1, "differentElements": ["cpe"]}], "objectVersion": "1.3", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update java-1_6_0-openjdk-4038.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75538);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2014/06/13 21:55:23 $\");\n\n script_cve_id(\"CVE-2010-4448\", \"CVE-2010-4450\", \"CVE-2010-4465\", \"CVE-2010-4469\", \"CVE-2010-4470\", \"CVE-2010-4471\", \"CVE-2010-4472\", \"CVE-2011-0706\");\n\n script_name(english:\"openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2011:0155-1)\");\n script_summary(english:\"Check for the java-1_6_0-openjdk-4038 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were fixed in java-1_6_0-openjdk :\n\n - CVE-2010-4448: CVSS v2 Base Score: 2.6\n (AV:N/AC:H/Au:N/C:N/I:P/A:N): DNS cache poisoning by\n untrusted applets\n\n - CVE-2010-4450: CVSS v2 Base Score: 3.7\n (AV:L/AC:H/Au:N/C:P/I:P/A:P): Launcher incorrect\n processing of empty library path entries\n\n - CVE-2010-4465: CVSS v2 Base Score: 6.8\n (AV:N/AC:M/Au:N/C:P/I:P/A:P): Swing timer-based security\n manager bypass\n\n - CVE-2010-4469: CVSS v2 Base Score: 6.8\n (AV:N/AC:M/Au:N/C:P/I:P/A:P): Hotspot backward jsr heap\n corruption\n\n - CVE-2010-4470: CVSS v2 Base Score: 4.3\n (AV:N/AC:M/Au:N/C:N/I:N/A:P): JAXP untrusted component\n state manipulation\n\n - CVE-2010-4471: CVSS v2 Base Score: 4.3\n (AV:N/AC:M/Au:N/C:N/I:P/A:N): Java2D font-related system\n property leak\n\n - CVE-2010-4472: CVSS v2 Base Score: 2.6\n (AV:N/AC:H/Au:N/C:P/I:N/A:N): Untrusted code allowed to\n replace DSIG/C14N implementation\n\n - CVE-2011-0706: CVSS v2 Base Score: 7.5\n (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges,\n and Access Control (CWE-264)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2011-03/msg00002.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=671714\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1_6_0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-demo-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-devel-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-javadoc-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"java-1_6_0-openjdk-src-1.6.0.0_b20.1.9.7-1.2.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_6_0-openjdk\");\n}\n", "published": "2014-06-13T00:00:00", "pluginID": "75538", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=671714", "http://lists.opensuse.org/opensuse-updates/2011-03/msg00002.html"], "reporter": "Tenable", "modified": "2014-06-13T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75538"}

{"result": {"cve": [{"id": "CVE-2010-4448", "type": "cve", "title": "CVE-2010-4448", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Networking. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves \"DNS cache poisoning by untrusted applets.\"", "published": "2011-02-17T14:00:01", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4448", "cvelist": ["CVE-2010-4448"], "lastseen": "2017-12-22T12:41:50"}, {"id": "CVE-2010-4465", "type": "cve", "title": "CVE-2010-4465", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the lack of framework support by AWT event dispatch, and/or \"clipboard access in Applets.\"", "published": "2011-02-17T14:00:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4465", "cvelist": ["CVE-2010-4465"], "lastseen": "2017-12-22T12:41:50"}, {"id": "CVE-2010-4469", "type": "cve", "title": "CVE-2010-4469", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is heap corruption related to the Verifier and \"backward jsrs.\"", "published": "2011-02-17T14:00:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4469", "cvelist": ["CVE-2010-4469"], "lastseen": "2017-12-22T12:41:50"}, {"id": "CVE-2010-4450", "type": "cve", "title": "CVE-2010-4450", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux; and 1.4.2_29 and earlier for Solaris and Linux allows local standalone applications to affect confidentiality, integrity, and availability via unknown vectors related to Launcher. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.", "published": "2011-02-17T14:00:01", "cvss": {"score": 3.7, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4450", "cvelist": ["CVE-2010-4450"], "lastseen": "2017-12-22T12:41:50"}, {"id": "CVE-2010-4472", "type": "cve", "title": "CVE-2010-4472", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability, related to XML Digital Signature and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves the replacement of the \"XML DSig Transform or C14N algorithm implementations.\"", "published": "2011-02-17T14:00:01", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4472", "cvelist": ["CVE-2010-4472"], "lastseen": "2017-12-22T12:41:50"}, {"id": "CVE-2010-4471", "type": "cve", "title": "CVE-2010-4471", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to 2D. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the exposure of system properties via vectors related to Font.createFont and exception text.", "published": "2011-02-17T14:00:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4471", "cvelist": ["CVE-2010-4471"], "lastseen": "2017-12-22T12:41:50"}, {"id": "CVE-2010-4470", "type": "cve", "title": "CVE-2010-4470", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows remote attackers to affect availability via unknown vectors related to JAXP and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to \"Features set on SchemaFactory not inherited by Validator.\"", "published": "2011-02-17T14:00:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4470", "cvelist": ["CVE-2010-4470"], "lastseen": "2017-12-22T12:41:50"}, {"id": "CVE-2011-0706", "type": "cve", "title": "CVE-2011-0706", "description": "The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of \"an inappropriate security descriptor.\"", "published": "2011-02-18T20:00:03", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0706", "cvelist": ["CVE-2011-0706"], "lastseen": "2017-09-19T13:37:22"}], "nessus": [{"id": "ORACLELINUX_ELSA-2011-0281.NASL", "type": "nessus", "title": "Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2011-0281)", "description": "From Red Hat Security Advisory 2011:0281 :\n\nUpdated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA flaw was found in the Swing library. Forged TimerEvents could be used to bypass SecurityManager checks, allowing access to otherwise blocked files and directories. (CVE-2010-4465)\n\nA flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), which could lead to heap corruption. (CVE-2010-4469)\n\nA flaw was found in the way JAXP (Java API for XML Processing) components were handled, allowing them to be manipulated by untrusted applets. This could be used to elevate privileges and bypass secure XML processing restrictions. (CVE-2010-4470)\n\nIt was found that untrusted applets could create and place cache entries in the name resolution cache. This could allow an attacker targeted manipulation over name resolution until the OpenJDK VM is restarted. (CVE-2010-4448)\n\nIt was found that the Java launcher provided by OpenJDK did not check the LD_LIBRARY_PATH environment variable for insecure empty path elements. A local attacker able to trick a user into running the Java launcher while working from an attacker-writable directory could use this flaw to load an untrusted library, subverting the Java security model. (CVE-2010-4450)\n\nA flaw was found in the XML Digital Signature component in OpenJDK.\nUntrusted code could use this flaw to replace the Java Runtime Environment (JRE) XML Digital Signature Transform or C14N algorithm implementations to intercept digital signature operations.\n(CVE-2010-4472)\n\nNote: All of the above flaws can only be remotely triggered in OpenJDK by calling the 'appletviewer' application.\n\nThis update also provides one defense in depth patch. (BZ#676019)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68205", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4470"], "lastseen": "2017-10-29T13:45:53"}, {"id": "REDHAT-RHSA-2011-0281.NASL", "type": "nessus", "title": "RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2011:0281)", "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA flaw was found in the Swing library. Forged TimerEvents could be used to bypass SecurityManager checks, allowing access to otherwise blocked files and directories. (CVE-2010-4465)\n\nA flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), which could lead to heap corruption. (CVE-2010-4469)\n\nA flaw was found in the way JAXP (Java API for XML Processing) components were handled, allowing them to be manipulated by untrusted applets. This could be used to elevate privileges and bypass secure XML processing restrictions. (CVE-2010-4470)\n\nIt was found that untrusted applets could create and place cache entries in the name resolution cache. This could allow an attacker targeted manipulation over name resolution until the OpenJDK VM is restarted. (CVE-2010-4448)\n\nIt was found that the Java launcher provided by OpenJDK did not check the LD_LIBRARY_PATH environment variable for insecure empty path elements. A local attacker able to trick a user into running the Java launcher while working from an attacker-writable directory could use this flaw to load an untrusted library, subverting the Java security model. (CVE-2010-4450)\n\nA flaw was found in the XML Digital Signature component in OpenJDK.\nUntrusted code could use this flaw to replace the Java Runtime Environment (JRE) XML Digital Signature Transform or C14N algorithm implementations to intercept digital signature operations.\n(CVE-2010-4472)\n\nNote: All of the above flaws can only be remotely triggered in OpenJDK by calling the 'appletviewer' application.\n\nThis update also provides one defense in depth patch. (BZ#676019)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2011-02-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52020", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4470"], "lastseen": "2017-10-29T13:36:21"}, {"id": "CENTOS_RHSA-2011-0281.NASL", "type": "nessus", "title": "CentOS 5 : java-1.6.0-openjdk (CESA-2011:0281)", "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA flaw was found in the Swing library. Forged TimerEvents could be used to bypass SecurityManager checks, allowing access to otherwise blocked files and directories. (CVE-2010-4465)\n\nA flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), which could lead to heap corruption. (CVE-2010-4469)\n\nA flaw was found in the way JAXP (Java API for XML Processing) components were handled, allowing them to be manipulated by untrusted applets. This could be used to elevate privileges and bypass secure XML processing restrictions. (CVE-2010-4470)\n\nIt was found that untrusted applets could create and place cache entries in the name resolution cache. This could allow an attacker targeted manipulation over name resolution until the OpenJDK VM is restarted. (CVE-2010-4448)\n\nIt was found that the Java launcher provided by OpenJDK did not check the LD_LIBRARY_PATH environment variable for insecure empty path elements. A local attacker able to trick a user into running the Java launcher while working from an attacker-writable directory could use this flaw to load an untrusted library, subverting the Java security model. (CVE-2010-4450)\n\nA flaw was found in the XML Digital Signature component in OpenJDK.\nUntrusted code could use this flaw to replace the Java Runtime Environment (JRE) XML Digital Signature Transform or C14N algorithm implementations to intercept digital signature operations.\n(CVE-2010-4472)\n\nNote: All of the above flaws can only be remotely triggered in OpenJDK by calling the 'appletviewer' application.\n\nThis update also provides one defense in depth patch. (BZ#676019)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2011-04-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53421", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4470"], "lastseen": "2017-10-29T13:38:19"}, {"id": "SL_20110217_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x i386/x86_64", "description": "A flaw was found in the Swing library. Forged TimerEvents could be used to bypass SecurityManager checks, allowing access to otherwise blocked files and directories. (CVE-2010-4465)\n\nA flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), which could lead to heap corruption. (CVE-2010-4469)\n\nA flaw was found in the way JAXP (Java API for XML Processing) components were handled, allowing them to be manipulated by untrusted applets. This could be used to elevate privileges and bypass secure XML processing restrictions. (CVE-2010-4470)\n\nIt was found that untrusted applets could create and place cache entries in the name resolution cache. This could allow an attacker targeted manipulation over name resolution until the OpenJDK VM is restarted. (CVE-2010-4448)\n\nIt was found that the Java launcher provided by OpenJDK did not check the LD_LIBRARY_PATH environment variable for insecure empty path elements. A local attacker able to trick a user into running the Java launcher while working from an attacker-writable directory could use this flaw to load an untrusted library, subverting the Java security model. (CVE-2010-4450)\n\nA flaw was found in the XML Digital Signature component in OpenJDK.\nUntrusted code could use this flaw to replace the Java Runtime Environment (JRE) XML Digital Signature Transform or C14N algorithm implementations to intercept digital signature operations.\n(CVE-2010-4472)\n\nNote: All of the above flaws can only be remotely triggered in OpenJDK by calling the 'appletviewer' application.\n\nThis update also provides one defense in depth patch. (BZ#676019)\n\nAll running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60963", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4470"], "lastseen": "2017-10-29T13:34:08"}, {"id": "REDHAT-RHSA-2011-0490.NASL", "type": "nessus", "title": "RHEL 4 / 5 : java-1.4.2-ibm (RHSA-2011:0490)", "description": "Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe IBM 1.4.2 SR13-FP9 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM 'Security alerts' page, listed in the References section. (CVE-2010-4447, CVE-2010-4448, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4473, CVE-2010-4475, CVE-2011-0311)\n\nAll users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP9 Java release. All running instances of IBM Java must be restarted for this update to take effect.", "published": "2011-05-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53819", "cvelist": ["CVE-2010-4475", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4473", "CVE-2010-4447", "CVE-2010-4466"], "lastseen": "2017-10-29T13:36:04"}, {"id": "FEDORA_2011-1645.NASL", "type": "nessus", "title": "Fedora 14 : java-1.6.0-openjdk-1.6.0.0-52.1.9.7.fc14 (2011-1645)", "description": "This update fixes the following security issues :\n\nS6378709, CVE-2010-4465: AWT event dispatch does not support framework code \n\nS6854912, CVE-2010-4465: Security issue with the clipboard access in Applets \n\nS6878713, CVE-2010-4469: Verifier heap corruption, relating to backward jsrs \n\nS6907662, CVE-2010-4465: System clipboard should ensure access restrictions \n\nS6927050, CVE-2010-4470: Features set on SchemaFactory not inherited by Validator \n\nS6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets \n\nS6983554, CVE-2010-4450: (launcher) Fix empty user's LD_LIBRARY_PATH environment variable in the launcher \n\nS6985453, CVE-2010-4471: Font.createFont may expose some system properties in exception text \n\nS6994263, CVE-2010-4472: Untrusted code can replace JRE's XML DSig Transform or C14N algorithm implementations \n\nRH677332, CVE-2011-0706: IcedTea multiple signers privilege escalation\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-02-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52006", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2017-10-29T13:34:33"}, {"id": "FEDORA_2011-1631.NASL", "type": "nessus", "title": "Fedora 13 : java-1.6.0-openjdk-1.6.0.0-50.1.8.7.fc13 (2011-1631)", "description": "This update fixes the following security issues :\n\nS6378709, CVE-2010-4465: AWT event dispatch does not support framework code \n\nS6854912, CVE-2010-4465: Security issue with the clipboard access in Applets \n\nS6878713, CVE-2010-4469: Verifier heap corruption, relating to backward jsrs \n\nS6907662, CVE-2010-4465: System clipboard should ensure access restrictions \n\nS6927050, CVE-2010-4470: Features set on SchemaFactory not inherited by Validator \n\nS6981922, CVE-2010-4448: DNS cache poisoning by untrusted applets \n\nS6983554, CVE-2010-4450: (launcher) Fix empty user's LD_LIBRARY_PATH environment variable in the launcher \n\nS6985453, CVE-2010-4471: Font.createFont may expose some system properties in exception text \n\nS6994263, CVE-2010-4472: Untrusted code can replace JRE's XML DSig Transform or C14N algorithm implementations \n\nRH677332, CVE-2011-0706: IcedTea multiple signers privilege escalation\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-02-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52005", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2017-10-29T13:37:38"}, {"id": "UBUNTU_USN-1079-3.NASL", "type": "nessus", "title": "Ubuntu 10.10 : openjdk-6b18 vulnerabilities (USN-1079-3)", "description": "USN-1079-2 fixed vulnerabilities in OpenJDK 6 for armel (ARM) architectures in Ubuntu 9.10 and Ubuntu 10.04 LTS. This update fixes vulnerabilities in OpenJDK 6 for armel (ARM) architectures for Ubuntu 10.10.\n\nIt was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)\n\nIt was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)\n\nIt was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks.\nThis could allow an attacker to access restricted resources.\n(CVE-2010-4465)\n\nIt was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code.\n(CVE-2010-4469)\n\nIt was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)\n\nIt was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties.\n(CVE-2010-4471)\n\nIt was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472)\n\nKonstantin Preisser and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)\n\nIt was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. (CVE-2011-0706).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-03-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65100", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2017-10-29T13:40:48"}, {"id": "SUSE_11_2_JAVA-1_6_0-OPENJDK-110228.NASL", "type": "nessus", "title": "openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2011:0155-1)", "description": "Multiple vulnerabilities were fixed in java-1_6_0-openjdk :\n\n - CVE-2010-4448: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N): DNS cache poisoning by untrusted applets\n\n - CVE-2010-4450: CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P): Launcher incorrect processing of empty library path entries\n\n - CVE-2010-4465: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P): Swing timer-based security manager bypass\n\n - CVE-2010-4469: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P): Hotspot backward jsr heap corruption\n\n - CVE-2010-4470: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P): JAXP untrusted component state manipulation\n\n - CVE-2010-4471: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N): Java2D font-related system property leak\n\n - CVE-2010-4472: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N): Untrusted code allowed to replace DSIG/C14N implementation\n\n - CVE-2011-0706: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P): Permissions, Privileges, and Access Control (CWE-264)", "published": "2011-05-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53735", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2017-10-29T13:39:26"}, {"id": "UBUNTU_USN-1079-1.NASL", "type": "nessus", "title": "Ubuntu 9.10 / 10.04 LTS / 10.10 : openjdk-6 vulnerabilities (USN-1079-1)", "description": "It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)\n\nIt was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)\n\nIt was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465)\n\nIt was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469)\n\nIt was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges.\n(CVE-2010-4470)\n\nIt was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471)\n\nIt was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations.\n(CVE-2010-4472)\n\nKonstantin Preisser and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)\n\nIt was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor.\n(CVE-2011-0706).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-03-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52498", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2017-10-29T13:44:09"}], "oraclelinux": [{"id": "ELSA-2011-0281", "type": "oraclelinux", "title": "java-1.6.0-openjdk security update", "description": "[1.6.0.0-1.39.b17]\n- respin of IcedTea6 1.7.10\n- Resolves: rhbz#676276\n[1.6.0.0-1.37.b17]\n- Updated to IcedTea6 1.7.10\n- Resolves: rhbz#676276", "published": "2011-02-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-0281.html", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4470"], "lastseen": "2016-09-04T11:16:18"}], "redhat": [{"id": "RHSA-2011:0281", "type": "redhat", "title": "(RHSA-2011:0281) Important: java-1.6.0-openjdk security update", "description": "These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nA flaw was found in the Swing library. Forged TimerEvents could be used to\nbypass SecurityManager checks, allowing access to otherwise blocked files\nand directories. (CVE-2010-4465)\n\nA flaw was found in the HotSpot component in OpenJDK. Certain bytecode\ninstructions confused the memory management within the Java Virtual Machine\n(JVM), which could lead to heap corruption. (CVE-2010-4469)\n\nA flaw was found in the way JAXP (Java API for XML Processing) components\nwere handled, allowing them to be manipulated by untrusted applets. This\ncould be used to elevate privileges and bypass secure XML processing\nrestrictions. (CVE-2010-4470)\n\nIt was found that untrusted applets could create and place cache entries in\nthe name resolution cache. This could allow an attacker targeted\nmanipulation over name resolution until the OpenJDK VM is restarted.\n(CVE-2010-4448)\n\nIt was found that the Java launcher provided by OpenJDK did not check the\nLD_LIBRARY_PATH environment variable for insecure empty path elements. A\nlocal attacker able to trick a user into running the Java launcher while\nworking from an attacker-writable directory could use this flaw to load an\nuntrusted library, subverting the Java security model. (CVE-2010-4450)\n\nA flaw was found in the XML Digital Signature component in OpenJDK.\nUntrusted code could use this flaw to replace the Java Runtime Environment\n(JRE) XML Digital Signature Transform or C14N algorithm implementations to\nintercept digital signature operations. (CVE-2010-4472)\n\nNote: All of the above flaws can only be remotely triggered in OpenJDK by\ncalling the \"appletviewer\" application.\n\nThis update also provides one defense in depth patch. (BZ#676019)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2011-02-17T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0281", "cvelist": ["CVE-2010-4448", "CVE-2010-4450", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4470", "CVE-2010-4472"], "lastseen": "2017-12-25T20:04:52"}, {"id": "RHSA-2011:0870", "type": "redhat", "title": "(RHSA-2011:0870) Moderate: java-1.4.2-ibm-sap security update", "description": "The IBM 1.4.2 SR13-FP9 Java release includes the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2010-4447, CVE-2010-4448,\nCVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4473,\nCVE-2010-4475, CVE-2011-0311)\n\nAll users of java-1.4.2-ibm-sap for Red Hat Enterprise Linux 4, 5 and 6 for\nSAP are advised to upgrade to these updated packages, which contain the IBM\n1.4.2 SR13-FP9 Java release. All running instances of IBM Java must be\nrestarted for this update to take effect.\n", "published": "2011-06-15T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0870", "cvelist": ["CVE-2010-4447", "CVE-2010-4448", "CVE-2010-4454", "CVE-2010-4462", "CVE-2010-4465", "CVE-2010-4466", "CVE-2010-4473", "CVE-2010-4475", "CVE-2011-0311"], "lastseen": "2017-09-09T07:20:15"}, {"id": "RHSA-2011:0490", "type": "redhat", "title": "(RHSA-2011:0490) Critical: java-1.4.2-ibm security update", "description": "The IBM 1.4.2 SR13-FP9 Java release includes the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2010-4447, CVE-2010-4448,\nCVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4473,\nCVE-2010-4475, CVE-2011-0311)\n\nAll users of java-1.4.2-ibm are advised to upgrade to these updated\npackages, which contain the IBM 1.4.2 SR13-FP9 Java release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2011-05-05T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0490", "cvelist": ["CVE-2010-4447", "CVE-2010-4448", "CVE-2010-4454", "CVE-2010-4462", "CVE-2010-4465", "CVE-2010-4466", "CVE-2010-4473", "CVE-2010-4475", "CVE-2011-0311"], "lastseen": "2017-09-09T07:20:25"}, {"id": "RHSA-2011:0364", "type": "redhat", "title": "(RHSA-2011:0364) Critical: java-1.5.0-ibm security update", "description": "The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and\nthe IBM Java 2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2010-4447, CVE-2010-4448,\nCVE-2010-4450, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466,\nCVE-2010-4468, CVE-2010-4471, CVE-2010-4473, CVE-2010-4475)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM 1.5.0 SR12-FP4 Java release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2011-03-17T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0364", "cvelist": ["CVE-2010-4447", "CVE-2010-4448", "CVE-2010-4450", "CVE-2010-4454", "CVE-2010-4462", "CVE-2010-4465", "CVE-2010-4466", "CVE-2010-4468", "CVE-2010-4471", "CVE-2010-4473", "CVE-2010-4475"], "lastseen": "2017-09-09T07:19:16"}, {"id": "RHSA-2011:0282", "type": "redhat", "title": "(RHSA-2011:0282) Critical: java-1.6.0-sun security update", "description": "The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and\nthe Sun Java 6 Software Development Kit.\n\nThis update fixes several vulnerabilities in the Sun Java 6 Runtime\nEnvironment and the Sun Java 6 Software Development Kit. Further\ninformation about these flaws can be found on the \"Oracle Java SE and Java\nfor Business Critical Patch Update Advisory\" page, listed in the References\nsection. (CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450,\nCVE-2010-4451, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463,\nCVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469,\nCVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4475,\nCVE-2010-4476)\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of Sun Java\nmust be restarted for the update to take effect.\n", "published": "2011-02-17T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0282", "cvelist": ["CVE-2010-4422", "CVE-2010-4447", "CVE-2010-4448", "CVE-2010-4450", "CVE-2010-4451", "CVE-2010-4452", "CVE-2010-4454", "CVE-2010-4462", "CVE-2010-4463", "CVE-2010-4465", "CVE-2010-4466", "CVE-2010-4467", "CVE-2010-4468", "CVE-2010-4469", "CVE-2010-4470", "CVE-2010-4471", "CVE-2010-4472", "CVE-2010-4473", "CVE-2010-4475", "CVE-2010-4476"], "lastseen": "2017-09-09T07:20:03"}, {"id": "RHSA-2011:0357", "type": "redhat", "title": "(RHSA-2011:0357) Critical: java-1.6.0-ibm security update", "description": "The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and\nthe IBM Java 2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2010-4422, CVE-2010-4447,\nCVE-2010-4448, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463,\nCVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4471,\nCVE-2010-4473, CVE-2010-4475)\n\nNote: The RHSA-2010:0987 and RHSA-2011:0290 java-1.6.0-ibm errata were\nmissing 64-bit PowerPC packages for Red Hat Enterprise Linux 4 Extras. This\nerratum provides 64-bit PowerPC packages for Red Hat Enterprise Linux 4\nExtras as expected.\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM 1.6.0 SR9-FP1 Java release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "published": "2011-03-16T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0357", "cvelist": ["CVE-2010-4422", "CVE-2010-4447", "CVE-2010-4448", "CVE-2010-4452", "CVE-2010-4454", "CVE-2010-4462", "CVE-2010-4463", "CVE-2010-4465", "CVE-2010-4466", "CVE-2010-4467", "CVE-2010-4468", "CVE-2010-4471", "CVE-2010-4473", "CVE-2010-4475"], "lastseen": "2017-09-09T07:20:09"}, {"id": "RHSA-2011:0880", "type": "redhat", "title": "(RHSA-2011:0880) Low: Red Hat Network Satellite server IBM Java Runtime security update", "description": "This update corrects several security vulnerabilities in the IBM Java\nRuntime Environment shipped as part of Red Hat Network Satellite 5.4.1. In\na typical operating environment, these are of low security risk as the\nruntime is not used on untrusted applets.\n\nThis update fixes several vulnerabilities in the IBM Java 2 Runtime\nEnvironment. Detailed vulnerability descriptions are linked from the IBM\n\"Security alerts\" page, listed in the References section. (CVE-2009-3555,\nCVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550,\nCVE-2010-3551, CVE-2010-3553, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557,\nCVE-2010-3558, CVE-2010-3560, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565,\nCVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572,\nCVE-2010-3573, CVE-2010-3574, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448,\nCVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465,\nCVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4471, CVE-2010-4473,\nCVE-2010-4475, CVE-2010-4476)\n\nUsers of Red Hat Network Satellite 5.4.1 are advised to upgrade to these\nupdated java-1.6.0-ibm packages, which contain the IBM 1.6.0 SR9-FP1 Java\nrelease. For this update to take effect, Red Hat Network Satellite must be\nrestarted. Refer to the Solution section for details.\n", "published": "2011-06-16T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0880", "cvelist": ["CVE-2010-3562", "CVE-2010-4475", "CVE-2010-4468", "CVE-2010-3557", "CVE-2010-3563", "CVE-2010-3551", "CVE-2010-3553", "CVE-2010-3550", "CVE-2010-4452", "CVE-2010-4462", "CVE-2010-3566", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-3565", "CVE-2010-4454", "CVE-2010-3572", "CVE-2010-4422", "CVE-2010-4463", "CVE-2010-3574", "CVE-2010-4473", "CVE-2010-3541", "CVE-2010-3571", "CVE-2009-3555", "CVE-2010-4476", "CVE-2010-4471", "CVE-2010-3560", "CVE-2010-1321", "CVE-2010-3556", "CVE-2010-4447", "CVE-2010-3549", "CVE-2010-3555", "CVE-2010-3573", "CVE-2010-3548", "CVE-2010-4467", "CVE-2010-3568", "CVE-2010-3558", "CVE-2010-4466", "CVE-2010-3569"], "lastseen": "2016-09-04T11:18:01"}], "openvas": [{"id": "OPENVAS:1361412562310122240", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2011-0281", "description": "Oracle Linux Local Security Checks ELSA-2011-0281", "published": "2015-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122240", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4470"], "lastseen": "2017-07-24T12:53:11"}, {"id": "OPENVAS:870394", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2011:0281-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-02-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870394", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470"], "lastseen": "2017-07-27T10:55:00"}, {"id": "OPENVAS:1361412562310881416", "type": "openvas", "title": "CentOS Update for java CESA-2011:0281 centos5 x86_64", "description": "Check for the Version of java", "published": "2012-07-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881416", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470"], "lastseen": "2018-04-06T11:20:36"}, {"id": "OPENVAS:1361412562310870394", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2011:0281-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-02-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870394", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470"], "lastseen": "2018-04-09T11:35:24"}, {"id": "OPENVAS:840607", "type": "openvas", "title": "Ubuntu Update for openjdk-6 vulnerabilities USN-1079-1", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1079-1", "published": "2011-03-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=840607", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2017-12-04T11:26:36"}, {"id": "OPENVAS:881416", "type": "openvas", "title": "CentOS Update for java CESA-2011:0281 centos5 x86_64", "description": "Check for the Version of java", "published": "2012-07-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881416", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470"], "lastseen": "2018-01-02T10:58:21"}, {"id": "OPENVAS:1361412562310880559", "type": "openvas", "title": "CentOS Update for java CESA-2011:0281 centos5 i386", "description": "Check for the Version of java", "published": "2011-08-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880559", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470"], "lastseen": "2018-04-09T11:36:50"}, {"id": "OPENVAS:880559", "type": "openvas", "title": "CentOS Update for java CESA-2011:0281 centos5 i386", "description": "Check for the Version of java", "published": "2011-08-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=880559", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470"], "lastseen": "2017-07-25T10:55:38"}, {"id": "OPENVAS:1361412562310840607", "type": "openvas", "title": "Ubuntu Update for openjdk-6 vulnerabilities USN-1079-1", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1079-1", "published": "2011-03-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840607", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2018-04-30T14:12:16"}, {"id": "OPENVAS:1361412562310862853", "type": "openvas", "title": "Fedora Update for java-1.6.0-openjdk FEDORA-2011-1631", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-02-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862853", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2011-0025", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2018-04-09T11:37:27"}], "centos": [{"id": "CESA-2011:0281", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2011:0281\n\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nA flaw was found in the Swing library. Forged TimerEvents could be used to\nbypass SecurityManager checks, allowing access to otherwise blocked files\nand directories. (CVE-2010-4465)\n\nA flaw was found in the HotSpot component in OpenJDK. Certain bytecode\ninstructions confused the memory management within the Java Virtual Machine\n(JVM), which could lead to heap corruption. (CVE-2010-4469)\n\nA flaw was found in the way JAXP (Java API for XML Processing) components\nwere handled, allowing them to be manipulated by untrusted applets. This\ncould be used to elevate privileges and bypass secure XML processing\nrestrictions. (CVE-2010-4470)\n\nIt was found that untrusted applets could create and place cache entries in\nthe name resolution cache. This could allow an attacker targeted\nmanipulation over name resolution until the OpenJDK VM is restarted.\n(CVE-2010-4448)\n\nIt was found that the Java launcher provided by OpenJDK did not check the\nLD_LIBRARY_PATH environment variable for insecure empty path elements. A\nlocal attacker able to trick a user into running the Java launcher while\nworking from an attacker-writable directory could use this flaw to load an\nuntrusted library, subverting the Java security model. (CVE-2010-4450)\n\nA flaw was found in the XML Digital Signature component in OpenJDK.\nUntrusted code could use this flaw to replace the Java Runtime Environment\n(JRE) XML Digital Signature Transform or C14N algorithm implementations to\nintercept digital signature operations. (CVE-2010-4472)\n\nNote: All of the above flaws can only be remotely triggered in OpenJDK by\ncalling the \"appletviewer\" application.\n\nThis update also provides one defense in depth patch. (BZ#676019)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-April/017313.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-April/017314.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-0281.html", "published": "2011-04-14T10:33:37", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2011-April/017313.html", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4470"], "lastseen": "2017-10-03T18:24:36"}], "ubuntu": [{"id": "USN-1079-1", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)\n\nIt was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)\n\nIt was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465)\n\nIt was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469)\n\nIt was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)\n\nIt was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471)\n\nIt was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472)\n\nKonstantin Preisser and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)\n\nIt was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. (CVE-2011-0706)", "published": "2011-03-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1079-1/", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2018-03-29T18:18:40"}, {"id": "USN-1079-3", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "USN-1079-2 fixed vulnerabilities in OpenJDK 6 for armel (ARM) architectures in Ubuntu 9.10 and Ubuntu 10.04 LTS. This update fixes vulnerabilities in OpenJDK 6 for armel (ARM) architectures for Ubuntu 10.10.\n\nOriginal advisory details:\n\nIt was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)\n\nIt was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)\n\nIt was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465)\n\nIt was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469)\n\nIt was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)\n\nIt was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471)\n\nIt was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472)\n\nKonstantin Preisser and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)\n\nIt was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. (CVE-2011-0706)", "published": "2011-03-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1079-3/", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2018-03-29T18:19:10"}, {"id": "USN-1079-2", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "USN-1079-1 fixed vulnerabilities in OpenJDK 6 for non-armel (ARM) architectures. This update provides the corresponding updates for OpenJDK 6 for use with the armel (ARM) architectures.\n\nIn order to build the armel (ARM) OpenJDK 6 update for Ubuntu 10.04 LTS, it was necessary to rebuild binutils and gcj-4.4 from Ubuntu 10.04 LTS updates.\n\nOriginal advisory details:\n\nIt was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)\n\nIt was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)\n\nIt was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465)\n\nIt was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469)\n\nIt was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)\n\nIt was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471)\n\nIt was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472)\n\nKonstantin Preisser and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)\n\nIt was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. (CVE-2011-0706)", "published": "2011-03-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1079-2/", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2018-03-29T18:18:13"}], "suse": [{"id": "SUSE-SA:2011:024", "type": "suse", "title": "remote code execution in java-1_4_2-ibm", "description": "IBM Java 1.4.2 was updated to SR 13 Fix Pack 9, fixing bugs and security issues.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2011-05-13T13:10:27", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00004.html", "cvelist": ["CVE-2010-4475", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4473", "CVE-2010-4476", "CVE-2010-4447", "CVE-2010-4466", "CVE-2011-0311"], "lastseen": "2016-09-04T11:27:16"}, {"id": "SUSE-SU-2011:0823-1", "type": "suse", "title": "Security update for IBM Java 1.4.2 (important)", "description": "IBM Java 1.4.2 SR13 for SAP fixes various bugs and the\n following security issues:\n\n * CVE-2010-4447\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447</a>\n >\n * CVE-2010-4448\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448</a>\n >\n * CVE-2010-4454\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454</a>\n >\n * CVE-2010-4462\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462</a>\n >\n * CVE-2010-4465\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465</a>\n >\n * CVE-2010-4466\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466</a>\n >\n * CVE-2010-4473\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473</a>\n >\n * CVE-2010-4475\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475</a>\n >\n * CVE-2010-4476\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476</a>\n >\n * CVE-2011-0311\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0311\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0311</a>\n >\n\n", "published": "2011-07-22T05:08:11", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00010.html", "cvelist": ["CVE-2010-4475", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4473", "CVE-2010-4476", "CVE-2010-4447", "CVE-2010-4466", "CVE-2011-0311"], "lastseen": "2016-09-04T12:14:44"}, {"id": "SUSE-SA:2011:014", "type": "suse", "title": "remote code execution in java-1_6_0-ibm,java-1_5_0-ibm,java-1_4_2-ibm", "description": "IBM Java 6 was updated to SR9 FP1 was updated to fix a critical security bug in float number handling and also contains other security bugfixes.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2011-03-22T13:32:34", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-03/msg00003.html", "cvelist": ["CVE-2010-4475", "CVE-2010-4468", "CVE-2010-3557", "CVE-2010-3553", "CVE-2010-4452", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4422", "CVE-2010-4463", "CVE-2010-3574", "CVE-2010-4473", "CVE-2010-3571", "CVE-2010-4476", "CVE-2010-4471", "CVE-2010-1321", "CVE-2010-4447", "CVE-2010-4467", "CVE-2010-4466"], "lastseen": "2016-09-04T12:32:47"}, {"id": "SUSE-SA:2011:010", "type": "suse", "title": "remote code execution in java-1_6_0-sun", "description": "Sun Java 1.6 was updated to Update 24 fixing various bugs and security issues.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2011-02-22T14:41:11", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00005.html", "cvelist": ["CVE-2010-4475", "CVE-2010-4468", "CVE-2010-4452", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4451", "CVE-2010-4422", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4463", "CVE-2010-4473", "CVE-2010-4474", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4447", "CVE-2010-4470", "CVE-2010-4467", "CVE-2010-4466"], "lastseen": "2016-09-04T11:41:42"}], "debian": [{"id": "DSA-2224", "type": "debian", "title": "openjdk-6 -- several vulnerabilities", "description": "Several security vulnerabilities were discovered in OpenJDK, an implementation of the Java platform.\n\n * [CVE-2010-4351](<https://security-tracker.debian.org/tracker/CVE-2010-4351>)\n\nThe JNLP SecurityManager returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader.\n\n * [CVE-2010-4448](<https://security-tracker.debian.org/tracker/CVE-2010-4448>)\n\nMalicious applets can perform DNS cache poisoning.\n\n * [CVE-2010-4450](<https://security-tracker.debian.org/tracker/CVE-2010-4450>)\n\nAn empty (but set) LD_LIBRARY_PATH environment variable results in a misconstructed library search path, resulting in code execution from possibly untrusted sources.\n\n * [CVE-2010-4465](<https://security-tracker.debian.org/tracker/CVE-2010-4465>)\n\nMalicious applets can extend their privileges by abusing Swing timers.\n\n * [CVE-2010-4469](<https://security-tracker.debian.org/tracker/CVE-2010-4469>)\n\nThe Hotspot just-in-time compiler miscompiles crafted byte sequences, resulting in heap corruption.\n\n * [CVE-2010-4470](<https://security-tracker.debian.org/tracker/CVE-2010-4470>)\n\nJAXP can be exploited by untrusted code to elevate privileges.\n\n * [CVE-2010-4471](<https://security-tracker.debian.org/tracker/CVE-2010-4471>)\n\nJava2D can be exploited by untrusted code to elevate privileges.\n\n * [CVE-2010-4472](<https://security-tracker.debian.org/tracker/CVE-2010-4472>)\n\nUntrusted code can replace the XML DSIG implementation.\n\n * [CVE-2011-0025](<https://security-tracker.debian.org/tracker/CVE-2011-0025>)\n\nSignatures on JAR files are not properly verified, which allows remote attackers to trick users into executing code that appears to come from a trusted source.\n\n * [CVE-2011-0706](<https://security-tracker.debian.org/tracker/CVE-2011-0706>)\n\nThe JNLPClassLoader class allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of an inappropriate security descriptor.\n\nIn addition, this security update contains stability fixes, such as switching to the recommended Hotspot version (hs14) for this particular version of OpenJDK. \n\nFor the oldstable distribution (lenny), these problems have been fixed in version 6b18-1.8.7-2~lenny1.\n\nFor the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.7-2~squeeze1.\n\nFor the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 1.8.7-1.\n\nWe recommend that you upgrade your openjdk-6 packages.", "published": "2011-04-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2224", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4472", "CVE-2010-4471", "CVE-2011-0025", "CVE-2010-4470", "CVE-2010-4351", "CVE-2011-0706"], "lastseen": "2016-09-02T18:36:03"}], "oracle": [{"id": "ORACLE:CPUAPR2011-301950", "type": "oracle", "title": "cpuapr2011", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 73 new security fixes across all product families listed below.\n", "published": "2011-04-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2011-0799", "CVE-2011-0412", "CVE-2011-0801", "CVE-2011-0808", "CVE-2011-0859", "CVE-2011-0856", "CVE-2011-0793", "CVE-2011-0791", "CVE-2010-4468", "CVE-2010-3450", "CVE-2011-0837", "CVE-2011-0787", "CVE-2011-0821", "CVE-2011-0812", "CVE-2011-0827", "CVE-2011-0805", "CVE-2011-0846", "CVE-2011-0824", "CVE-2011-0807", "CVE-2010-4452", "CVE-2011-0810", "CVE-2011-0790", "CVE-2010-4462", "CVE-2011-0851", "CVE-2010-4448", "CVE-2010-4465", "CVE-2011-0803", "CVE-2011-0798", "CVE-2010-3689", "CVE-2011-0820", "CVE-2010-4454", "CVE-2011-0806", "CVE-2010-4253", "CVE-2011-0809", "CVE-2011-0789", "CVE-2011-0841", "CVE-2011-0861", "CVE-2010-3451", "CVE-2011-0795", "CVE-2010-4450", "CVE-2011-0834", "CVE-2011-0825", "CVE-2011-0823", "CVE-2011-0850", "CVE-2010-4473", "CVE-2011-0860", "CVE-2011-0828", "CVE-2011-0858", "CVE-2011-0847", "CVE-2009-3555", "CVE-2010-3454", "CVE-2010-4476", "CVE-2010-4472", "CVE-2011-0843", "CVE-2010-4471", "CVE-2011-0849", "CVE-2011-0800", "CVE-2011-0826", "CVE-2011-0840", "CVE-2011-0857", "CVE-2011-0792", "CVE-2011-0818", "CVE-2010-4643", "CVE-2011-0853", "CVE-2011-0794", "CVE-2010-3453", "CVE-2011-0836", "CVE-2011-0839", "CVE-2010-4470", "CVE-2011-0796", "CVE-2011-0833", "CVE-2011-0813", "CVE-2011-0804", "CVE-2011-0819", "CVE-2011-0844", "CVE-2011-0829", "CVE-2011-0855", "CVE-2011-0797", "CVE-2011-0411", "CVE-2011-0785", "CVE-2010-3452", "CVE-2011-0854"], "lastseen": "2018-04-18T20:24:09"}], "vmware": [{"id": "VMSA-2011-0013", "type": "vmware", "title": "VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX", "description": "a. ESX third party update for Service Console openssl RPM \nThe Service Console openssl RPM is updated to openssl-0.9.8e.12.el5_5.7 resolving two security issues. \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-7270 and CVE-2010-4180 to these issues. \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "published": "2011-10-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.vmware.com/security/advisories/VMSA-2011-0013.html", "cvelist": ["CVE-2010-3562", "CVE-2010-4475", "CVE-2011-0865", "CVE-2010-2054", "CVE-2010-4468", "CVE-2010-3557", "CVE-2010-3563", "CVE-2010-3551", "CVE-2011-0802", "CVE-2010-3552", "CVE-2010-3553", "CVE-2010-3550", "CVE-2010-4452", "CVE-2010-4462", "CVE-2010-3566", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-3565", "CVE-2010-4180", "CVE-2010-4454", "CVE-2010-3572", "CVE-2010-4451", "CVE-2010-4422", "CVE-2010-4469", "CVE-2011-0002", "CVE-2010-4450", "CVE-2010-4463", "CVE-2010-3574", "CVE-2010-4473", "CVE-2010-4474", "CVE-2010-3541", "CVE-2011-0873", "CVE-2010-3571", "CVE-2010-3173", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-3560", "CVE-2010-3559", "CVE-2008-7270", "CVE-2011-0815", "CVE-2010-1321", "CVE-2010-3556", "CVE-2011-0867", "CVE-2010-3561", "CVE-2010-4447", "CVE-2010-3549", "CVE-2010-3554", "CVE-2010-3170", "CVE-2010-4470", "CVE-2010-3555", "CVE-2011-0864", "CVE-2010-3570", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-3548", "CVE-2010-4467", "CVE-2010-3568", "CVE-2011-0862", "CVE-2010-3558", "CVE-2010-4466", "CVE-2010-3569", "CVE-2011-0871", "CVE-2011-0814"], "lastseen": "2016-09-04T11:19:38"}], "gentoo": [{"id": "GLSA-201111-02", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "description": "### Background\n\nThe Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). \n\n### Description\n\nMultiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below and the associated Oracle Critical Patch Update Advisory for details. \n\n### Impact\n\nA remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK 1.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/sun-jdk-1.6.0.29\"\n \n\nAll Oracle JRE 1.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/sun-jre-bin-1.6.0.29\"\n \n\nAll users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/emul-linux-x86-java-1.6.0.29\"\n \n\nNOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically. This limitation is not present on a non-fetch restricted implementation such as dev-java/icedtea-bin.", "published": "2011-11-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201111-02", "cvelist": ["CVE-2010-3562", "CVE-2010-4475", "CVE-2011-0865", "CVE-2011-3557", "CVE-2010-4468", "CVE-2010-3557", "CVE-2011-3551", "CVE-2010-3563", "CVE-2011-3549", "CVE-2010-3551", "CVE-2011-0802", "CVE-2011-0868", "CVE-2010-3552", "CVE-2010-3553", "CVE-2010-3550", "CVE-2010-4452", "CVE-2011-3561", "CVE-2010-4462", "CVE-2010-3566", "CVE-2010-4448", "CVE-2010-4465", "CVE-2011-0869", "CVE-2010-3565", "CVE-2011-0863", "CVE-2010-4454", "CVE-2010-3572", "CVE-2010-4451", "CVE-2011-3548", "CVE-2010-4422", "CVE-2011-3547", "CVE-2010-4469", "CVE-2011-3521", "CVE-2011-3389", "CVE-2010-4450", "CVE-2010-4463", "CVE-2010-3574", "CVE-2011-3544", "CVE-2011-3553", "CVE-2010-4473", "CVE-2010-4474", "CVE-2011-3516", "CVE-2010-3541", "CVE-2011-3558", "CVE-2011-0873", "CVE-2010-3571", "CVE-2011-3555", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-3560", "CVE-2010-3559", "CVE-2011-0815", "CVE-2011-3546", "CVE-2010-3556", "CVE-2011-3554", "CVE-2011-0867", "CVE-2010-3561", "CVE-2010-4447", "CVE-2010-3549", "CVE-2011-3556", "CVE-2010-3554", "CVE-2010-4470", "CVE-2011-3560", "CVE-2010-3555", "CVE-2011-0864", "CVE-2010-3570", "CVE-2011-3545", "CVE-2011-3552", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-3548", "CVE-2011-3550", "CVE-2010-4467", "CVE-2010-3568", "CVE-2011-0862", "CVE-2010-3558", "CVE-2010-4466", "CVE-2010-3569", "CVE-2011-0871", "CVE-2011-0814", "CVE-2011-0872"], "lastseen": "2016-09-06T19:47:03"}, {"id": "GLSA-201406-32", "type": "gentoo", "title": "IcedTea JDK: Multiple vulnerabilities", "description": "### Background\n\nIcedTea is a distribution of the Java OpenJDK source code built with free build tools. \n\n### Description\n\nMultiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll IcedTea JDK users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-6.1.13.3\"", "published": "2014-06-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201406-32", "cvelist": ["CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2431", "CVE-2010-3562", "CVE-2013-2420", "CVE-2011-0865", "CVE-2013-2384", "CVE-2013-2415", "CVE-2012-1711", "CVE-2014-2397", "CVE-2013-1571", "CVE-2013-5782", "CVE-2011-3557", "CVE-2013-2417", "CVE-2013-1500", "CVE-2013-2448", "CVE-2010-3557", "CVE-2011-3551", "CVE-2013-4002", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2014-0457", "CVE-2013-5850", "CVE-2013-2407", "CVE-2013-5778", "CVE-2013-1478", "CVE-2013-2456", "CVE-2010-3551", "CVE-2011-0868", "CVE-2013-0428", "CVE-2014-0446", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-0169", "CVE-2010-3553", "CVE-2012-1719", "CVE-2014-1876", "CVE-2014-0458", "CVE-2013-0429", "CVE-2014-2427", "CVE-2011-3563", "CVE-2013-1475", "CVE-2013-2421", "CVE-2013-1518", "CVE-2013-0435", "CVE-2012-5087", "CVE-2013-0809", "CVE-2013-0442", "CVE-2010-3566", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-5842", "CVE-2010-4448", "CVE-2013-0431", "CVE-2010-4465", "CVE-2012-5085", "CVE-2012-4540", "CVE-2011-0869", "CVE-2010-3565", "CVE-2012-5076", "CVE-2013-5830", "CVE-2013-2473", "CVE-2013-6954", "CVE-2012-4416", "CVE-2012-5075", "CVE-2014-0453", "CVE-2013-1488", "CVE-2012-0424", "CVE-2013-0434", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2011-3548", "CVE-2012-5081", "CVE-2011-3547", "CVE-2013-5817", "CVE-2010-4469", "CVE-2012-0503", "CVE-2011-3521", "CVE-2013-0443", "CVE-2011-5035", "CVE-2013-2419", "CVE-2014-0461", "CVE-2012-1723", "CVE-2013-2463", "CVE-2011-3571", "CVE-2010-3860", "CVE-2011-3389", "CVE-2013-2469", "CVE-2014-0459", "CVE-2014-0456", "CVE-2010-4450", "CVE-2012-1726", "CVE-2013-2465", "CVE-2013-1537", "CVE-2014-0429", "CVE-2013-5806", "CVE-2010-3574", "CVE-2011-3544", "CVE-2013-5805", "CVE-2011-3553", "CVE-2013-0444", "CVE-2012-0506", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-5825", "CVE-2012-1717", "CVE-2013-2423", "CVE-2010-3541", "CVE-2013-5823", "CVE-2011-3558", "CVE-2014-2403", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2009-3555", "CVE-2013-2429", "CVE-2013-5849", "CVE-2014-2412", "CVE-2010-2548", "CVE-2012-5086", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-5077", "CVE-2013-1486", "CVE-2013-1476", "CVE-2010-4476", "CVE-2010-4472", "CVE-2013-5780", "CVE-2010-4471", "CVE-2014-2421", "CVE-2012-5069", "CVE-2012-3216", "CVE-2014-0460", "CVE-2011-0870", "CVE-2011-0815", "CVE-2013-0432", "CVE-2012-0505", "CVE-2012-5084", "CVE-2012-1718", "CVE-2010-2783", "CVE-2013-2458", "CVE-2011-3554", "CVE-2013-0424", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2013-5814", "CVE-2010-3561", "CVE-2011-0025", "CVE-2012-0501", "CVE-2010-3564", "CVE-2013-0440", "CVE-2013-2443", "CVE-2010-3549", "CVE-2012-3422", "CVE-2013-2446", "CVE-2011-3556", "CVE-2012-0547", "CVE-2013-5829", "CVE-2010-3554", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2014-2423", "CVE-2010-4470", "CVE-2011-0822", "CVE-2011-3560", "CVE-2013-1493", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2010-4351", "CVE-2011-0864", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2426", "CVE-2013-2455", "CVE-2013-2422", "CVE-2013-2383", "CVE-2013-0425", "CVE-2013-1484", "CVE-2011-3552", "CVE-2013-5774", "CVE-2012-1724", "CVE-2010-3567", "CVE-2010-3573", "CVE-2013-6629", "CVE-2012-5068", "CVE-2013-3829", "CVE-2013-0441", "CVE-2010-3548", "CVE-2011-0706", "CVE-2012-5979", "CVE-2012-0502", "CVE-2013-5783", "CVE-2010-4467", "CVE-2012-3423", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2014-2398", "CVE-2010-3568", "CVE-2014-0451", "CVE-2013-1569", "CVE-2013-2412", "CVE-2014-0452", "CVE-2011-0862", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2014-2414", "CVE-2010-3569", "CVE-2011-0871", "CVE-2013-2449", "CVE-2011-0872", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-06T19:46:20"}], "seebug": [{"id": "SSV:24277", "type": "seebug", "title": "Oracle Java Applet\u526a\u8d34\u677f\u6ce8\u5165\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "description": "CVE ID\uff1aCVE-2010-4465\r\n\r\nOracle Java Runtime Environment\u662f\u4e00\u6b3e\u4e3aJAVA\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u53ef\u9760\u7684\u8fd0\u884c\u73af\u5883\u7684\u89e3\u51b3\u65b9\u6848\u3002\r\n\u7531\u4e8e\u4e0d\u5145\u5206\u9632\u5fa1\u7cfb\u7edf\u526a\u8d34\u677f\u52ab\u6301\u653b\u51fb\u3002\u5f53in focus\u65f6\uff0c\u6076\u610f\u7ec4\u4ef6\u53ef\u65e0\u9700\u7528\u6237\u4ea4\u4e92\u83b7\u53d6\u7cfb\u7edf\u526a\u8d34\u677f\u7684\u53e5\u67c4\u3002\u7136\u540e\u53ef\u4ece\u526a\u8d34\u677f\u4e2d\u8bfb\u53d6\u6570\u636e\u6216\u5199\u5165\u3002\u901a\u8fc7\u628aTransferableProxy\u5bf9\u8c61\u5199\u5165\u5230\u7cfb\u7edf\u526a\u8d34\u677f\uff0c\u5e76\u5f3a\u5236\u7c98\u8d34\u64cd\u4f5c\uff0c\u53ef\u8c03\u7528JRE\u7528\u6237\u4e0a\u4e0b\u6587\u6267\u884c\u4efb\u610f\u4ee3\u7801\n\nOracle Java Runtime\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html", "published": "2011-12-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-24277", "cvelist": ["CVE-2010-4465"], "lastseen": "2017-11-19T17:56:50"}], "zdi": [{"id": "ZDI-11-083", "type": "zdi", "title": "Oracle Java Applet Clipboard Injection Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.\n\nThe specific flaw is due to insufficient defenses against system clipboard hijacking. When in focus, a handle to the system clipboard can be retrieved without user interaction by a malicious component. The clipboard can then be arbitrarily read from or written to. By writing a TransferableProxy object to the system clipboard and then forcing a paste action, arbitrary code can be executed under the context of the user invoking the JRE.", "published": "2011-02-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-11-083", "cvelist": ["CVE-2010-4465"], "lastseen": "2016-11-09T00:17:58"}]}}