Lucene search
This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.VIRTUOZZO_VZLSA-2018-2943.NASLHistoryNov 21, 2018 - 12:00 a.m.
Virtuozzo 6 : java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc (VZLSA-2018-2943)
2018-11-2100:00:00
This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12
An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.
Security Fix(es) :
-
OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169)
-
OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183)
-
OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149)
-
OpenJDK: Incorrect handling of unsigned attributes in singed Jar manifests (Security, 8194534) (CVE-2018-3136)
-
OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139)
-
OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180)
-
OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(119089);
script_version("1.105");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/04/08");
script_cve_id(
"CVE-2018-3136",
"CVE-2018-3139",
"CVE-2018-3149",
"CVE-2018-3169",
"CVE-2018-3180",
"CVE-2018-3183",
"CVE-2018-3214"
);
script_name(english:"Virtuozzo 6 : java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc (VZLSA-2018-2943)");
script_summary(english:"Checks the rpm output for the updated package.");
script_set_attribute(attribute:"synopsis", value:
"The remote Virtuozzo host is missing a security update.");
script_set_attribute(attribute:"description", value:
"An update for java-1.8.0-openjdk is now available for Red Hat
Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Security Fix(es) :
* OpenJDK: Improper field access checks (Hotspot, 8199226)
(CVE-2018-3169)
* OpenJDK: Unrestricted access to scripting engine (Scripting,
8202936) (CVE-2018-3183)
* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction
(JNDI, 8199177) (CVE-2018-3149)
* OpenJDK: Incorrect handling of unsigned attributes in singed Jar
manifests (Security, 8194534) (CVE-2018-3136)
* OpenJDK: Leak of sensitive header data via HTTP redirect
(Networking, 8196902) (CVE-2018-3139)
* OpenJDK: Missing endpoint identification algorithm check during TLS
session resumption (JSSE, 8202613) (CVE-2018-3180)
* OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)
(CVE-2018-3214)
For more details about the security issue(s), including the impact, a
CVSS score, and other related information, refer to the CVE page(s)
listed in the References section.
Note that Tenable Network Security has attempted to extract the
preceding description block directly from the corresponding Red Hat
security advisory. Virtuozzo provides no description for VZLSA
advisories. Tenable has attempted to automatically clean and format
it as much as possible without introducing additional issues.");
# http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2018-2943.json
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e0351eea");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:2943");
script_set_attribute(attribute:"solution", value:
"Update the affected java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3183");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"patch_publication_date", value:"2018/10/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/21");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-demo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-demo-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-devel-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-headless");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-headless-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-javadoc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-javadoc-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-src");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-src-debug");
script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:6");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Virtuozzo Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Virtuozzo/release");
if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 6.x", "Virtuozzo " + os_ver);
if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);
flag = 0;
pkgs = ["java-1.8.0-openjdk-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-debug-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-demo-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-devel-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-headless-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-javadoc-debug-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-src-1.8.0.191.b12-0.vl6",
"java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.vl6"];
foreach (pkg in pkgs)
if (rpm_check(release:"Virtuozzo-6", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| virtuozzo | virtuozzo | java-1.8.0-openjdk | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-debug | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-debug |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-demo | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-demo |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-demo-debug | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-demo-debug |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-devel | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-devel |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-devel-debug | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-devel-debug |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-headless | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-headless |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-headless-debug | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-headless-debug |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-javadoc | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-javadoc |
| virtuozzo | virtuozzo | java-1.8.0-openjdk-javadoc-debug | p-cpe:/a:virtuozzo:virtuozzo:java-1.8.0-openjdk-javadoc-debug |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3139
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3183
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3214
www.nessus.org/u?e0351eea
access.redhat.com/errata/RHSA-2018:2943
Related
oraclelinux
oraclelinux
java-1.8.0-openjdk security update
2018-10-17 00:00:00
java-1.8.0-openjdk security update
2018-10-17 00:00:00
java-1.7.0-openjdk security update
2018-10-30 00:00:00
nessus
nessus
Virtuozzo 7 : java-1.8.0-openjdk / etc (VZLSA-2018-2942)
2018-11-21 00:00:00
Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2018-1097)
2018-10-26 00:00:00
openvas
openvas
Debian Security Advisory DSA 4326-1 (openjdk-8 - security update)
2018-10-25 00:00:00
CentOS Update for java CESA-2018:2942 centos7
2018-10-23 00:00:00
redhat
redhat
(RHSA-2018:2943) Critical: java-1.8.0-openjdk security update
2018-10-17 19:48:47
(RHSA-2018:2942) Critical: java-1.8.0-openjdk security update
2018-10-17 19:48:34
(RHSA-2018:3409) Important: java-1.7.0-openjdk security update
2018-10-30 14:57:03
amazon
amazon
Critical: java-1.8.0-openjdk
2018-11-05 19:33:00
Critical: java-1.8.0-openjdk
2018-10-25 16:14:00
Critical: java-1.7.0-openjdk
2018-12-06 20:23:00
debian
debian
[SECURITY] [DSA 4326-1] openjdk-8
2018-10-25 21:22:38
[SECURITY] [DLA 1590-1] openjdk-7 security update
2018-11-22 22:14:25
centos
centos
java security update
2018-10-22 14:45:40
java security update
2018-10-22 16:25:25
java security update
2018-11-20 23:42:18
osv
osv
openjdk-8 - security update
2018-10-25 00:00:00
openjdk-7 - security update
2018-11-22 00:00:00
mageia
mageia
Updated java-1.8.0-openjdk packages fix security vulnerabilities
2018-11-03 14:55:18
ibm
ibm
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2018-12-14 12:06:34
ubuntu
ubuntu
OpenJDK vulnerabilities
2018-10-30 00:00:00
OpenJDK 7 vulnerabilities
2018-11-16 00:00:00
suse
suse
Security update for java-1_8_0-openjdk (important)
2019-01-12 00:00:00
Security update for java-11-openjdk (moderate)
2018-10-19 00:10:37
cloudfoundry
cloudfoundry
Cloud Foundry products uses vulnerable versions of Java | Cloud Foundry
2019-02-06 00:00:00
photon
photon
Home
Download Photon OS
User Documentation
FAQ
Security Advisories
Related Information
Lightwave - PHSA-2018-1.0-0192
2018-10-25 00:00:00
Home
Download Photon OS
User Documentation
FAQ
Security Advisories
Related Information
Lightwave - PHSA-2018-2.0-0106
2018-11-02 00:00:00
Critical Photon OS Security Update - PHSA-2018-0192
2018-10-25 00:00:00
kaspersky
kaspersky
KLA11340 Multiple vulnerabilities in Oracle Java SE
2018-10-16 00:00:00
Related for VIRTUOZZO_VZLSA-2018-2943.NASL