ID OPENVAS:1361412562310122071 Type openvas Reporter Eero Volotinen Modified 2017-07-06T00:00:00
Description
Oracle Linux Local Security Checks ELSA-2011-1380
# OpenVAS Vulnerability Test
# Description: Oracle Linux Local Check
# $Id: ELSA-2011-1380.nasl 6556 2017-07-06 11:54:54Z cfischer $
# Authors:
# Eero Volotinen <eero.volotinen@solinor.com>
#
# Copyright:
# Copyright (c) 2015 Eero Volotinen, http://solinor.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.122071");
script_version("$Revision: 6556 $");
script_tag(name:"creation_date", value:"2015-10-06 14:12:34 +0300 (Tue, 06 Oct 2015)");
script_tag(name:"last_modification", value:"$Date: 2017-07-06 13:54:54 +0200 (Thu, 06 Jul 2017) $");
script_name("Oracle Linux Local Check: ELSA-2011-1380");
script_tag(name: "insight", value: "ELSA-2011-1380 - java-1.6.0-openjdk security update - [1:1.6.0.0-1.40.1.9.10]- Resolves: rhbz#744788- Bumped to IcedTea6 1.9.8-removed font copying Security fixes - S7000600, CVE-2011-3547: InputStream skip() information leak - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine - S7055902, CVE-2011-3521: IIOP deserialization code execution - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks - S7064341, CVE-2011-3389: JSSE - S7070134, CVE-2011-3558: Hotspot unspecified issue - S7077466, CVE-2011-3556: RMI DGC server remote code execution - S7083012, CVE-2011-3557: RMI registry privileged code execution - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection NetX - PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest");
script_tag(name : "solution", value : "update software");
script_tag(name : "solution_type", value : "VendorFix");
script_tag(name : "summary", value : "Oracle Linux Local Security Checks ELSA-2011-1380");
script_xref(name : "URL" , value : "http://linux.oracle.com/errata/ELSA-2011-1380.html");
script_cve_id("CVE-2011-3389","CVE-2011-3521","CVE-2011-3544","CVE-2011-3547","CVE-2011-3548","CVE-2011-3551","CVE-2011-3552","CVE-2011-3553","CVE-2011-3554","CVE-2011-3556","CVE-2011-3557","CVE-2011-3558","CVE-2011-3560");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"qod_type", value:"package");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/oracle_linux", "ssh/login/release");
script_category(ACT_GATHER_INFO);
script_copyright("Eero Volotinen");
script_family("Oracle Linux Local Security Checks");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
release = get_kb_item("ssh/login/release");
res = "";
if(release == NULL)
{
exit(0);
}
if(release == "OracleLinux5")
{
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk", rpm:"java-1.6.0-openjdk~1.6.0.0~1.23.1.9.10.0.1.el5_7", rls:"OracleLinux5")) != NULL) {
security_message(data:res);
exit(0);
}
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk-demo", rpm:"java-1.6.0-openjdk-demo~1.6.0.0~1.23.1.9.10.0.1.el5_7", rls:"OracleLinux5")) != NULL) {
security_message(data:res);
exit(0);
}
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk-devel", rpm:"java-1.6.0-openjdk-devel~1.6.0.0~1.23.1.9.10.0.1.el5_7", rls:"OracleLinux5")) != NULL) {
security_message(data:res);
exit(0);
}
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk-javadoc", rpm:"java-1.6.0-openjdk-javadoc~1.6.0.0~1.23.1.9.10.0.1.el5_7", rls:"OracleLinux5")) != NULL) {
security_message(data:res);
exit(0);
}
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk-src", rpm:"java-1.6.0-openjdk-src~1.6.0.0~1.23.1.9.10.0.1.el5_7", rls:"OracleLinux5")) != NULL) {
security_message(data:res);
exit(0);
}
}
if(release == "OracleLinux6")
{
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk", rpm:"java-1.6.0-openjdk~1.6.0.0~1.40.1.9.10.el6_1", rls:"OracleLinux6")) != NULL) {
security_message(data:res);
exit(0);
}
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk-demo", rpm:"java-1.6.0-openjdk-demo~1.6.0.0~1.40.1.9.10.el6_1", rls:"OracleLinux6")) != NULL) {
security_message(data:res);
exit(0);
}
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk-devel", rpm:"java-1.6.0-openjdk-devel~1.6.0.0~1.40.1.9.10.el6_1", rls:"OracleLinux6")) != NULL) {
security_message(data:res);
exit(0);
}
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk-javadoc", rpm:"java-1.6.0-openjdk-javadoc~1.6.0.0~1.40.1.9.10.el6_1", rls:"OracleLinux6")) != NULL) {
security_message(data:res);
exit(0);
}
if ((res = isrpmvuln(pkg:"java-1.6.0-openjdk-src", rpm:"java-1.6.0-openjdk-src~1.6.0.0~1.40.1.9.10.el6_1", rls:"OracleLinux6")) != NULL) {
security_message(data:res);
exit(0);
}
}
if (__pkg_match) exit(99); #Not vulnerable
exit(0);
{"id": "OPENVAS:1361412562310122071", "bulletinFamily": "scanner", "title": "Oracle Linux Local Check: ELSA-2011-1380", "description": "Oracle Linux Local Security Checks ELSA-2011-1380", "published": "2015-10-06T00:00:00", "modified": "2017-07-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122071", "reporter": "Eero Volotinen", "references": ["http://linux.oracle.com/errata/ELSA-2011-1380.html"], "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "type": "openvas", "lastseen": "2017-07-24T12:52:23", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Oracle Linux Local Security Checks ELSA-2011-1380", "edition": 2, "enchantments": {}, "hash": "6189b58f7c97ed5ae14bcd312af2e6873730a6bae64d2937e11f1a9ac6534f8a", "hashmap": [{"hash": "08b23d2d7acff95e6d367430d3593874", "key": "href"}, {"hash": "9564b1250a06eb1a494ab04295d2334a", "key": "modified"}, {"hash": "705c9c6e3a07fe0b437680078dc3c313", "key": "references"}, {"hash": "8dd9465c1f750ba48cd8167f93b302ce", "key": "pluginID"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "64f508884fcbd4fda1d8563719289c2c", "key": "cvelist"}, {"hash": "e31ed89ab0cbb68ce2c40f17ec1e5483", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "7ed6b2320916c7b97f13bf098c5ce691", "key": "title"}, {"hash": "6c7273b876815990be7a11dedfe50bea", "key": "sourceData"}, {"hash": "30c4194c368eb509b76e4c51d5fe867a", "key": "description"}, {"hash": "2996f7d445a5f86070564ef8302482c9", "key": "published"}, {"hash": "bb3dbc0ecae053747a8a163af717a25f", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122071", "id": "OPENVAS:1361412562310122071", "lastseen": "2017-07-17T10:51:48", "modified": "2017-06-30T00:00:00", "naslFamily": "Oracle Linux Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310122071", "published": "2015-10-06T00:00:00", "references": ["http://linux.oracle.com/errata/ELSA-2011-1380.html"], "reporter": "Eero Volotinen", "sourceData": "# OpenVAS Vulnerability Test \n# Description: Oracle Linux Local Check \n# $Id: ELSA-2011-1380.nasl 6497 2017-06-30 09:58:54Z teissa $\n \n# Authors: \n# Eero Volotinen <eero.volotinen@solinor.com> \n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.122071\");\nscript_version(\"$Revision: 6497 $\");\nscript_tag(name:\"creation_date\", value:\"2015-10-06 14:12:34 +0300 (Tue, 06 Oct 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2017-06-30 11:58:54 +0200 (Fri, 30 Jun 2017) $\");\nscript_name(\"Oracle Linux Local Check: ELSA-2011-1380\");\nscript_tag(name: \"insight\", value: \"ELSA-2011-1380 - java-1.6.0-openjdk security update - [1:1.6.0.0-1.40.1.9.10]- Resolves: rhbz#744788- Bumped to IcedTea6 1.9.8-removed font copying Security fixes - S7000600, CVE-2011-3547: InputStream skip() information leak - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine - S7055902, CVE-2011-3521: IIOP deserialization code execution - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks - S7064341, CVE-2011-3389: JSSE - S7070134, CVE-2011-3558: Hotspot unspecified issue - S7077466, CVE-2011-3556: RMI DGC server remote code execution - S7083012, CVE-2011-3557: RMI registry privileged code execution - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection NetX - PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_tag(name : \"summary\", value : \"Oracle Linux Local Security Checks ELSA-2011-1380\");\nscript_xref(name : \"URL\" , value : \"http://linux.oracle.com/errata/ELSA-2011-1380.html\");\nscript_cve_id(\"CVE-2011-3389\",\"CVE-2011-3521\",\"CVE-2011-3544\",\"CVE-2011-3547\",\"CVE-2011-3548\",\"CVE-2011-3551\",\"CVE-2011-3552\",\"CVE-2011-3553\",\"CVE-2011-3554\",\"CVE-2011-3556\",\"CVE-2011-3557\",\"CVE-2011-3558\",\"CVE-2011-3560\");\nscript_tag(name:\"cvss_base\", value:\"10.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"login/SSH/success\", \"ssh/login/release\");\nscript_category(ACT_GATHER_INFO);\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Oracle Linux Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\nrelease = get_kb_item(\"ssh/login/release\");\nres = \"\";\nif(release == NULL)\n{\n exit(0);\n}\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif (__pkg_match) exit(99); #Not vulnerable\n exit(0);\n\n", "title": "Oracle Linux Local Check: ELSA-2011-1380", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-07-17T10:51:48"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Oracle Linux Local Security Checks ELSA-2011-1380", "edition": 1, "enchantments": {}, "hash": "8ddea61a0e8f4a060a71e3ca5b0e1c0baaf1dad264e2e10ef2a622d169e0a3e8", "hashmap": [{"hash": "08b23d2d7acff95e6d367430d3593874", "key": "href"}, {"hash": "705c9c6e3a07fe0b437680078dc3c313", "key": "references"}, {"hash": "8dd9465c1f750ba48cd8167f93b302ce", "key": "pluginID"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "451ccf9b33cae434b1236ed7a06114ec", "key": "modified"}, {"hash": "64f508884fcbd4fda1d8563719289c2c", "key": "cvelist"}, {"hash": "e31ed89ab0cbb68ce2c40f17ec1e5483", "key": "naslFamily"}, {"hash": "989e508539f226fe37552b777ffa8eff", "key": "sourceData"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "7ed6b2320916c7b97f13bf098c5ce691", "key": "title"}, {"hash": "30c4194c368eb509b76e4c51d5fe867a", "key": "description"}, {"hash": "2996f7d445a5f86070564ef8302482c9", "key": "published"}, {"hash": "bb3dbc0ecae053747a8a163af717a25f", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122071", "id": "OPENVAS:1361412562310122071", "lastseen": "2017-07-02T21:11:31", "modified": "2016-11-15T00:00:00", "naslFamily": "Oracle Linux Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310122071", "published": "2015-10-06T00:00:00", "references": ["http://linux.oracle.com/errata/ELSA-2011-1380.html"], "reporter": "Eero Volotinen", "sourceData": "# OpenVAS Vulnerability Test \n# Description: Oracle Linux Local Check \n# $Id: ELSA-2011-1380.nasl 4513 2016-11-15 09:37:48Z cfi $\n \n# Authors: \n# Eero Volotinen <eero.volotinen@solinor.com> \n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.122071\");\nscript_version(\"$Revision: 4513 $\");\nscript_tag(name:\"creation_date\", value:\"2015-10-06 14:12:34 +0300 (Tue, 06 Oct 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2016-11-15 10:37:48 +0100 (Tue, 15 Nov 2016) $\");\nscript_name(\"Oracle Linux Local Check: ELSA-2011-1380\");\nscript_tag(name: \"insight\", value: \"ELSA-2011-1380 - java-1.6.0-openjdk security update - [1:1.6.0.0-1.40.1.9.10]- Resolves: rhbz#744788- Bumped to IcedTea6 1.9.8-removed font copying Security fixes - S7000600, CVE-2011-3547: InputStream skip() information leak - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine - S7055902, CVE-2011-3521: IIOP deserialization code execution - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks - S7064341, CVE-2011-3389: JSSE - S7070134, CVE-2011-3558: Hotspot unspecified issue - S7077466, CVE-2011-3556: RMI DGC server remote code execution - S7083012, CVE-2011-3557: RMI registry privileged code execution - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection NetX - PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_tag(name : \"summary\", value : \"Oracle Linux Local Security Checks ELSA-2011-1380\");\nscript_xref(name : \"URL\" , value : \"http://linux.oracle.com/errata/ELSA-2011-1380.html\");\nscript_cve_id(\"CVE-2011-3389\",\"CVE-2011-3521\",\"CVE-2011-3544\",\"CVE-2011-3547\",\"CVE-2011-3548\",\"CVE-2011-3551\",\"CVE-2011-3552\",\"CVE-2011-3553\",\"CVE-2011-3554\",\"CVE-2011-3556\",\"CVE-2011-3557\",\"CVE-2011-3558\",\"CVE-2011-3560\");\nscript_tag(name:\"cvss_base\", value:\"10.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"login/SSH/success\", \"ssh/login/release\");\nscript_category(ACT_GATHER_INFO);\nscript_summary(\"Oracle Linux Local Security Checks ELSA-2011-1380\");\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Oracle Linux Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\nrelease = get_kb_item(\"ssh/login/release\");\nres = \"\";\nif(release == NULL)\n{\n exit(0);\n}\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif (__pkg_match) exit(99); #Not vulnerable\n exit(0);\n\n", "title": "Oracle Linux Local Check: ELSA-2011-1380", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:11:31"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "64f508884fcbd4fda1d8563719289c2c"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "30c4194c368eb509b76e4c51d5fe867a"}, {"key": "href", "hash": "08b23d2d7acff95e6d367430d3593874"}, {"key": "modified", "hash": "774d0176dfa389c0c71e9e200f95a6ba"}, {"key": "naslFamily", "hash": "e31ed89ab0cbb68ce2c40f17ec1e5483"}, {"key": "pluginID", "hash": "8dd9465c1f750ba48cd8167f93b302ce"}, {"key": "published", "hash": "2996f7d445a5f86070564ef8302482c9"}, {"key": "references", "hash": "705c9c6e3a07fe0b437680078dc3c313"}, {"key": "reporter", "hash": "bb3dbc0ecae053747a8a163af717a25f"}, {"key": "sourceData", "hash": "43e62d614cb735876955c04cd73f397d"}, {"key": "title", "hash": "7ed6b2320916c7b97f13bf098c5ce691"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "6f2a88265f0e314e0220714fe2931b78771048b88265479ca38fd1d76cc107d0", "viewCount": 0, "enchantments": {"vulnersScore": 7.2}, "objectVersion": "1.3", "sourceData": "# OpenVAS Vulnerability Test \n# Description: Oracle Linux Local Check \n# $Id: ELSA-2011-1380.nasl 6556 2017-07-06 11:54:54Z cfischer $\n \n# Authors: \n# Eero Volotinen <eero.volotinen@solinor.com> \n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.122071\");\nscript_version(\"$Revision: 6556 $\");\nscript_tag(name:\"creation_date\", value:\"2015-10-06 14:12:34 +0300 (Tue, 06 Oct 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 13:54:54 +0200 (Thu, 06 Jul 2017) $\");\nscript_name(\"Oracle Linux Local Check: ELSA-2011-1380\");\nscript_tag(name: \"insight\", value: \"ELSA-2011-1380 - java-1.6.0-openjdk security update - [1:1.6.0.0-1.40.1.9.10]- Resolves: rhbz#744788- Bumped to IcedTea6 1.9.8-removed font copying Security fixes - S7000600, CVE-2011-3547: InputStream skip() information leak - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine - S7055902, CVE-2011-3521: IIOP deserialization code execution - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks - S7064341, CVE-2011-3389: JSSE - S7070134, CVE-2011-3558: Hotspot unspecified issue - S7077466, CVE-2011-3556: RMI DGC server remote code execution - S7083012, CVE-2011-3557: RMI registry privileged code execution - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection NetX - PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_tag(name : \"summary\", value : \"Oracle Linux Local Security Checks ELSA-2011-1380\");\nscript_xref(name : \"URL\" , value : \"http://linux.oracle.com/errata/ELSA-2011-1380.html\");\nscript_cve_id(\"CVE-2011-3389\",\"CVE-2011-3521\",\"CVE-2011-3544\",\"CVE-2011-3547\",\"CVE-2011-3548\",\"CVE-2011-3551\",\"CVE-2011-3552\",\"CVE-2011-3553\",\"CVE-2011-3554\",\"CVE-2011-3556\",\"CVE-2011-3557\",\"CVE-2011-3558\",\"CVE-2011-3560\");\nscript_tag(name:\"cvss_base\", value:\"10.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\");\nscript_category(ACT_GATHER_INFO);\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Oracle Linux Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\nrelease = get_kb_item(\"ssh/login/release\");\nres = \"\";\nif(release == NULL)\n{\n exit(0);\n}\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.23.1.9.10.0.1.el5_7\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.40.1.9.10.el6_1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0); \n }\n\n}\nif (__pkg_match) exit(99); #Not vulnerable\n exit(0);\n\n", "naslFamily": "Oracle Linux Local Security Checks", "pluginID": "1361412562310122071"}
{"result": {"cve": [{"id": "CVE-2011-3557", "type": "cve", "title": "CVE-2011-3557", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3556.", "published": "2011-10-19T17:55:01", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3557", "cvelist": ["CVE-2011-3557"], "lastseen": "2018-01-06T12:20:51"}, {"id": "CVE-2011-3551", "type": "cve", "title": "CVE-2011-3551", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.", "published": "2011-10-19T17:55:01", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3551", "cvelist": ["CVE-2011-3551"], "lastseen": "2018-01-06T12:20:51"}, {"id": "CVE-2011-3548", "type": "cve", "title": "CVE-2011-3548", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.", "published": "2011-10-19T17:55:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3548", "cvelist": ["CVE-2011-3548"], "lastseen": "2018-01-06T12:20:51"}, {"id": "CVE-2011-3547", "type": "cve", "title": "CVE-2011-3547", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.", "published": "2011-10-19T17:55:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3547", "cvelist": ["CVE-2011-3547"], "lastseen": "2018-01-06T12:20:51"}, {"id": "CVE-2011-3521", "type": "cve", "title": "CVE-2011-3521", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.", "published": "2011-10-19T17:55:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3521", "cvelist": ["CVE-2011-3521"], "lastseen": "2018-01-06T12:20:51"}, {"id": "CVE-2011-3389", "type": "cve", "title": "CVE-2011-3389", "description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "published": "2011-09-06T15:55:03", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389", "cvelist": ["CVE-2011-3389"], "lastseen": "2018-03-28T15:08:11"}, {"id": "CVE-2011-3544", "type": "cve", "title": "CVE-2011-3544", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.", "published": "2011-10-19T17:55:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544", "cvelist": ["CVE-2011-3544"], "lastseen": "2018-01-06T12:20:51"}, {"id": "CVE-2011-3553", "type": "cve", "title": "CVE-2011-3553", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS.", "published": "2011-10-19T17:55:01", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3553", "cvelist": ["CVE-2011-3553"], "lastseen": "2018-01-06T12:20:51"}, {"id": "CVE-2011-3558", "type": "cve", "title": "CVE-2011-3558", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.", "published": "2011-10-19T17:55:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3558", "cvelist": ["CVE-2011-3558"], "lastseen": "2018-01-06T12:20:51"}, {"id": "CVE-2011-3554", "type": "cve", "title": "CVE-2011-3554", "description": "Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.", "published": "2011-10-19T17:55:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3554", "cvelist": ["CVE-2011-3554"], "lastseen": "2018-01-06T12:20:51"}], "openvas": [{"id": "OPENVAS:1361412562310802273", "type": "openvas", "title": "Oracle Java SE Multiple Vulnerabilities - October 2011 (Windows01)", "description": "This host is installed with Oracle Java SE and is prone to multiple\n vulnerabilities.", "published": "2011-11-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802273", "cvelist": ["CVE-2011-3557", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2018-04-06T11:35:02"}, {"id": "OPENVAS:802273", "type": "openvas", "title": "Oracle Java SE Multiple Vulnerabilities - October 2011 (Windows01)", "description": "This host is installed with Oracle Java SE and is prone to multiple\n vulnerabilities.", "published": "2011-11-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=802273", "cvelist": ["CVE-2011-3557", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-11-13T12:58:20"}, {"id": "OPENVAS:1361412562310120500", "type": "openvas", "title": "Amazon Linux Local Check: alas-2011-10", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120500", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-07-24T12:55:28"}, {"id": "OPENVAS:1361412562310881447", "type": "openvas", "title": "CentOS Update for java CESA-2011:1380 centos5 x86_64", "description": "Check for the Version of java", "published": "2012-07-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881447", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2018-04-06T11:16:58"}, {"id": "OPENVAS:1361412562310881023", "type": "openvas", "title": "CentOS Update for java CESA-2011:1380 centos5 i386", "description": "Check for the Version of java", "published": "2011-10-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881023", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2018-04-09T11:38:16"}, {"id": "OPENVAS:870501", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2011:1380-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-10-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870501", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-07-27T10:55:24"}, {"id": "OPENVAS:70570", "type": "openvas", "title": "Debian Security Advisory DSA 2356-1 (openjdk-6)", "description": "The remote host is missing an update to openjdk-6\nannounced via advisory DSA 2356-1.", "published": "2012-02-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=70570", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-07-24T12:51:15"}, {"id": "OPENVAS:881447", "type": "openvas", "title": "CentOS Update for java CESA-2011:1380 centos5 x86_64", "description": "Check for the Version of java", "published": "2012-07-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881447", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2018-01-02T10:56:39"}, {"id": "OPENVAS:863904", "type": "openvas", "title": "Fedora Update for java-1.6.0-openjdk FEDORA-2011-15020", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2012-04-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=863904", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2018-01-03T10:57:40"}, {"id": "OPENVAS:881023", "type": "openvas", "title": "CentOS Update for java CESA-2011:1380 centos5 i386", "description": "Check for the Version of java", "published": "2011-10-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881023", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-07-25T10:55:56"}], "suse": [{"id": "SUSE-SU-2012:0122-1", "type": "suse", "title": "Security update for IBM Java 1.4.2 (important)", "description": "IBM Java 1.4.2 SR13 FP11 has been released and contains\n various security fixes.\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <a rel=\"nofollow\" href=\"http://www.mozilla.org/en-US/firefox/10.0/releasenotes/\">http://www.mozilla.org/en-US/firefox/10.0/releasenotes/</a>\n <<a rel=\"nofollow\" href=\"http://www.mozilla.org/en-US/firefox/10.0/releasenotes/\">http://www.mozilla.org/en-US/firefox/10.0/releasenotes/</a>>\n\n (CVEs fixed: CVE-2011-3547 CVE-2011-3548 CVE-2011-3549\n CVE-2011-3552 CVE-2011-3545 CVE-2011-3556 CVE-2011-3557\n CVE-2011-3389 CVE-2011-3560 )\n\n Security Issues:\n\n * CVE-2011-3389\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389</a>\n >\n * CVE-2011-3545\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545</a>\n >\n * CVE-2011-3547\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547</a>\n >\n * CVE-2011-3548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548</a>\n >\n * CVE-2011-3549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549</a>\n >\n * CVE-2011-3552\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552</a>\n >\n * CVE-2011-3556\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556</a>\n >\n * CVE-2011-3557\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557</a>\n >\n * CVE-2011-3560\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560</a>\n >\n\n\n", "published": "2012-01-26T04:08:11", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3549", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3389", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3545", "CVE-2011-3552"], "lastseen": "2016-09-04T12:25:43"}, {"id": "SUSE-SU-2011:1298-1", "type": "suse", "title": "Security update for IBM Java (important)", "description": "IBM Java 5 was updated to SR13, fixing various bugs and\n security issues.\n\n Security issues addressed are tracked by:\n\n CVE-2011-3545, CVE-2011-3547, CVE-2011-3548 CVE-2011-3549,\n CVE-2011-3552, CVE-2011-3554 CVE-2011-3557\n", "published": "2011-12-02T10:08:33", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00003.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3549", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3554", "CVE-2011-3545", "CVE-2011-3552"], "lastseen": "2016-09-04T11:27:55"}, {"id": "SUSE-SU-2012:0122-2", "type": "suse", "title": "Security update for IBM Java 1.4.2 (important)", "description": "IBM Java 1.4.2 SR13 FP11 has been released and contains\n various security fixes.\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n (CVEs fixed: CVE-2011-3547 CVE-2011-3548 CVE-2011-3549\n CVE-2011-3552 CVE-2011-3545 CVE-2011-3556 CVE-2011-3557\n CVE-2011-3389 CVE-2011-3560 )\n\n Security Issues:\n\n * CVE-2011-3389\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389</a>\n >\n * CVE-2011-3545\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545</a>\n >\n * CVE-2011-3547\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547</a>\n >\n * CVE-2011-3548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548</a>\n >\n * CVE-2011-3549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549</a>\n >\n * CVE-2011-3552\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552</a>\n >\n * CVE-2011-3556\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556</a>\n >\n * CVE-2011-3557\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557</a>\n >\n * CVE-2011-3560\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560</a>\n >\n\n", "published": "2012-02-23T22:08:13", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00019.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3549", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3389", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3545", "CVE-2011-3552"], "lastseen": "2016-09-04T12:45:45"}, {"id": "SUSE-SU-2012:0602-1", "type": "suse", "title": "Security update for IBM Java 1.6.0 (important)", "description": "IBM Java 1.5.0 has been updated to SR13-FP1, fixing various\n security issues.\n\n More information can be found on:\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n", "published": "2012-05-09T20:08:14", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3563", "CVE-2012-0507", "CVE-2012-0503", "CVE-2011-3389", "CVE-2012-0498", "CVE-2012-0506", "CVE-2012-0505", "CVE-2012-0499", "CVE-2012-0501", "CVE-2011-3560", "CVE-2012-0502"], "lastseen": "2016-09-04T11:57:19"}, {"id": "SUSE-SU-2012:0114-1", "type": "suse", "title": "Security update for IBM Java (important)", "description": "IBM Java 1.6.0 SR10 has been released fixing the following\n CVE's:\n\n * CVE-2011-3389\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389</a>\n >\n * CVE-2011-3516\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3516</a>\n >\n * CVE-2011-3521\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521</a>\n >\n * CVE-2011-3544\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544</a>\n >\n * CVE-2011-3545\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545</a>\n >\n * CVE-2011-3546\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3546\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3546</a>\n >\n * CVE-2011-3547\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547</a>\n >\n * CVE-2011-3548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548</a>\n >\n * CVE-2011-3549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549</a>\n >\n * CVE-2011-3550\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3550</a>\n >\n * CVE-2011-3551\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551</a>\n >\n * CVE-2011-3552\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552</a>\n >\n * CVE-2011-3553\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553</a>\n >\n * CVE-2011-3554\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554</a>\n >\n * CVE-2011-3556\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556</a>\n >\n * CVE-2011-3557\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557</a>\n >\n * CVE-2011-3560\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560</a>\n >\n * CVE-2011-3561\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3561\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3561</a>\n >\n\n\n", "published": "2012-01-23T17:08:23", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3549", "CVE-2011-3561", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3516", "CVE-2011-3546", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3545", "CVE-2011-3552", "CVE-2011-3550"], "lastseen": "2016-09-04T12:43:05"}, {"id": "SUSE-SU-2012:0114-2", "type": "suse", "title": "Security update for IBM Java 1.6.0 (important)", "description": "IBM Java 1.6.0 SR10 has been released fixing the following\n CVE's/security Issues:\n\n * CVE-2011-3389\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389</a>\n >\n * CVE-2011-3516\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3516</a>\n >\n * CVE-2011-3521\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521</a>\n >\n * CVE-2011-3544\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544</a>\n >\n * CVE-2011-3545\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3545</a>\n >\n * CVE-2011-3546\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3546\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3546</a>\n >\n * CVE-2011-3547\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547</a>\n >\n * CVE-2011-3548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548</a>\n >\n * CVE-2011-3549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3549</a>\n >\n * CVE-2011-3550\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3550</a>\n >\n * CVE-2011-3551\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551</a>\n >\n * CVE-2011-3552\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552</a>\n >\n * CVE-2011-3553\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553</a>\n >\n * CVE-2011-3554\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554</a>\n >\n * CVE-2011-3556\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556</a>\n >\n * CVE-2011-3557\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557</a>\n >\n * CVE-2011-3560\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560</a>\n >\n * CVE-2011-3561\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3561\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3561</a>\n >\n\n", "published": "2012-03-06T21:08:29", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00001.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3549", "CVE-2011-3561", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3516", "CVE-2011-3546", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3545", "CVE-2011-3552", "CVE-2011-3550"], "lastseen": "2016-09-04T12:23:19"}], "nessus": [{"id": "SUSE_JAVA-1_5_0-IBM-7862.NASL", "type": "nessus", "title": "SuSE 10 Security Update : IBM Java (ZYPP Patch Number 7862)", "description": "IBM Java 5 was updated to SR13, fixing various bugs and security issues.\n\nSecurity issues addressed are tracked by :\n\nCVE-2011-3545 / CVE-2011-3547 / CVE-2011-3548 / CVE-2011-3549 / CVE-2011-3552 / CVE-2011-3554 / CVE-2011-3557", "published": "2011-12-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=57208", "cvelist": ["CVE-2011-3557", "CVE-2011-3549", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3554", "CVE-2011-3545", "CVE-2011-3552"], "lastseen": "2017-10-29T13:45:59"}, {"id": "SUSE_11_JAVA-1_4_2-IBM-120105.NASL", "type": "nessus", "title": "SuSE 11.1 Security Update : IBM Java 1.4.2 (SAT Patch Number 5609)", "description": "IBM Java 1.4.2 SR13 FP11 has been released and contains various security fixes.\n\nhttp://www.ibm.com/developerworks/java/jdk/alerts/ http://www.ibm.com/developerworks/java/jdk/alerts/\n\n(CVEs fixed: CVE-2011-3547 / CVE-2011-3548 / CVE-2011-3549 / CVE-2011-3552 / CVE-2011-3545 / CVE-2011-3556 / CVE-2011-3557 / CVE-2011-3389 / CVE-2011-3560)", "published": "2012-02-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=58113", "cvelist": ["CVE-2011-3557", "CVE-2011-3549", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3389", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3545", "CVE-2011-3552"], "lastseen": "2017-10-29T13:39:01"}, {"id": "REDHAT-RHSA-2012-0006.NASL", "type": "nessus", "title": "RHEL 4 / 5 : java-1.4.2-ibm (RHSA-2012:0006) (BEAST)", "description": "Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe IBM Java SE version 1.4.2 release includes the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit.\nDetailed vulnerability descriptions are linked from the IBM 'Security alerts' page, listed in the References section. (CVE-2011-3389, CVE-2011-3545, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560)\n\nAll users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM Java 1.4.2 SR13-FP11 release. All running instances of IBM Java must be restarted for this update to take effect.", "published": "2012-01-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=57464", "cvelist": ["CVE-2011-3557", "CVE-2011-3549", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3389", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3545", "CVE-2011-3552"], "lastseen": "2017-10-29T13:33:59"}, {"id": "SUSE_JAVA-1_4_2-IBM-7908.NASL", "type": "nessus", "title": "SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 7908)", "description": "IBM Java 1.4.2 SR13 FP11 has been released and contains various security fixes.\n\nhttp://www.ibm.com/developerworks/java/jdk/alerts/ http://www.mozilla.org/en-US/firefox/10.0/releasenotes/\n\n(CVEs fixed: CVE-2011-3547 / CVE-2011-3548 / CVE-2011-3549 / CVE-2011-3552 / CVE-2011-3545 / CVE-2011-3556 / CVE-2011-3557 / CVE-2011-3389 / CVE-2011-3560 )", "published": "2012-01-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=57683", "cvelist": ["CVE-2011-3557", "CVE-2011-3549", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3389", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3545", "CVE-2011-3552"], "lastseen": "2017-10-29T13:37:23"}, {"id": "ORACLELINUX_ELSA-2011-1380.NASL", "type": "nessus", "title": "Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2011-1380) (BEAST)", "description": "From Red Hat Security Advisory 2011:1380 :\n\nUpdated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry. (CVE-2011-3556)\n\nA flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges. (CVE-2011-3557)\n\nA flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially crafted input. (CVE-2011-3521)\n\nIt was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3544)\n\nA flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3548)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.\n(CVE-2011-3551)\n\nAn insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges. (CVE-2011-3554)\n\nIt was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy. (CVE-2011-3560)\n\nA flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection. (CVE-2011-3389)\n\nNote: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag '-Djsse.enableCBCProtection=false' to the java command.\n\nAn information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads.\n(CVE-2011-3547)\n\nA flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash. (CVE-2011-3558)\n\nThe Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information. (CVE-2011-3553)\n\nIt was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system.\n(CVE-2011-3552)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.9.10.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68373", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-10-29T13:36:16"}, {"id": "REDHAT-RHSA-2011-1380.NASL", "type": "nessus", "title": "RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2011:1380) (BEAST)", "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry. (CVE-2011-3556)\n\nA flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges. (CVE-2011-3557)\n\nA flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially crafted input. (CVE-2011-3521)\n\nIt was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3544)\n\nA flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3548)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.\n(CVE-2011-3551)\n\nAn insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges. (CVE-2011-3554)\n\nIt was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy. (CVE-2011-3560)\n\nA flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection. (CVE-2011-3389)\n\nNote: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag '-Djsse.enableCBCProtection=false' to the java command.\n\nAn information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads.\n(CVE-2011-3547)\n\nA flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash. (CVE-2011-3558)\n\nThe Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information. (CVE-2011-3553)\n\nIt was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system.\n(CVE-2011-3552)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.9.10.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2011-10-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56553", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-10-29T13:36:50"}, {"id": "DEBIAN_DSA-2356.NASL", "type": "nessus", "title": "Debian DSA-2356-1 : openjdk-6 - several vulnerabilities (BEAST)", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform :\n\n - CVE-2011-3389 The TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode.\n\n - CVE-2011-3521 The CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code (such as applets) to elevate its privileges.\n\n - CVE-2011-3544 The Java scripting engine lacks necessary security manager checks, allowing untrusted Java code (such as applets) to elevate its privileges.\n\n - CVE-2011-3547 The skip() method in java.io.InputStream uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code.\n\n - CVE-2011-3548 The java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code (such as applets) to elevate its privileges.\n\n - CVE-2011-3551 The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges.\n\n - CVE-2011-3552 Malicous Java code can use up an excessive amount of UDP ports, leading to a denial of service.\n\n - CVE-2011-3553 JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information.\n\n - CVE-2011-3554 JAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files.\n\n - CVE-2011-3556 The RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitary code.\n\n - CVE-2011-3557 The RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server.\n\n - CVE-2011-3560 The com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions.", "published": "2011-12-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56987", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-10-29T13:38:37"}, {"id": "FEDORA_2011-15020.NASL", "type": "nessus", "title": "Fedora 16 : java-1.6.0-openjdk-1.6.0.0-60.1.10.4.fc16 (2011-15020) (BEAST)", "description": "Update to latest upstream bugfix release\n\n - Security fixes\n\n - S7000600, CVE-2011-3547: InputStream skip() information leak\n\n - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor\n\n - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow\n\n - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager\n\n - S7046794, CVE-2011-3553: JAX-WS stack-traces information leak\n\n - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine\n\n - S7055902, CVE-2011-3521: IIOP deserialization code execution\n\n - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks\n\n - S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)\n\n - S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer\n\n - S7077466, CVE-2011-3556: RMI DGC server remote code execution\n\n - S7083012, CVE-2011-3557: RMI registry privileged code execution\n\n - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection\n\n - Bug fixes\n\n - RH727195: Japanese font mappings are broken\n\n - Backports\n\n - S6826104, RH730015: Getting a NullPointer exception when clicked on Application & Toolkit Modal dialog\n\n - Zero/Shark\n\n - PR690: Shark fails to JIT using hs20.\n\n - PR696: Zero fails to handle fast_aldc and fast_aldc_w in hs20.\n\n - Added Patch6 as (probably temporally) solution for S7103224 for buildability on newest glibc libraries.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-11-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56719", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-10-29T13:37:34"}, {"id": "SL_20111018_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x i386/x86_64 (BEAST)", "description": "These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry. (CVE-2011-3556)\n\nA flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges. (CVE-2011-3557)\n\nA flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially crafted input. (CVE-2011-3521)\n\nIt was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3544)\n\nA flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3548)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.\n(CVE-2011-3551)\n\nAn insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges. (CVE-2011-3554)\n\nIt was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy. (CVE-2011-3560)\n\nA flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection. (CVE-2011-3389)\n\nNote: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag '-Djsse.enableCBCProtection=false' to the java command.\n\nAn information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads.\n(CVE-2011-3547)\n\nA flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash. (CVE-2011-3558)\n\nThe Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information. (CVE-2011-3553)\n\nIt was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system.\n(CVE-2011-3552)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.9.10.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=61156", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-10-29T13:40:59"}, {"id": "CENTOS_RHSA-2011-1380.NASL", "type": "nessus", "title": "CentOS 5 : java-1.6.0-openjdk (CESA-2011:1380) (BEAST)", "description": "Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry. (CVE-2011-3556)\n\nA flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges. (CVE-2011-3557)\n\nA flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially crafted input. (CVE-2011-3521)\n\nIt was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3544)\n\nA flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3548)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.\n(CVE-2011-3551)\n\nAn insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges. (CVE-2011-3554)\n\nIt was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy. (CVE-2011-3560)\n\nA flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection. (CVE-2011-3389)\n\nNote: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag '-Djsse.enableCBCProtection=false' to the java command.\n\nAn information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads.\n(CVE-2011-3547)\n\nA flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash. (CVE-2011-3558)\n\nThe Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information. (CVE-2011-3553)\n\nIt was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system.\n(CVE-2011-3552)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.9.10.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2011-10-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=56558", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-10-29T13:45:36"}], "redhat": [{"id": "RHSA-2012:0343", "type": "redhat", "title": "(RHSA-2012:0343) Moderate: java-1.4.2-ibm-sap security update", "description": "The IBM 1.4.2 SR13-FP11 Java release includes the IBM Java 1.4.2 Runtime\nEnvironment and the IBM Java 1.4.2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime\nEnvironment and the IBM Java 1.4.2 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2011-3389, CVE-2011-3545,\nCVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556,\nCVE-2011-3557, CVE-2011-3560)\n\nAll users of java-1.4.2-ibm-sap are advised to upgrade to these updated\npackages, which contain the IBM 1.4.2 SR13-FP11 Java release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2012-02-29T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0343", "cvelist": ["CVE-2011-3389", "CVE-2011-3545", "CVE-2011-3547", "CVE-2011-3548", "CVE-2011-3549", "CVE-2011-3552", "CVE-2011-3556", "CVE-2011-3557", "CVE-2011-3560"], "lastseen": "2017-09-09T07:19:31"}, {"id": "RHSA-2012:0006", "type": "redhat", "title": "(RHSA-2012:0006) Critical: java-1.4.2-ibm security update", "description": "The IBM Java SE version 1.4.2 release includes the IBM Java 1.4.2 Runtime\nEnvironment and the IBM Java 1.4.2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime\nEnvironment and the IBM Java 1.4.2 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2011-3389, CVE-2011-3545,\nCVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556,\nCVE-2011-3557, CVE-2011-3560)\n\nAll users of java-1.4.2-ibm are advised to upgrade to these updated\npackages, which contain the IBM Java 1.4.2 SR13-FP11 release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2012-01-09T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0006", "cvelist": ["CVE-2011-3389", "CVE-2011-3545", "CVE-2011-3547", "CVE-2011-3548", "CVE-2011-3549", "CVE-2011-3552", "CVE-2011-3556", "CVE-2011-3557", "CVE-2011-3560"], "lastseen": "2017-09-09T07:20:06"}, {"id": "RHSA-2012:0508", "type": "redhat", "title": "(RHSA-2012:0508) Critical: java-1.5.0-ibm security update", "description": "The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and\nthe IBM Java 2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2011-3389, CVE-2011-3557,\nCVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501,\nCVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM 1.5.0 SR13-FP1 Java release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2012-04-23T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0508", "cvelist": ["CVE-2011-3389", "CVE-2011-3557", "CVE-2011-3560", "CVE-2011-3563", "CVE-2012-0498", "CVE-2012-0499", "CVE-2012-0501", "CVE-2012-0502", "CVE-2012-0503", "CVE-2012-0505", "CVE-2012-0506", "CVE-2012-0507"], "lastseen": "2017-09-09T07:20:28"}, {"id": "RHSA-2011:1380", "type": "redhat", "title": "(RHSA-2011:1380) Critical: java-1.6.0-openjdk security update", "description": "These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nA flaw was found in the Java RMI (Remote Method Invocation) registry\nimplementation. A remote RMI client could use this flaw to execute\narbitrary code on the RMI server running the registry. (CVE-2011-3556)\n\nA flaw was found in the Java RMI registry implementation. A remote RMI\nclient could use this flaw to execute code on the RMI server with\nunrestricted privileges. (CVE-2011-3557)\n\nA flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization\ncode. An untrusted Java application or applet running in a sandbox could\nuse this flaw to bypass sandbox restrictions by deserializing\nspecially-crafted input. (CVE-2011-3521)\n\nIt was found that the Java ScriptingEngine did not properly restrict the\nprivileges of sandboxed applications. An untrusted Java application or\napplet running in a sandbox could use this flaw to bypass sandbox\nrestrictions. (CVE-2011-3544)\n\nA flaw was found in the AWTKeyStroke implementation. An untrusted Java\napplication or applet running in a sandbox could use this flaw to bypass\nsandbox restrictions. (CVE-2011-3548)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the Java2D code used to perform transformations of graphic shapes\nand images. An untrusted Java application or applet running in a sandbox\ncould use this flaw to bypass sandbox restrictions. (CVE-2011-3551)\n\nAn insufficient error checking flaw was found in the unpacker for JAR files\nin pack200 format. A specially-crafted JAR file could use this flaw to\ncrash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code\nwith JVM privileges. (CVE-2011-3554)\n\nIt was found that HttpsURLConnection did not perform SecurityManager checks\nin the setSSLSocketFactory method. An untrusted Java application or applet\nrunning in a sandbox could use this flaw to bypass connection restrictions\ndefined in the policy. (CVE-2011-3560)\n\nA flaw was found in the way the SSL 3 and TLS 1.0 protocols used block\nciphers in cipher-block chaining (CBC) mode. An attacker able to perform a\nchosen plain text attack against a connection mixing trusted and untrusted\ndata could use this flaw to recover portions of the trusted data sent over\nthe connection. (CVE-2011-3389)\n\nNote: This update mitigates the CVE-2011-3389 issue by splitting the first\napplication data record byte to a separate SSL/TLS protocol record. This\nmitigation may cause compatibility issues with some SSL/TLS implementations\nand can be disabled using the jsse.enableCBCProtection boolean property.\nThis can be done on the command line by appending the flag\n\"-Djsse.enableCBCProtection=false\" to the java command.\n\nAn information leak flaw was found in the InputStream.skip implementation.\nAn untrusted Java application or applet could possibly use this flaw to\nobtain bytes skipped by other threads. (CVE-2011-3547)\n\nA flaw was found in the Java HotSpot virtual machine. An untrusted Java\napplication or applet could use this flaw to disclose portions of the VM\nmemory, or cause it to crash. (CVE-2011-3558)\n\nThe Java API for XML Web Services (JAX-WS) implementation in OpenJDK was\nconfigured to include the stack trace in error messages sent to clients. A\nremote client could possibly use this flaw to obtain sensitive information.\n(CVE-2011-3553)\n\nIt was found that Java applications running with SecurityManager\nrestrictions were allowed to use too many UDP sockets by default. If\nmultiple instances of a malicious application were started at the same\ntime, they could exhaust all available UDP sockets on the system.\n(CVE-2011-3552)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.9.10. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2011-10-18T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:1380", "cvelist": ["CVE-2011-3389", "CVE-2011-3521", "CVE-2011-3544", "CVE-2011-3547", "CVE-2011-3548", "CVE-2011-3551", "CVE-2011-3552", "CVE-2011-3553", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3557", "CVE-2011-3558", "CVE-2011-3560"], "lastseen": "2017-12-25T20:05:45"}, {"id": "RHSA-2012:0034", "type": "redhat", "title": "(RHSA-2012:0034) Critical: java-1.6.0-ibm security update", "description": "The IBM Java SE version 6 release includes the IBM Java 6 Runtime\nEnvironment and the IBM Java 6 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 6 Runtime\nEnvironment and the IBM Java 6 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2011-3389, CVE-2011-3516,\nCVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547,\nCVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552,\nCVE-2011-3553, CVE-2011-3554, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560,\nCVE-2011-3561)\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java 6 SR10 release. All running instances\nof IBM Java must be restarted for the update to take effect.\n", "published": "2012-01-18T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0034", "cvelist": ["CVE-2011-3389", "CVE-2011-3516", "CVE-2011-3521", "CVE-2011-3544", "CVE-2011-3545", "CVE-2011-3546", "CVE-2011-3547", "CVE-2011-3548", "CVE-2011-3549", "CVE-2011-3550", "CVE-2011-3551", "CVE-2011-3552", "CVE-2011-3553", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3557", "CVE-2011-3560", "CVE-2011-3561"], "lastseen": "2017-09-09T07:19:33"}, {"id": "RHSA-2011:1384", "type": "redhat", "title": "(RHSA-2011:1384) Critical: java-1.6.0-sun security update", "description": "The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and\nthe Sun Java 6 Software Development Kit.\n\nThis update fixes several vulnerabilities in the Sun Java 6 Runtime\nEnvironment and the Sun Java 6 Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch page, listed in the References section. (CVE-2011-3389,\nCVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546,\nCVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551,\nCVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556,\nCVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561)\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide JDK and JRE 6 Update 29 and resolve these issues.\nAll running instances of Sun Java must be restarted for the update to take\neffect.\n", "published": "2011-10-19T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:1384", "cvelist": ["CVE-2011-3389", "CVE-2011-3516", "CVE-2011-3521", "CVE-2011-3544", "CVE-2011-3545", "CVE-2011-3546", "CVE-2011-3547", "CVE-2011-3548", "CVE-2011-3549", "CVE-2011-3550", "CVE-2011-3551", "CVE-2011-3552", "CVE-2011-3553", "CVE-2011-3554", "CVE-2011-3555", "CVE-2011-3556", "CVE-2011-3557", "CVE-2011-3558", "CVE-2011-3560", "CVE-2011-3561"], "lastseen": "2017-09-09T07:20:32"}, {"id": "RHSA-2013:1455", "type": "redhat", "title": "(RHSA-2013:1455) Low: Red Hat Network Satellite server IBM Java Runtime security update", "description": "This update corrects several security vulnerabilities in the IBM Java\nRuntime Environment shipped as part of Red Hat Network Satellite Server\n5.4. In a typical operating environment, these are of low security risk as\nthe runtime is not used on untrusted applets.\n\nSeveral flaws were fixed in the IBM Java 2 Runtime Environment.\n(CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0863, CVE-2011-0865,\nCVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0873,\nCVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545,\nCVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550,\nCVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556,\nCVE-2011-3557, CVE-2011-3560, CVE-2011-3561, CVE-2011-3563, CVE-2011-5035,\nCVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501,\nCVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507,\nCVE-2012-0547, CVE-2012-0551, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533,\nCVE-2012-1541, CVE-2012-1682, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,\nCVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725,\nCVE-2012-3143, CVE-2012-3159, CVE-2012-3213, CVE-2012-3216, CVE-2012-3342,\nCVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069,\nCVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079,\nCVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089, CVE-2013-0169,\nCVE-2013-0351, CVE-2013-0401, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,\nCVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428,\nCVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438,\nCVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445,\nCVE-2013-0446, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476,\nCVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487,\nCVE-2013-1491, CVE-2013-1493, CVE-2013-1500, CVE-2013-1537, CVE-2013-1540,\nCVE-2013-1557, CVE-2013-1563, CVE-2013-1569, CVE-2013-1571, CVE-2013-2383,\nCVE-2013-2384, CVE-2013-2394, CVE-2013-2407, CVE-2013-2412, CVE-2013-2417,\nCVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2422, CVE-2013-2424,\nCVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2433, CVE-2013-2435,\nCVE-2013-2437, CVE-2013-2440, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444,\nCVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451,\nCVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456,\nCVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,\nCVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,\nCVE-2013-2472, CVE-2013-2473, CVE-2013-3743)\n\nUsers of Red Hat Network Satellite Server 5.4 are advised to upgrade to\nthese updated packages, which contain the IBM Java SE 6 SR14 release. For\nthis update to take effect, Red Hat Network Satellite Server must be\nrestarted (\"/usr/sbin/rhn-satellite restart\"), as well as all running\ninstances of IBM Java.\n", "published": "2013-10-23T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:1455", "cvelist": ["CVE-2013-2418", "CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2468", "CVE-2013-2420", "CVE-2011-0865", "CVE-2013-2384", "CVE-2013-1491", "CVE-2013-1571", "CVE-2011-3557", "CVE-2012-1541", "CVE-2013-2417", "CVE-2013-2433", "CVE-2013-1500", "CVE-2013-2448", "CVE-2011-3551", "CVE-2013-0401", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2013-2407", "CVE-2012-1533", "CVE-2013-1478", "CVE-2011-3549", "CVE-2013-2456", "CVE-2011-0802", "CVE-2011-0868", "CVE-2013-0428", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-0169", "CVE-2012-1719", "CVE-2013-2394", "CVE-2011-3563", "CVE-2012-3159", "CVE-2013-0435", "CVE-2013-0809", "CVE-2013-0442", "CVE-2011-3561", "CVE-2013-2452", "CVE-2012-3342", "CVE-2013-2451", "CVE-2011-0869", "CVE-2013-2473", "CVE-2011-0863", "CVE-2012-5079", "CVE-2012-0507", "CVE-2012-5075", "CVE-2013-1473", "CVE-2013-0434", "CVE-2011-3548", "CVE-2012-5081", "CVE-2011-3547", "CVE-2012-0503", "CVE-2011-3521", "CVE-2013-0443", "CVE-2011-5035", "CVE-2013-2419", "CVE-2013-2463", "CVE-2013-1563", "CVE-2011-3389", "CVE-2013-2469", "CVE-2013-0351", "CVE-2013-2465", "CVE-2013-1537", "CVE-2013-3743", "CVE-2012-0498", "CVE-2011-3544", "CVE-2012-0551", "CVE-2011-3553", "CVE-2012-0506", "CVE-2013-0433", "CVE-2013-1480", "CVE-2012-1717", "CVE-2012-1721", "CVE-2011-3516", "CVE-2013-0409", "CVE-2011-0873", "CVE-2013-0438", "CVE-2012-1713", "CVE-2012-1716", "CVE-2012-5083", "CVE-2013-2429", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-1532", "CVE-2013-1486", "CVE-2013-1476", "CVE-2012-4823", "CVE-2013-1487", "CVE-2013-0445", "CVE-2012-5069", "CVE-2012-3216", "CVE-2012-4820", "CVE-2013-0432", "CVE-2012-0505", "CVE-2012-5084", "CVE-2011-3546", "CVE-2012-4822", "CVE-2012-1718", "CVE-2013-2440", "CVE-2013-2464", "CVE-2011-3554", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2011-0867", "CVE-2013-2442", "CVE-2012-0499", "CVE-2012-0501", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-2432", "CVE-2012-1722", "CVE-2013-2443", "CVE-2013-1481", "CVE-2013-2446", "CVE-2011-3556", "CVE-2012-0547", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2013-1540", "CVE-2012-0500", "CVE-2011-3560", "CVE-2013-1493", "CVE-2012-1531", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2455", "CVE-2011-3545", "CVE-2013-2422", "CVE-2013-2435", "CVE-2013-2383", "CVE-2013-0425", "CVE-2011-3552", "CVE-2012-5068", "CVE-2012-1682", "CVE-2013-0441", "CVE-2012-3143", "CVE-2012-0502", "CVE-2011-3550", "CVE-2013-1569", "CVE-2013-2412", "CVE-2011-0862", "CVE-2013-2430", "CVE-2011-0871", "CVE-2013-2466", "CVE-2011-0814", "CVE-2013-0423", "CVE-2013-0419"], "lastseen": "2017-03-04T13:18:30"}, {"id": "RHSA-2011:1478", "type": "redhat", "title": "(RHSA-2011:1478) Critical: java-1.5.0-ibm security update", "description": "The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and\nthe IBM Java 2 Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM \"Security alerts\" page,\nlisted in the References section. (CVE-2011-3545, CVE-2011-3547,\nCVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3554, CVE-2011-3556)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM 1.5.0 SR13 Java release. All running instances\nof IBM Java must be restarted for this update to take effect.\n", "published": "2011-11-24T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2011:1478", "cvelist": ["CVE-2011-3545", "CVE-2011-3547", "CVE-2011-3548", "CVE-2011-3549", "CVE-2011-3552", "CVE-2011-3554", "CVE-2011-3556"], "lastseen": "2017-09-09T07:19:15"}, {"id": "RHSA-2012:1089", "type": "redhat", "title": "(RHSA-2012:1089) Critical: thunderbird security update", "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSeveral flaws were found in the processing of malformed content. Malicious\ncontent could cause Thunderbird to crash or, potentially, execute arbitrary\ncode with the privileges of the user running Thunderbird. (CVE-2012-1948,\nCVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958,\nCVE-2012-1962, CVE-2012-1967)\n\nMalicious content could bypass same-compartment security wrappers (SCSW)\nand execute arbitrary code with chrome privileges. (CVE-2012-1959)\n\nA flaw in the way Thunderbird called history.forward and history.back could\nallow an attacker to conceal a malicious URL, possibly tricking a user\ninto believing they are viewing trusted content. (CVE-2012-1955)\n\nA flaw in a parser utility class used by Thunderbird to parse feeds (such\nas RSS) could allow an attacker to execute arbitrary JavaScript with the\nprivileges of the user running Thunderbird. This issue could have affected\nother Thunderbird components or add-ons that assume the class returns\nsanitized input. (CVE-2012-1957)\n\nA flaw in the way Thunderbird handled X-Frame-Options headers could allow\nmalicious content to perform a clickjacking attack. (CVE-2012-1961)\n\nA flaw in the way Content Security Policy (CSP) reports were generated by\nThunderbird could allow malicious content to steal a victim's OAuth 2.0\naccess tokens and OpenID credentials. (CVE-2012-1963)\n\nA flaw in the way Thunderbird handled certificate warnings could allow a\nman-in-the-middle attacker to create a crafted warning, possibly tricking\na user into accepting an arbitrary certificate as trusted. (CVE-2012-1964)\n\nThe nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6\nintroduced a mitigation for the CVE-2011-3389 flaw. For compatibility\nreasons, it remains disabled by default in the nss packages. This update\nmakes Thunderbird enable the mitigation by default. It can be disabled by\nsetting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before\nlaunching Thunderbird. (BZ#838879)\n\nRed Hat would like to thank the Mozilla project for reporting these issues.\nUpstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill\nMcCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby\nHolley, Mariusz Mlynski, Mario Heiderich, Frederic Buclin, Karthikeyan\nBhargavan, and Matt McCutchen as the original reporters of these issues.\n\nNote: None of the issues in this advisory can be exploited by a\nspecially-crafted HTML mail message as JavaScript is disabled by default\nfor mail messages. They could be exploited another way in Thunderbird, for\nexample, when viewing the full remote content of an RSS feed.\n\nAll Thunderbird users should upgrade to this updated package, which\ncontains Thunderbird version 10.0.6 ESR, which corrects these issues. After\ninstalling the update, Thunderbird must be restarted for the changes to\ntake effect.\n", "published": "2012-07-17T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:1089", "cvelist": ["CVE-2011-3389", "CVE-2012-1948", "CVE-2012-1951", "CVE-2012-1952", "CVE-2012-1953", "CVE-2012-1954", "CVE-2012-1955", "CVE-2012-1957", "CVE-2012-1958", "CVE-2012-1959", "CVE-2012-1961", "CVE-2012-1962", "CVE-2012-1963", "CVE-2012-1964", "CVE-2012-1967"], "lastseen": "2017-09-09T07:20:27"}, {"id": "RHSA-2012:1088", "type": "redhat", "title": "(RHSA-2012:1088) Critical: firefox security update", "description": "Mozilla Firefox is an open source web browser. XULRunner provides the XUL\nRuntime environment for Mozilla Firefox.\n\nA web page containing malicious content could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nFirefox. (CVE-2012-1948, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953,\nCVE-2012-1954, CVE-2012-1958, CVE-2012-1962, CVE-2012-1967)\n\nA malicious web page could bypass same-compartment security wrappers (SCSW)\nand execute arbitrary code with chrome privileges. (CVE-2012-1959)\n\nA flaw in the context menu functionality in Firefox could allow a malicious\nwebsite to bypass intended restrictions and allow a cross-site scripting\nattack. (CVE-2012-1966)\n\nA page different to that in the address bar could be displayed when\ndragging and dropping to the address bar, possibly making it easier for a\nmalicious site or user to perform a phishing attack. (CVE-2012-1950)\n\nA flaw in the way Firefox called history.forward and history.back could\nallow an attacker to conceal a malicious URL, possibly tricking a user\ninto believing they are viewing a trusted site. (CVE-2012-1955)\n\nA flaw in a parser utility class used by Firefox to parse feeds (such as\nRSS) could allow an attacker to execute arbitrary JavaScript with the\nprivileges of the user running Firefox. This issue could have affected\nother browser components or add-ons that assume the class returns\nsanitized input. (CVE-2012-1957)\n\nA flaw in the way Firefox handled X-Frame-Options headers could allow a\nmalicious website to perform a clickjacking attack. (CVE-2012-1961)\n\nA flaw in the way Content Security Policy (CSP) reports were generated by\nFirefox could allow a malicious web page to steal a victim's OAuth 2.0\naccess tokens and OpenID credentials. (CVE-2012-1963)\n\nA flaw in the way Firefox handled certificate warnings could allow a\nman-in-the-middle attacker to create a crafted warning, possibly tricking\na user into accepting an arbitrary certificate as trusted. (CVE-2012-1964)\n\nA flaw in the way Firefox handled feed:javascript URLs could allow output\nfiltering to be bypassed, possibly leading to a cross-site scripting\nattack. (CVE-2012-1965)\n\nThe nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6\nintroduced a mitigation for the CVE-2011-3389 flaw. For compatibility\nreasons, it remains disabled by default in the nss packages. This update\nmakes Firefox enable the mitigation by default. It can be disabled by\nsetting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before\nlaunching Firefox. (BZ#838879)\n\nFor technical details regarding these flaws, refer to the Mozilla security\nadvisories for Firefox 10.0.6 ESR. You can find a link to the Mozilla\nadvisories in the References section of this erratum.\n\nRed Hat would like to thank the Mozilla project for reporting these issues.\nUpstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill\nMcCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby\nHolley, Code Audit Labs, Mariusz Mlynski, Mario Heiderich, Frederic Buclin,\nKarthikeyan Bhargavan, Matt McCutchen, Mario Gomes, and Soroush Dalili as\nthe original reporters of these issues.\n\nAll Firefox users should upgrade to these updated packages, which contain\nFirefox version 10.0.6 ESR, which corrects these issues. After installing\nthe update, Firefox must be restarted for the changes to take effect.\n", "published": "2012-07-17T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:1088", "cvelist": ["CVE-2011-3389", "CVE-2012-1948", "CVE-2012-1950", "CVE-2012-1951", "CVE-2012-1952", "CVE-2012-1953", "CVE-2012-1954", "CVE-2012-1955", "CVE-2012-1957", "CVE-2012-1958", "CVE-2012-1959", "CVE-2012-1961", "CVE-2012-1962", "CVE-2012-1963", "CVE-2012-1964", "CVE-2012-1965", "CVE-2012-1966", "CVE-2012-1967"], "lastseen": "2017-12-25T20:05:01"}], "debian": [{"id": "DSA-2356", "type": "debian", "title": "openjdk-6 -- several vulnerabilities", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform:\n\n * [CVE-2011-3389](<https://security-tracker.debian.org/tracker/CVE-2011-3389>)\n\nThe TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode.\n\n * [CVE-2011-3521](<https://security-tracker.debian.org/tracker/CVE-2011-3521>)\n\nThe CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code (such as applets) to elevate its privileges.\n\n * [CVE-2011-3544](<https://security-tracker.debian.org/tracker/CVE-2011-3544>)\n\nThe Java scripting engine lacks necessary security manager checks, allowing untrusted Java code (such as applets) to elevate its privileges.\n\n * [CVE-2011-3547](<https://security-tracker.debian.org/tracker/CVE-2011-3547>)\n\nThe skip() method in java.io.InputStream uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code.\n\n * [CVE-2011-3548](<https://security-tracker.debian.org/tracker/CVE-2011-3548>)\n\nThe java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code (such as applets) to elevate its privileges.\n\n * [CVE-2011-3551](<https://security-tracker.debian.org/tracker/CVE-2011-3551>)\n\nThe Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges.\n\n * [CVE-2011-3552](<https://security-tracker.debian.org/tracker/CVE-2011-3552>)\n\nMalicous Java code can use up an excessive amount of UDP ports, leading to a denial of service.\n\n * [CVE-2011-3553](<https://security-tracker.debian.org/tracker/CVE-2011-3553>)\n\nJAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information.\n\n * [CVE-2011-3554](<https://security-tracker.debian.org/tracker/CVE-2011-3554>)\n\nJAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files.\n\n * [CVE-2011-3556](<https://security-tracker.debian.org/tracker/CVE-2011-3556>)\n\nThe RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitary code.\n\n * [CVE-2011-3557](<https://security-tracker.debian.org/tracker/CVE-2011-3557>)\n\nThe RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server.\n\n * [CVE-2011-3560](<https://security-tracker.debian.org/tracker/CVE-2011-3560>)\n\nThe com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 6b18-1.8.10-0+squeeze2.\n\nFor the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 6b23~pre11-1.\n\nWe recommend that you upgrade your openjdk-6 packages.", "published": "2011-12-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2356", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2016-09-02T18:36:28"}, {"id": "DSA-2358", "type": "debian", "title": "openjdk-6 -- several vulnerabilities", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform. This combines the two previous openjdk-6 advisories, [DSA-2311-1](<dsa-2311>) and [DSA-2356-1](<dsa-2356>).\n\n * [CVE-2011-0862](<https://security-tracker.debian.org/tracker/CVE-2011-0862>)\n\nInteger overflow errors in the JPEG and font parser allow untrusted code (including applets) to elevate its privileges.\n\n * [CVE-2011-0864](<https://security-tracker.debian.org/tracker/CVE-2011-0864>)\n\nHotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code (including applets) to crash the virtual machine.\n\n * [CVE-2011-0865](<https://security-tracker.debian.org/tracker/CVE-2011-0865>)\n\nA race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact.\n\n * [CVE-2011-0867](<https://security-tracker.debian.org/tracker/CVE-2011-0867>)\n\nUntrusted code (including applets) could access information about network interfaces which was not intended to be public. (Note that the interface MAC address is still available to untrusted code.)\n\n * [CVE-2011-0868](<https://security-tracker.debian.org/tracker/CVE-2011-0868>)\n\nA float-to-long conversion could overflow, allowing untrusted code (including applets) to crash the virtual machine.\n\n * [CVE-2011-0869](<https://security-tracker.debian.org/tracker/CVE-2011-0869>)\n\nUntrusted code (including applets) could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection.\n\n * [CVE-2011-0871](<https://security-tracker.debian.org/tracker/CVE-2011-0871>)\n\nUntrusted code (including applets) could elevate its privileges through the Swing MediaTracker code.\n\n * [CVE-2011-3389](<https://security-tracker.debian.org/tracker/CVE-2011-3389>)\n\nThe TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode.\n\n * [CVE-2011-3521](<https://security-tracker.debian.org/tracker/CVE-2011-3521>)\n\nThe CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code (such as applets) to elevate its privileges.\n\n * [CVE-2011-3544](<https://security-tracker.debian.org/tracker/CVE-2011-3544>)\n\nThe Java scripting engine lacks necessary security manager checks, allowing untrusted Java code (such as applets) to elevate its privileges.\n\n * [CVE-2011-3547](<https://security-tracker.debian.org/tracker/CVE-2011-3547>)\n\nThe skip() method in java.io.InputStream uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code.\n\n * [CVE-2011-3548](<https://security-tracker.debian.org/tracker/CVE-2011-3548>)\n\nThe java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code (such as applets) to elevate its privileges.\n\n * [CVE-2011-3551](<https://security-tracker.debian.org/tracker/CVE-2011-3551>)\n\nThe Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges.\n\n * [CVE-2011-3552](<https://security-tracker.debian.org/tracker/CVE-2011-3552>)\n\nMalicous Java code can use up an excessive amount of UDP ports, leading to a denial of service.\n\n * [CVE-2011-3553](<https://security-tracker.debian.org/tracker/CVE-2011-3553>)\n\nJAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information.\n\n * [CVE-2011-3554](<https://security-tracker.debian.org/tracker/CVE-2011-3554>)\n\nJAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files.\n\n * [CVE-2011-3556](<https://security-tracker.debian.org/tracker/CVE-2011-3556>)\n\nThe RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitary code.\n\n * [CVE-2011-3557](<https://security-tracker.debian.org/tracker/CVE-2011-3557>)\n\nThe RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server.\n\n * [CVE-2011-3560](<https://security-tracker.debian.org/tracker/CVE-2011-3560>)\n\nThe com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions.\n\nFor the oldstable distribution (lenny), these problems have been fixed in version 6b18-1.8.10-0~lenny2.\n\nWe recommend that you upgrade your openjdk-6 packages.", "published": "2011-12-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-2358", "cvelist": ["CVE-2011-0865", "CVE-2011-3557", "CVE-2011-3551", "CVE-2011-0868", "CVE-2011-0869", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3554", "CVE-2011-0867", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-0864", "CVE-2011-3552", "CVE-2011-0862", "CVE-2011-0871"], "lastseen": "2016-09-02T18:30:07"}, {"id": "DSA-2368", "type": "debian", "title": "lighttpd -- multiple vulnerabilities", "description": "Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint.\n\n * [CVE-2011-4362](<https://security-tracker.debian.org/tracker/CVE-2011-4362>)\n\nXi Wang discovered that the base64 decoding routine which is used to decode user input during an HTTP authentication, suffers of a signedness issue when processing user input. As a result it is possible to force lighttpd to perform an out-of-bounds read which results in Denial of Service conditions.\n\n * [CVE-2011-3389](<https://security-tracker.debian.org/tracker/CVE-2011-3389>)\n\nWhen using CBC ciphers on an SSL enabled virtual host to communicate with certain client, a so called BEAST attack allows man-in-the-middle attackers to obtain plaintext HTTP traffic via a blockwise chosen-boundary attack (BCBA) on an HTTPS session. Technically this is no lighttpd vulnerability. However, lighttpd offers a workaround to mitigate this problem by providing a possibility to disable CBC ciphers.\n\nThis updates includes this option by default. System administrators are advised to read the NEWS file of this update (as this may break older clients).\n\nFor the oldstable distribution (lenny), this problem has been fixed in version 1.4.19-5+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 1.4.28-2+squeeze1.\n\nFor the testing distribution (wheezy), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in version 1.4.30-1.\n\nWe recommend that you upgrade your lighttpd packages.", "published": "2011-12-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2368", "cvelist": ["CVE-2011-3389", "CVE-2011-4362"], "lastseen": "2016-09-02T18:27:25"}, {"id": "DLA-154", "type": "debian", "title": "nss -- LTS security update", "description": "nss 3.12.8-1+squeeze11 fixes two security issues:\n\n * [CVE-2011-3389](<https://security-tracker.debian.org/tracker/CVE-2011-3389>)\n\nSSL 3.0 and TLS 1.0 connections were vulnerable to some chosen plaintext attacks which allowed man-in-the middle attackers to obtain plaintext HTTP headers on an HTTPS session. This issue is known as the BEAST attack.\n\n * [CVE-2014-1569](<https://security-tracker.debian.org/tracker/CVE-2014-1569>)\n\nPossible information leak with too-permissive ASN.1 DER decoding of length.\n\nFor Debian 6 Squeeze, these issues have been fixed in nss version 3.12.8-1+squeeze11", "published": "2015-02-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/2015/dla-154", "cvelist": ["CVE-2011-3389", "CVE-2014-1569"], "lastseen": "2016-09-02T12:56:53"}, {"id": "DSA-2398", "type": "debian", "title": "curl -- several vulnerabilities", "description": "Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2011-3389](<https://security-tracker.debian.org/tracker/CVE-2011-3389>)\n\nThis update enables OpenSSL workarounds against the BEAST attack. Additional information can be found in the [cURL advisory](<http://curl.haxx.se/docs/adv_20120124B.html>)\n\n * [CVE-2012-0036](<https://security-tracker.debian.org/tracker/CVE-2012-0036>)\n\nDan Fandrich discovered that cURL performs insufficient sanitising when extracting the file path part of an URL.\n\nFor the oldstable distribution (lenny), this problem has been fixed in version 7.18.2-8lenny6.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze2.\n\nFor the unstable distribution (sid), this problem has been fixed in version 7.24.0-1.\n\nWe recommend that you upgrade your curl packages.", "published": "2012-03-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2398", "cvelist": ["CVE-2011-3389", "CVE-2012-0036"], "lastseen": "2016-09-02T18:25:18"}, {"id": "DLA-400", "type": "debian", "title": "pound -- LTS security update", "description": "This update fixes certain known vulnerabilities in pound in squeeze-lts by backporting the version in wheezy.\n\n * [CVE-2009-3555](<https://security-tracker.debian.org/tracker/CVE-2009-3555>)\n\nThe TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue.\n\n * [CVE-2011-3389](<https://security-tracker.debian.org/tracker/CVE-2011-3389>)\n\nThe SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a BEAST attack.\n\n * [CVE-2012-4929](<https://security-tracker.debian.org/tracker/CVE-2012-4929>)\n\nThe TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a CRIME attack.\n\n * [CVE-2014-3566](<https://security-tracker.debian.org/tracker/CVE-2014-3566>)\n\nThe SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the POODLE issue.", "published": "2016-01-24T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/2016/dla-400", "cvelist": ["CVE-2014-3566", "CVE-2011-3389", "CVE-2012-4929", "CVE-2009-3555"], "lastseen": "2016-09-02T12:56:43"}], "oraclelinux": [{"id": "ELSA-2011-1380", "type": "oraclelinux", "title": "java-1.6.0-openjdk security update", "description": "[1:1.6.0.0-1.40.1.9.10]\n- Resolves: rhbz#744788\n- Bumped to IcedTea6 1.9.8\n-removed font copying\n Security fixes\n - S7000600, CVE-2011-3547: InputStream skip() information leak\n - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor\n - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow\n - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager\n - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine\n - S7055902, CVE-2011-3521: IIOP deserialization code execution\n - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks\n - S7064341, CVE-2011-3389: JSSE\n - S7070134, CVE-2011-3558: Hotspot unspecified issue\n - S7077466, CVE-2011-3556: RMI DGC server remote code execution\n - S7083012, CVE-2011-3557: RMI registry privileged code execution\n - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection\n NetX\n - PR794: javaws does not work if a Web Start app jar has a Class-Path element in the manifest", "published": "2011-10-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-1380.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2016-09-04T11:15:56"}], "amazon": [{"id": "ALAS-2011-10", "type": "amazon", "title": "Critical: java-1.6.0-openjdk", "description": "**Issue Overview:**\n\nA flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry. ([CVE-2011-3556 __](<https://access.redhat.com/security/cve/CVE-2011-3556>))\n\nA flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges. ([CVE-2011-3557 __](<https://access.redhat.com/security/cve/CVE-2011-3557>))\n\nA flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially-crafted input. ([CVE-2011-3521 __](<https://access.redhat.com/security/cve/CVE-2011-3521>))\n\nIt was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. ([CVE-2011-3544 __](<https://access.redhat.com/security/cve/CVE-2011-3544>))\n\nA flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. ([CVE-2011-3548 __](<https://access.redhat.com/security/cve/CVE-2011-3548>))\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. ([CVE-2011-3551 __](<https://access.redhat.com/security/cve/CVE-2011-3551>))\n\nAn insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially-crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges. ([CVE-2011-3554 __](<https://access.redhat.com/security/cve/CVE-2011-3554>))\n\nIt was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy. ([CVE-2011-3560 __](<https://access.redhat.com/security/cve/CVE-2011-3560>))\n\nA flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection. ([CVE-2011-3389 __](<https://access.redhat.com/security/cve/CVE-2011-3389>))\n\nNote: This update mitigates the [CVE-2011-3389 __](<https://access.redhat.com/security/cve/CVE-2011-3389>) issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag \"-Djsse.enableCBCProtection=false\" to the java command.\n\nAn information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads. ([CVE-2011-3547 __](<https://access.redhat.com/security/cve/CVE-2011-3547>))\n\nA flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash. ([CVE-2011-3558 __](<https://access.redhat.com/security/cve/CVE-2011-3558>))\n\nThe Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information. ([CVE-2011-3553 __](<https://access.redhat.com/security/cve/CVE-2011-3553>))\n\nIt was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system. ([CVE-2011-3552 __](<https://access.redhat.com/security/cve/CVE-2011-3552>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-demo-1.6.0.0-52.1.9.10.40.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.9.10.40.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.0-52.1.9.10.40.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.0-52.1.9.10.40.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.0-52.1.9.10.40.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.9.10.40.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.0-52.1.9.10.40.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-src-1.6.0.0-52.1.9.10.40.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.9.10.40.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.0-52.1.9.10.40.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.0-52.1.9.10.40.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.9.10.40.amzn1.x86_64 \n java-1.6.0-openjdk-1.6.0.0-52.1.9.10.40.amzn1.x86_64 \n \n \n", "published": "2011-10-31T18:22:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2011-10.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2016-09-28T21:03:59"}], "centos": [{"id": "CESA-2011:1380", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2011:1380\n\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nA flaw was found in the Java RMI (Remote Method Invocation) registry\nimplementation. A remote RMI client could use this flaw to execute\narbitrary code on the RMI server running the registry. (CVE-2011-3556)\n\nA flaw was found in the Java RMI registry implementation. A remote RMI\nclient could use this flaw to execute code on the RMI server with\nunrestricted privileges. (CVE-2011-3557)\n\nA flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization\ncode. An untrusted Java application or applet running in a sandbox could\nuse this flaw to bypass sandbox restrictions by deserializing\nspecially-crafted input. (CVE-2011-3521)\n\nIt was found that the Java ScriptingEngine did not properly restrict the\nprivileges of sandboxed applications. An untrusted Java application or\napplet running in a sandbox could use this flaw to bypass sandbox\nrestrictions. (CVE-2011-3544)\n\nA flaw was found in the AWTKeyStroke implementation. An untrusted Java\napplication or applet running in a sandbox could use this flaw to bypass\nsandbox restrictions. (CVE-2011-3548)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the Java2D code used to perform transformations of graphic shapes\nand images. An untrusted Java application or applet running in a sandbox\ncould use this flaw to bypass sandbox restrictions. (CVE-2011-3551)\n\nAn insufficient error checking flaw was found in the unpacker for JAR files\nin pack200 format. A specially-crafted JAR file could use this flaw to\ncrash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code\nwith JVM privileges. (CVE-2011-3554)\n\nIt was found that HttpsURLConnection did not perform SecurityManager checks\nin the setSSLSocketFactory method. An untrusted Java application or applet\nrunning in a sandbox could use this flaw to bypass connection restrictions\ndefined in the policy. (CVE-2011-3560)\n\nA flaw was found in the way the SSL 3 and TLS 1.0 protocols used block\nciphers in cipher-block chaining (CBC) mode. An attacker able to perform a\nchosen plain text attack against a connection mixing trusted and untrusted\ndata could use this flaw to recover portions of the trusted data sent over\nthe connection. (CVE-2011-3389)\n\nNote: This update mitigates the CVE-2011-3389 issue by splitting the first\napplication data record byte to a separate SSL/TLS protocol record. This\nmitigation may cause compatibility issues with some SSL/TLS implementations\nand can be disabled using the jsse.enableCBCProtection boolean property.\nThis can be done on the command line by appending the flag\n\"-Djsse.enableCBCProtection=false\" to the java command.\n\nAn information leak flaw was found in the InputStream.skip implementation.\nAn untrusted Java application or applet could possibly use this flaw to\nobtain bytes skipped by other threads. (CVE-2011-3547)\n\nA flaw was found in the Java HotSpot virtual machine. An untrusted Java\napplication or applet could use this flaw to disclose portions of the VM\nmemory, or cause it to crash. (CVE-2011-3558)\n\nThe Java API for XML Web Services (JAX-WS) implementation in OpenJDK was\nconfigured to include the stack trace in error messages sent to clients. A\nremote client could possibly use this flaw to obtain sensitive information.\n(CVE-2011-3553)\n\nIt was found that Java applications running with SecurityManager\nrestrictions were allowed to use too many UDP sockets by default. If\nmultiple instances of a malicious application were started at the same\ntime, they could exhaust all available UDP sockets on the system.\n(CVE-2011-3552)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.9.10. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-October/018121.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-October/018122.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-1380.html", "published": "2011-10-19T17:07:19", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2011-October/018121.html", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2017-10-03T18:24:26"}], "ubuntu": [{"id": "USN-1263-2", "type": "ubuntu", "title": "OpenJDK 6 regression", "description": "USN-1263-1 fixed vulnerabilities in OpenJDK 6. The upstream patch for the chosen plaintext attack on the block-wise AES encryption algorithm (CVE-2011-3389) introduced a regression that caused TLS/SSL connections to fail when using certain algorithms. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nDeepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea web browser plugin. This could allow a remote attacker to open connections to certain hosts that should not be permitted. (CVE-2011-3377)\n\nJuliano Rizzo and Thai Duong discovered that the block-wise AES encryption algorithm block-wise as used in TLS/SSL was vulnerable to a chosen-plaintext attack. This could allow a remote attacker to view confidential data. (CVE-2011-3389)\n\nIt was discovered that a type confusion flaw existed in the in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521)\n\nIt was discovered that the Java scripting engine did not perform SecurityManager checks. This could allow a remote attacker to cause an untrusted application or applet to execute arbitrary code with the full privileges of the JVM. (CVE-2011-3544)\n\nIt was discovered that the InputStream class used a global buffer to store input bytes skipped. An attacker could possibly use this to gain access to sensitive information. (CVE-2011-3547)\n\nIt was discovered that a vulnerability existed in the AWTKeyStroke class. A remote attacker could cause an untrusted application or applet to execute arbitrary code. (CVE-2011-3548)\n\nIt was discovered that an integer overflow vulnerability existed in the TransformHelper class in the Java2D implementation. A remote attacker could use this cause a denial of service via an application or applet crash or possibly execute arbitrary code. (CVE-2011-3551)\n\nIt was discovered that the default number of available UDP sockets for applications running under SecurityManager restrictions was set too high. A remote attacker could use this with a malicious application or applet exhaust the number of available UDP sockets to cause a denial of service for other applets or applications running within the same JVM. (CVE-2011-3552)\n\nIt was discovered that Java API for XML Web Services (JAX-WS) could incorrectly expose a stack trace. A remote attacker could potentially use this to gain access to sensitive information. (CVE-2011-3553)\n\nIt was discovered that the unpacker for pack200 JAR files did not sufficiently check for errors. An attacker could cause a denial of service or possibly execute arbitrary code through a specially crafted pack200 JAR file. (CVE-2011-3554)\n\nIt was discovered that the RMI registration implementation did not properly restrict privileges of remotely executed code. A remote attacker could use this to execute code with elevated privileges. (CVE-2011-3556, CVE-2011-3557)\n\nIt was discovered that the HotSpot VM could be made to crash, allowing an attacker to cause a denial of service or possibly leak sensitive information. (CVE-2011-3558)\n\nIt was discovered that the HttpsURLConnection class did not properly perform SecurityManager checks in certain situations. This could allow a remote attacker to bypass restrictions on HTTPS connections. (CVE-2011-3560)", "published": "2012-01-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1263-2/", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3377", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2018-03-29T18:17:40"}, {"id": "USN-1263-1", "type": "ubuntu", "title": "IcedTea-Web, OpenJDK 6 vulnerabilities", "description": "Deepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea web browser plugin. This could allow a remote attacker to open connections to certain hosts that should not be permitted. (CVE-2011-3377)\n\nJuliano Rizzo and Thai Duong discovered that the block-wise AES encryption algorithm block-wise as used in TLS/SSL was vulnerable to a chosen-plaintext attack. This could allow a remote attacker to view confidential data. (CVE-2011-3389)\n\nIt was discovered that a type confusion flaw existed in the in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521)\n\nIt was discovered that the Java scripting engine did not perform SecurityManager checks. This could allow a remote attacker to cause an untrusted application or applet to execute arbitrary code with the full privileges of the JVM. (CVE-2011-3544)\n\nIt was discovered that the InputStream class used a global buffer to store input bytes skipped. An attacker could possibly use this to gain access to sensitive information. (CVE-2011-3547)\n\nIt was discovered that a vulnerability existed in the AWTKeyStroke class. A remote attacker could cause an untrusted application or applet to execute arbitrary code. (CVE-2011-3548)\n\nIt was discovered that an integer overflow vulnerability existed in the TransformHelper class in the Java2D implementation. A remote attacker could use this cause a denial of service via an application or applet crash or possibly execute arbitrary code. (CVE-2011-3551)\n\nIt was discovered that the default number of available UDP sockets for applications running under SecurityManager restrictions was set too high. A remote attacker could use this with a malicious application or applet exhaust the number of available UDP sockets to cause a denial of service for other applets or applications running within the same JVM. (CVE-2011-3552)\n\nIt was discovered that Java API for XML Web Services (JAX-WS) could incorrectly expose a stack trace. A remote attacker could potentially use this to gain access to sensitive information. (CVE-2011-3553)\n\nIt was discovered that the unpacker for pack200 JAR files did not sufficiently check for errors. An attacker could cause a denial of service or possibly execute arbitrary code through a specially crafted pack200 JAR file. (CVE-2011-3554)\n\nIt was discovered that the RMI registration implementation did not properly restrict privileges of remotely executed code. A remote attacker could use this to execute code with elevated privileges. (CVE-2011-3556, CVE-2011-3557)\n\nIt was discovered that the HotSpot VM could be made to crash, allowing an attacker to cause a denial of service or possibly leak sensitive information. (CVE-2011-3558)\n\nIt was discovered that the HttpsURLConnection class did not properly perform SecurityManager checks in certain situations. This could allow a remote attacker to bypass restrictions on HTTPS connections. (CVE-2011-3560)", "published": "2011-11-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1263-1/", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3377", "CVE-2011-3560", "CVE-2011-3552"], "lastseen": "2018-03-29T18:17:42"}], "threatpost": [{"id": "APPLE-RELEASES-NEW-JAVA-UPDATES-FIX-17-FLAWS-110911/75873", "type": "threatpost", "title": "Apple Releases New Java Updates, Fix 17 Flaws", "description": "Apple pushed out a new batch of Java updates for Mac OS X 10.6.8 Snow Leopard and 10.7 Lion yesterday, bringing the two operating systems up to date with Oracle\u2019s Java SE 6 Update 29. \n\nIn its [update summary](<http://support.apple.com/kb/HT5045>), Apple claims multiple vulnerabilities exist in Java\u2019s previous build 1.6.0_26, including one that could allow an untrusted applet to execute arbitrary code outside the platform\u2019s sandbox. Another could bring about arbitrary code execution when it comes to the user\u2019s privileges. \n\n### Related Posts\n\n#### [Apple Patches Trident Vulnerabilities in OS X, Safari](<https://threatpost.com/apple-patches-trident-vulnerabilities-in-os-x-safari/120336/> \"Permalink to Apple Patches Trident Vulnerabilities in OS X, Safari\" )\n\nSeptember 2, 2016 , 10:00 am\n\n#### [Putting Apple Bug Bounty Rewards in Perspective](<https://threatpost.com/putting-apple-bug-bounty-rewards-in-perspective/119794/> \"Permalink to Putting Apple Bug Bounty Rewards in Perspective\" )\n\nAugust 10, 2016 , 11:00 am\n\n#### [Windows PDF Library Flaw Puts Edge Users at Risk for RCE](<https://threatpost.com/windows-pdf-library-flaw-puts-edge-users-at-risk-for-rce/119773/> \"Permalink to Windows PDF Library Flaw Puts Edge Users at Risk for RCE\" )\n\nAugust 9, 2016 , 2:59 pm\n\nThe update to version 1.6.0_29 fixes 17 flaws in total including:\n\n * CVE-2011-3389\n * CVE-2011-3521\n * CVE-2011-3544\n * CVE-2011-3545\n * CVE-2011-3546\n * CVE-2011-3547\n * CVE-2011-3548\n * CVE-2011-3549\n * CVE-2011-3551\n * CVE-2011-3552\n * CVE-2011-3553\n * CVE-2011-3554\n * CVE-2011-3556\n * CVE-2011-3557\n * CVE-2011-3558\n * CVE-2011-3560\n * CVE-2011-3561\n\nAs usual, the update can be downloaded via your computer\u2019s Software Update preferences or from [Apple\u2019s Downloads](<http://www.apple.com/support/downloads/>) page.", "published": "2011-11-09T17:09:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/apple-releases-new-java-updates-fix-17-flaws-110911/75873/", "cvelist": ["CVE-2011-3557", "CVE-2011-3551", "CVE-2011-3549", "CVE-2011-3561", "CVE-2011-3548", "CVE-2011-3547", "CVE-2011-3521", "CVE-2011-3389", "CVE-2011-3544", "CVE-2011-3553", "CVE-2011-3558", "CVE-2011-3546", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3560", "CVE-2011-3545", "CVE-2011-3552"], "lastseen": "2016-09-04T20:48:42"}, {"id": "RISE-CROSS-PLATFORM-MALWARE-082412/76947", "type": "threatpost", "title": "The Rise of Cross-Platform Malware", "description": "[](<https://threatpost.com/rise-cross-platform-malware-082412/>)For most of the recorded history of malware, viruses, Trojans and other malicious software have been specialists. Each piece of malware typically targeted one platform, be it Windows, OS X or now, one of the mobile platforms. But the last few months have seen the rise of cross-platform malware that have the ability to infect several different kinds of machines with small variations to their code.\n\nAttackers, like people in other walks of life, tend to specialize. They find something that they\u2019re good at, say, writing Windows rootkits or creating OS X Trojans, and they often will stick with that. There\u2019s not much reason to branch out if they\u2019re having success with something already. For a long time, most malware was written for Windows, because that\u2019s where most of the users are. Going after OS X or Linux didn\u2019t make a lot of sense.\n\n### Related Posts\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\n#### [Insecure Redis Instances at Core of Attacks Against Linux Servers](<https://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-linux-servers/120312/> \"Permalink to Insecure Redis Instances at Core of Attacks Against Linux Servers\" )\n\nSeptember 1, 2016 , 1:08 pm\n\n#### [Fairware Attacks Targeting Linux Servers](<https://threatpost.com/fairware-attacks-targeting-linux-servers/120254/> \"Permalink to Fairware Attacks Targeting Linux Servers\" )\n\nAugust 31, 2016 , 10:21 am\n\nBut that\u2019s begun to change lately. One recent example is the [Crisis Trojan](<https://threatpost.com/crisis-trojan-makes-its-way-virtual-machines-082112/>), which has the ability to infect both Windows and Mac OS X machines. The first version of Crisis that researchers discovered targeted various versions of OS X, and it was a typical data-stealing Trojan, listening in on email and instant messenger communications. The interesting thing about Crisis is not only that there are versions for multiple platforms, but also that the installer for the malware, which masquerades as an Adobe Flash installer, checks to see what operating system it\u2019s on and then installs the appropriate version.\n\nThe malware also has a function that looks for VMWare images stored on the infected machine, and if it finds one, it will mount the image and then copy itself to the virtual machine image.\n\nResearchers found a similar piece of malware back in April. That one was [disguised as a Java applet](<https://threatpost.com/new-java-malware-exploits-both-windows-and-mac-users-042412/>) that would install different payloads depending upon what OS the target machine was running. So, attackers have decided that more is better when it comes to platforms. Why restrict your creation to just Windows or OS X when you can have both?\n\nMicrosoft researchers looked at a recent attack that involved a piece of malware using similar techniques and found that the attackers have been honing their skills.\n\n\u201cIn the case of a cross-platform offering, the attacker utilizes a _decision agent_ to recognize the appropriate package or software for its target. When the victim pulls pages or content from the attacker\u2019s distribution channel, an _agent_ (often referred to as the browser\u2019s user-agent) provides information, and a decision is made on behalf of the victim \u2013 that is, it automatically identifies the appropriate package or software without asking the user,\u201d Methusela Cebrian Ferrer of Microsoft\u2019s malware Protection Center wrote in an analysis of the techniques used by [cross-platform malware](<https://blogs.technet.com/b/mmpc/archive/2012/08/23/the-role-of-agent-as-part-of-distribution-channel-decision.aspx?Redirected=true>).\n\n\u201cHowever, in the [recent event described](<http://blogs.technet.com/b/mmpc/archive/2012/07/31/economies-of-scale-a-perspective-on-cross-platform-vulnerabilities.aspx> \"Economies of scale: A perspective on cross-platform vulnerabilities\" ), we observed that the delivery of malicious code through vulnerabilities in Java employs a decision _agent_ as part of a cross-platform attack. As shown in the timeline below, we first noticed this feature used in a Java vulnerability referred to as [CVE-2011-3544](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544> \"CVE-2011-3544\" ). It was followed last month by the use of a Java Signed Applet attack \u2013 a form of social engineering where the user is lured to accept a signed Java applet and thereafter allows the attacker to run any payload.\u201d\n\nOne thing that\u2019s helping drive this trend is the existence of vulnerabilities in apps such as Java that are installed on several platforms, giving attackers the ability to use one vulnerability to get their malware on more than one platform. That\u2019s a key advantage for the attackers, and highlights the importance of keeping third-party apps patched and up to date.", "published": "2012-08-24T14:57:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/rise-cross-platform-malware-082412/76947/", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-09-04T20:44:55"}, {"id": "NEW-JAVA-VULNERABILITY-COMING-BUNDLED-EXPLOIT-KITS-112811/75931", "type": "threatpost", "title": "New Java Vulnerability Coming Bundled With Exploit Kits", "description": "[](<https://threatpost.com/new-java-vulnerability-coming-bundled-exploit-kits-112811/>)A recently discovered Java vulnerability that\u2019s been circulating throughout the hacking underground has begun to show up alongside the BlackHole exploit kit, according to a post on Brian Krebs\u2019 [KrebsonSecurity blog](<http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/>).\n\n[The National Vulnerability Database](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544>) claims the vulnerability is found in the Java Runtime Environment Component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier builds. Specifically, a weakness in Java\u2019s Rhino Script Engine allows attackers to run arbitrary Java code outside of the sandbox. Those with the latest version of Java, Java 6 Update 29, or Java 7 Update 1, are not affected. \n\n### Related Posts\n\n#### [Patched ColdFusion Flaw Exposes Applications to Attack](<https://threatpost.com/patched-coldfusion-flaw-exposes-applications-to-attack/120301/> \"Permalink to Patched ColdFusion Flaw Exposes Applications to Attack\" )\n\nSeptember 1, 2016 , 9:15 am\n\n#### [Browser Address Bar Spoofing Vulnerability Disclosed](<https://threatpost.com/browser-address-bar-spoofing-vulnerability-disclosed/119951/> \"Permalink to Browser Address Bar Spoofing Vulnerability Disclosed\" )\n\nAugust 17, 2016 , 12:54 pm\n\n#### [Windows PDF Library Flaw Puts Edge Users at Risk for RCE](<https://threatpost.com/windows-pdf-library-flaw-puts-edge-users-at-risk-for-rce/119773/> \"Permalink to Windows PDF Library Flaw Puts Edge Users at Risk for RCE\" )\n\nAugust 9, 2016 , 2:59 pm\n\nAccording to an interview Krebs had with the hacker that maintains the BlackHole kit, the Java exploit is now being distributed free-of-charge to existing exploit kit owners. Otherwise it\u2019s being sold for $4,000, in addition to a license for the kit, which normally runs for $700 for three months.\n\nEven after being [patched in mid-October](<https://threatpost.com/oracle-release-56-patches-plus-20-more-java-october-cpu-101811/>) along with 19 other script engine flaws, the vulnerability has become trickier to deal with when packaged with an exploit kit like BlackHole. Stumbling upon a vulnerability-laden site on Internet Explorer or Mozilla Firefox could trigger the installation of malware if users are running an out-of-date build of the software.\n\nJava vulnerabilities continue to gain steam, even [surpassing Adobe last year](<https://threatpost.com/apple-ships-java-patches-says-it-may-drop-java-future-os-x-releases-102110/>) when it comes to the number of exploits. [BlackHole](<https://threatpost.com/black-hole-exploit-kit-available-free-052311/>), one of the newer and more popular exploit kits this year, makes extensive use of Java flaws. The platform\u2019s OBE (Open Business Engine) frequently uses them to load malicious executables.\n\nTo read Krebs\u2019 full account, [head here](<http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29>).", "published": "2011-11-28T16:39:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/new-java-vulnerability-coming-bundled-exploit-kits-112811/75931/", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-09-04T20:46:51"}, {"id": "JAVA-EXPLOIT-LINKED-RED-OCTOBER-ESPIONAGE-MALWARE-CAMPAIGN-011513/77405", "type": "threatpost", "title": "Java Exploit Linked to Red October Espionage Malware Campaign", "description": "Red October, the espionage campaign uncovered by Kaspersky Lab this week after attackers spent five years actively spying on diplomats, scientists, and governments worldwide, is using a Java exploit to infect its victims, bringing the exploit count to four in this campaign.\n\nSeculert, an Israeli security company, said today it has investigated one of the command and control servers in the [Red October infrastructure](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>) and found a website serving an exploit targeting [CVE-2011-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544>). The vulnerability is in Java 7 and 6 u27 and earlier. According to the CVE alert, the flaw allows remote untrusted Java Web Start applications and untrusted applets to execute malicious scripts. Oracle patched the vulnerability in October 2011.[](<https://threatpost.com/java-exploit-linked-red-october-espionage-malware-campaign-011513/>)\n\n### Related Posts\n\n#### [APT Attackers Flying More False Flags Than Ever](<https://threatpost.com/apt-attackers-flying-more-false-flags-than-ever/116814/> \"Permalink to APT Attackers Flying More False Flags Than Ever\" )\n\nMarch 17, 2016 , 6:00 am\n\n#### [Stealthy GlassRAT Spies on Commercial Targets](<https://threatpost.com/stealthy-glassrat-spies-on-commercial-targets/115453/> \"Permalink to Stealthy GlassRAT Spies on Commercial Targets\" )\n\nNovember 23, 2015 , 2:58 pm\n\n#### [Updated DGA Changer Malware Generates Fake Domain Stream](<https://threatpost.com/updated-dga-changer-malware-generates-fake-domain-stream/114159/> \"Permalink to Updated DGA Changer Malware Generates Fake Domain Stream\" )\n\nAugust 6, 2015 , 1:46 pm\n\nKaspersky Lab had previously identified [three Red October exploits](<http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation>), all of them malicious Excel or Word documents attached to spear phishing emails. The company was alerted to the spear phishing campaign by an unidentified partner, which led them to Red October. Researchers found several hundred infections and initially identified the three exploits and upwards of 1,000 unique malware files in 30 different categories including reconnaissance, data collection, code execution, credential harvesting and more. The exploits targeted mobile devices, workstations and removable storage drives.\n\nKaspersky found 60 domains in the C&C infrastructure and server hosts mainly in Germany and Russia that act as proxies hiding the true C&C server. It was able to sinkhole a half-dozen of the C&C servers and observed 55,000 connections since Nov. 2 from close to 250 IP addresses in 39 countries.\n\nAviv Raff, CTO and cofounder of Seculert, said the Java-based attacks used in the campaign also relied on spear phishing emails, these containing a link to a malicious webpage, purporting to be a news site, coded in PHP that would exploit the Java flaw downloading malware quietly in the background. Raff said the exploit\u2019s JAR file was compiled in February, three months after the patch was released.\n\nRaff said the attackers have since moved from PHP to CGI as their C&C scripting engine.\n\n\u201cUnfortunately for the attackers, after moving their server-side engine to CGI, accessing the PHP exploit web pages now displays the source code of the server side, instead of rendering the exploit,\u201d Raff wrote in a [blogpost](<http://blog.seculert.com/2013/01/operation-red-october-java-angle.html>). \u201cThis allowed us to take a sneak peak to the behind the scenes of their operation.\u201d\n\nRaff was able to examine the exploit\u2019s source code and determined the malware payload URL is encoded before it is passed to the malicious applet and is decoded only when the exploit is executed. Raff said the all of the victim\u2019s information is logged.\n\n\u201cWe can see that the attackers are adding a fingerprint at the end of the malware executable, which includes the unique identifier of the targeted victim,\u201d Raff said. \u201cThis is the same unique identifier which is used by the malware later on while communicating with the [command and control] servers.\u201d\n\nKaspersky said each successful attack is customized for the victim based on the information collected by the malware on system configuration and more; activity is carefully managed and organized by the attackers.\n\n\u201cAll the attacks are carefully tuned to the specifics of the victims,\u201d said Kurt Baumgartner, senior security researcher at Kaspersky. \u201cFor instance, the initial documents are customized to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside.\u201d\n\n\u201cLater, there is a high degree of interaction between the attackers and the victim \u2013 the operation is driven by the kind of configuration the victim has, which type of documents the use, installed software, native language and so on,\u201d Baumgartner said. \u201cCompared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more personal and finely tuned for the victims.\u201d\n\nKaspersky researchers were unwilling to link Red October, also known as Rocra, to Flame and other such espionage malware campaigns. Red October could be a copycat; some Flame exploit sites also were news themed and had the same \u201cNewsForYou\u201d server side control handler, Raff said.\n\nThe campaign targets not only Office documents, email messages and a long list of document types including the acid* extension, which Kaspersky said refers to the classified Acid Cryptofiler software used by the European Union and NATO.\n\n\u201cThe main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide,\u201d the Kaspersky report said. \u201cDuring the past five years, the attackers collected information from hundreds of high profile victims although it\u2019s unknown how the information was used. It is possible that the information was sold on the black market, or used directly.\u201d", "published": "2013-01-15T17:40:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/java-exploit-linked-red-october-espionage-malware-campaign-011513/77405/", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-09-04T20:46:23"}, {"id": "POSSIBLE-TARGETED-ATTACK-AMNESTY-INTERNATIONAL-WEB-SITE-FOUND-SERVING-MALWARE-122311/76029", "type": "threatpost", "title": "In Possible Targeted Attack, Amnesty International Web Site Found Serving Malware", "description": "Amnesty International\u2019s United Kingdom website was compromised late last week and was being used to exploit a known Java runtime environment hole on machines belonging to unwitting visitors to the site, according to [Barracuda Labs](<http://www.barracudalabs.com/wordpress/index.php/2011/12/22/authoritarian-regime-uses-human-rights-group-to-spy-on-activists/>) researcher, Paul Royal.\n\nCiting historical data, Royal claims that AI\u2019s website was compromised on Friday, December 16, and remained compromised through December 22. Those who visited AI\u2019s UK page were redirected to a legitimate but compromised Brazilian automotive site via an iframe, which then installed malicious [Java](<https://threatpost.com/java-still-favorite-target-attackers-113011/>) content, Barracuda said. The exploit targeted a known vulnerability identified by the handle [CVE-2011-3544](<https://threatpost.com/apple-releases-new-java-updates-fix-17-flaws-110911/>).\n\n### Related Posts\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\n#### [Insecure Redis Instances at Core of Attacks Against Linux Servers](<https://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-linux-servers/120312/> \"Permalink to Insecure Redis Instances at Core of Attacks Against Linux Servers\" )\n\nSeptember 1, 2016 , 1:08 pm\n\n#### [Fairware Attacks Targeting Linux Servers](<https://threatpost.com/fairware-attacks-targeting-linux-servers/120254/> \"Permalink to Fairware Attacks Targeting Linux Servers\" )\n\nAugust 31, 2016 , 10:21 am\n\nWhile the parties behind the attack are unknown, the decision to target a prominent human rights group like Amnesty may suggest that the attackers have other than financial motivations.\n\nAccording to Royal, the payload used in the attack is sophisticated enough to suggest that the hack was a targeted malware attack \u2013 though one being served through the exploitation of a popular public website. \n\nAmnesty said they were aware of the problem and were working to address it.\n\n\u201cWe have been working with our hosting service to resolve the problem,\u201d Emerson Povey of Amnesty International told [ZDNet\u2019s](<http://www.zdnet.com/blog/security/amnesty-international-uk-compromised-serving-exploits-and-malware/9861?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29>) Dancho Danchev. \u201c[We] have cleaned both servers, rebooted, and removed the script. At 2pm today [we] confirmed that the issue is now resolved.\u201d", "published": "2011-12-23T17:09:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/possible-targeted-attack-amnesty-international-web-site-found-serving-malware-122311/76029/", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-09-04T20:45:50"}, {"id": "EXPLOIT-KITS-NOW-UPDATED-NEW-WARES-PATCHES-ARE-READY-122011/76015", "type": "threatpost", "title": "Exploit Kits Now Updated With New Wares Before Patches Are Ready", "description": "[](<https://threatpost.com/exploit-kits-now-updated-new-wares-patches-are-ready-122011/>)The creators and maintainers of exploit kits often rely on public reports of new exploits and proof-of-concept exploit code in order to be able to add new exploits to their software. And in many cases, the exploits included in kits such as Black Hole and Eleonore and others will be for vulnerabilities that are older and have long since been patched. But, if recent events are any indication, that could be changing.\n\nIn mid-October, details of a new Java vulnerability emerged in various places, and descriptions of the flaw showed it to be a serious one that could lead to remote code execution. The CVE-2011-3544 vulnerability, though serious, was just one of many that had been found in various Java components in recent months, and there already were plenty of others in the exploit kits that were being used in attacks.\n\n### Related Posts\n\n#### [Insecure Redis Instances at Core of Attacks Against Linux Servers](<https://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-linux-servers/120312/> \"Permalink to Insecure Redis Instances at Core of Attacks Against Linux Servers\" )\n\nSeptember 1, 2016 , 1:08 pm\n\n#### [Misuse of Language: \u2018Cyber\u2019; When War is Not a War, and a Weapon is Not a Weapon](<https://threatpost.com/misuse-of-language-cyber-when-war-is-not-a-war-and-a-weapon-is-not-a-weapon/119740/> \"Permalink to Misuse of Language: \u2018Cyber\u2019; When War is Not a War, and a Weapon is Not a Weapon\" )\n\nAugust 9, 2016 , 9:00 am\n\n#### [Researchers Go Inside a Business Email Compromise Scam](<https://threatpost.com/researchers-go-inside-a-business-email-compromise-scam/119576/> \"Permalink to Researchers Go Inside a Business Email Compromise Scam\" )\n\nAugust 4, 2016 , 10:00 am\n\nBut within a few weeks of the details of the new Java bug becoming public, exploits for the flaw began showing up in some of the popular exploit kits, including Black Hole and Phoenix. Researchers say they began seeing new versions of the kits, which included the exploit for CVE-2011-3544, in the last few weeks, even before a patch was available. That\u2019s a somewhat unusual occurrence in exploit-kit land.\n\n\u201cThe Blackhole exploit kit presented above was modified to exploit clients that have Java installed, using the recently discovered CVE-2011-3544 vulnerability. This is the only vulnerability that is actually being exploited. A few days later, a new version of Phoenix exploit kit 3.0 was released, just a few weeks after the release of its predecessor, Phoenix 2.9,\u201d [Daniel Chechik of M86 Labs](<http://labs.m86security.com/2011/12/prevalent-exploit-kits-updated-with-a-new-java-exploit/>) wrote in an analysis of the exploits.\n\n\u201cA few weeks ago Michael \u2018mihi\u2019 Schierl [described a design error in Java.](<http://schierlm.users.sourceforge.net/CVE-2011-3544.html>) Basically this vulnerability is similar to other Java vulnerabilities where an untrusted code is executed in elevated privileges. Rhino is a Javascript engine that runs under the JVM and can interact with Java applets. An attacker can bypass the scripting engine protection by generating an error object, using Rhino script, which runs in elevated privileges and executing code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.\u201d\n\nOne of the reasons that the authors of the exploit kits may have been so quick to add the exploit for CVE-2011-3544 to their creations is that the vulnerability affects all of the platforms on which Java is supported, Chechik said in his analysis.\n\n\u201cThe vulnerability is cross-platform and doesn\u2019t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits,\u201d he wrote.", "published": "2011-12-20T13:09:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/exploit-kits-now-updated-new-wares-patches-are-ready-122011/76015/", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-09-04T20:47:21"}, {"id": "NEW-TROJAN-MAC-USED-ATTACKS-TIBETAN-NGOS-032112/76352", "type": "threatpost", "title": "New Trojan For Mac Used In Attacks On Tibetan NGOs", "description": "[](<https://threatpost.com/new-trojan-mac-used-attacks-tibetan-ngos-032112/>)The security firm Alienvault reports that its own research on phishing attacks against non governmental organizations supporting the Tibetan Government in Exile is now being used as bait in a new round of phishing attacks on those same NGOs.\n\n### Related Posts\n\n#### [Apple Patches Trident Vulnerabilities in OS X, Safari](<https://threatpost.com/apple-patches-trident-vulnerabilities-in-os-x-safari/120336/> \"Permalink to Apple Patches Trident Vulnerabilities in OS X, Safari\" )\n\nSeptember 2, 2016 , 10:00 am\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\n#### [Insecure Redis Instances at Core of Attacks Against Linux Servers](<https://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-linux-servers/120312/> \"Permalink to Insecure Redis Instances at Core of Attacks Against Linux Servers\" )\n\nSeptember 1, 2016 , 1:08 pm\n\nThe [firm](<http://www.alienvault.com/>) warned the public on Monday about a round of spear phishing e-mails being sent to NGOs related to Tibet. The e-mails mentioned previous research by the company on targeted attacks against Tibetan organizations. The phishing e-mails contain malicious links and attachments, including a new variant of a malicious program that can infect systems running Apple\u2019s Mac OS X operating system, Alien Vault warned.\n\nAlien Vault researcher Greg Walton wrote in a blog post that the company had detected e-mails sent to NGOs involved with work on Tibet on Monday with the subject \u201cTargeted attacks against Tibet organizations.\u201d Those e-mails contained malicious attachments, including Java applet\u2019s that [exploit a common vulnerability in the Java Runtime Environment](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544>). \n\n\n\nThe attack used malware both for Windows and MacOSX devices, according to AlienVault researchers. The MacOSX Trojan used is believed to be a variant of the GhostNet family and was undetectable by antivirus products as of Monday, [according to a post by AlienVault\u2019s Jaime Blasco](<http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/>).\n\nThis isn\u2019t the first time that the Tibetan Government in Exile and organizations supporting the Tibetan cause have been targeted. In 2009, researchers in Canada and the UK raised the alarm about a widespread and long standing espionage campaign, dubbed GhostNet, against governments, human rights organizations and others. That campaign [included malware-based surveillance of the Tibetan Government in Exile and Free Tibet movement](<http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html>). Though no government has taken claim for the spying, most fingers point to the government of China, which closely monitors the doings of the Dalai Lama and the Tibetan Government in Exile.\n\nIn a report on March 13, AlienVault\u2019s Blasco said that the company detected several targeted attacks against Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet, among others. \nResearchers there believe that the attacks originated with the same group of Chinese hackers [that launched the \u2018Nitro\u2019 attacks against chemical and defense companies late last year](<https://threatpost.com/symantec-traces-attacks-chemical-industry-20-year-old-chinese-hacker-hire-110111/>) \u2013 an intriguing link between industrial and political espionage that would seem to suggest government backing.\n\nAccording to AlienVault, the attacks in mid-March began with a spear phishing campaign related to the [Kalachakra Initiation](<http://en.wikipedia.org/wiki/Kalachakra>), a Tibetan religious festival that took place in early January. The phishing e-mails contained a contaminated Office file to exploit a known vulnerability in Microsoft. The malware that was ultimately installed on the machines of those who fell for the attack was a variant of the Gh0st RAT (remote access Trojan).\n\nThat malware, along with [Poison Ivy remote administration tool](<https://threatpost.com/poison-ivy-rat-still-giving-users-rash-110311/>) is a common element in GhostNet attacks. In fact, Gh0st RAT was the same malware used in the [Nitro attacks last year against energy and chemical industry firms](<https://threatpost.com/symantec-traces-attacks-chemical-industry-20-year-old-chinese-hacker-hire-110111/>). Other variants of it were used in the GhostNet attacks on governments, diplomatic missions and the private offices of the Dalai Lama in 2009. AlienVault claims that the variant it captured in the Tibetan attacks appeared to come from the same actors.", "published": "2012-03-21T18:31:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/new-trojan-mac-used-attacks-tibetan-ngos-032112/76352/", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-09-04T20:46:02"}, {"id": "CARBERP-IT-S-NOT-OVER-YET-032712/76370", "type": "threatpost", "title": "Carberp: It\u2019s Not Over Yet", "description": "\n\nOn 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story.\n\n### Related Posts\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\n#### [Inside the Demise of the Angler Exploit Kit](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/> \"Permalink to Inside the Demise of the Angler Exploit Kit\" )\n\nAugust 30, 2016 , 2:25 pm\n\n#### [Wildfire Ransomware Campaign Disrupted](<https://threatpost.com/wildfire-ransomware-campaign-disrupted/120095/> \"Permalink to Wildfire Ransomware Campaign Disrupted\" )\n\nAugust 24, 2016 , 12:57 pm\n\nEvidently, those arrested were just one of the criminal gangs using the Trojan. At the same time, those who actually developed Carberp are still at large, openly selling the Trojan on cybercriminal forums.\n\nHere is a recent offer for the \u2018multifunctional bankbot\u2019, which appeared on 21 March:\n\n\n\n_A post advertising the sale of Carberp_\n\nThere are still numerous \u2018affiliate programs\u2019 involved in the distribution of Carberp, particularly \u201ctraffbiz.ru\u201d.\n\nWe detected a new Carberp distribution incident on 21 March. Infection was initiated at radio-moswar.ru, a website devoted to the MosWar online browser game.\n\n\n\n_The main page of radio-moswar.ru_\n\nA page on the site includes a script which quietly redirects visitors to a web page in a third-level domain.\n\n\n\n_The script redirecting users from radio-moswar.ru_\n\nThe second-level domain belongs to Dyn \u2013 a company that offers free services for the creation of free *.dyndns.TLD third-level domains. Such services are popular among cybercriminals as they make it unnecessary to register new domains.\n\n\n\n_Screenshot of the dyndns.tv website_\n\nA series of redirects to different DynDns domains ultimately leads to a script of the traffbiz affiliate program. Officially, the program acts as an intermediary between webmasters and traffic buyers, but according to our information, it is mostly used by cybercriminals to distribute malware.\n\n\n\n_Screenshot of the traffbiz.ru website_\n\nA script generates the hit counter image that is demonstrated to users. The script also includes two iframes which quietly redirect users to two links.\n\n\n\n_The hit counter code on traffbiz.ru_\n\nOne of the links leads to Java (CVE-2011-3544) and PDF (CVE-2010-0188) exploits that download Trojan-Spy.Win32.Carberp.epm to the victim machine and launch it.\n\nThe Trojan attempts to connect to the command server by sending requests to three domains:\n\n****case-now.com\n\n****ssunrise.com\n\n****owfood-cord.com\n\nCuriously, according to whois data, these domains were registered on 20 March:\n\n\n\nCuriously, according to whois data, these domains were registered on 20 March.\n\nThe command server to which Carberp connects is operational. It sends the command to the bot to download configuration files specifying which information the bot should steal and how. During the attack, Carberp intercepts the content of Citibank and Raiffeisen Bank webpages on the computer, as well as pages that use software created by BSS, a company which develops and deploys automated remote banking systems.\n\nThe second link leads to the infamous BlackHole Exploit Pack, which downloads and launches two malicious programs: a version of Carberp (Trojan-Spy.Win32.Carberp.epl) and a password-stealing Trojan (Trojan-PSW.Win32.Agent.acne).\n\nCarberp also connects to a server located in Germany which has a different IP address. The domain name ****ltd.info was registered on 21 March:\n\n\n\nThe command center is operational but is not sending any commands as yet. The Trojan receives a list of plugins from that server.\n\nThe second piece of malware installed by the BlackHole Exploit Pack is designed to steal sensitive user data, such as FTP passwords. In addition, the Trojan modifies the hosts file to redirect users from vkontakte.ru and narod.ru sites to malicious servers.\n\nIn short, those responsible for developing Carberp remain at large and the cybercriminal gangs using the Trojan remain active. In other words, victory is a long way off.\n\n_*Vyacheslav Zakorzhevsky is a Senior Malware Analyst in Kaspersky Lab\u2019s heuristic detection group._", "published": "2012-03-27T15:40:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/carberp-it-s-not-over-yet-032712/76370/", "cvelist": ["CVE-2011-3544", "CVE-2010-0188"], "lastseen": "2016-09-04T20:53:17"}, {"id": "CROSS-PLATFORM-FLAWS-BOON-ATTACKERS-073112/76864", "type": "threatpost", "title": "Cross-Platform Flaws a Boon For Attackers", "description": "Attackers and malware writers, like many other people, tend to specialize, honing their skills in one particular discipline in order to maximize their chances for success. But Microsoft researchers have come across a series of malware samples and exploits that show that some attackers are beginning to target the same vulnerability across multiple platforms as a way to make the most out of their efforts.\n\nEven though Windows and Mac are still pretty well separated as platforms, there are a number of applications that run on both operating systems, including things such as Adobe Flash, Reader and Java. Attackers, not wanting to waste any time on small target bases and looking to maximize their profits, are focusing their efforts on vulnerabilities in these applications.\n\n### Related Posts\n\n#### [Apple Patches Trident Vulnerabilities in OS X, Safari](<https://threatpost.com/apple-patches-trident-vulnerabilities-in-os-x-safari/120336/> \"Permalink to Apple Patches Trident Vulnerabilities in OS X, Safari\" )\n\nSeptember 2, 2016 , 10:00 am\n\n#### [EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics](<https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/> \"Permalink to EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics\" )\n\nAugust 18, 2016 , 4:38 pm\n\n#### [Latest Windows UAC Bypass Permits Code Execution](<https://threatpost.com/latest-windows-uac-bypass-permits-code-execution/119887/> \"Permalink to Latest Windows UAC Bypass Permits Code Execution\" )\n\nAugust 15, 2016 , 3:35 pm\n\nMicrosoft researchers looked at a specific set of vulnerabilities that are found in applications on both Windows and Mac OS X and found that some attackers are going after flaws from as far back as 2009 in Office documents, and 2010 in Flash and Java and Reader.\n\n\u201cThis observation is limited and based on the samples we identified, acquired and processed, however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker\u2019s motive, the value and demand for these vulnerabilities is likely to persist \u2013 we know for a fact that Java vulnerabilities [CVE-2011-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544>) and [CVE-2012-0507](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0507>) are widely used by cybercriminals\u2019 in exploit kits, such as [Blacole/Blackhole](<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Blacole>),\u201d [Methusela Cebrian Ferrer](<https://blogs.technet.com/b/mmpc/archive/2012/07/31/economies-of-scale-a-perspective-on-cross-platform-vulnerabilities.aspx?Redirected=true>) of the Microsoft Malware Protection Center wrote.\n\nMicrosoft\u2019s investigation of the way that attackers are using cross-platform vulnerabilities began about a year ago when the company\u2019s researchers came across a backdoor aimed at Mac users. The malware disguised itself as a Google app on the infected machine and then initiated a remote connection to a command-and-control server.\n\n\u201cOnce connected, the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download and navigate through files and directory. For more detail, have a look at the [Backdoor:MacOS_X/Olyx.A description](<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:MacOS_X/Olyx.A>) in our encyclopedia,\u201d Ferrer wrote at the time. \n\n\u201cFurthermore, another interesting observation here is that the feature set and the code found in this backdoor appear to be similar to that of Gh0st RAT 3.6, also known as \u2018Ghostnet\u2019.\u201d\n\nThe backdoor included both a Mac and Windows executable in the files it installed on infected machines, an unusual behavior for a piece of malware. That got the researchers thinking about what might be going on and whether there were other attackers employing the same strategy and going after bugs on both Windows and OS X.\n\nThis highlights the importance of keeping security software up-to-date, and ensuring operating system and 3rd party security patches are installed (soon after they become available) in order to reduce the risk of malware infection. And, this best practice should extend to all devices and platforms, especially those in large enterprise networks,\u201d Ferrer wrote.", "published": "2012-07-31T13:46:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/cross-platform-flaws-boon-attackers-073112/76864/", "cvelist": ["CVE-2012-0507", "CVE-2011-3544"], "lastseen": "2016-09-04T20:51:36"}, {"id": "ATTACKERS-EXPLOIT-JAVA-COMPROMISES-REPORTERS-WITHOUT-BORDERS-SITE-012313/77443", "type": "threatpost", "title": "Attackers Exploit Java, Compromise Reporters Without Borders Site", "description": "[](<https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/>)The [Java saga](<https://threatpost.com/its-time-abandon-java-012113/>) continued when unknown, and apparently well concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group, Reporters Without Borders. The attack, which attempted to take advantage of the time-gulf that separates Oracle\u2019s patch release from their users\u2019 application of it, is part of a [watering hole campaign](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) also targeting [Tibetan](<https://threatpost.com/new-trojan-mac-used-attacks-tibetan-ngos-032112/>) and Uygur human rights groups as well as Hong Kong and Taiwanese political parties and other non-governmental organizations.\n\n[Writing on the Avast Security blog](<https://blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/>), Jindrich Kubec claims it is safe to assume that China is behind these attacks. Kubec\u2019s assertion appears to be based, at least in part, on the reality that visitors to the [watering hole](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>) sites (and the sites themselves for that matter), are, for lack of a better way to put it, individuals, organizations, and political entities that the People\u2019s Republic publically does not like.\n\n### Related Posts\n\n#### [Threatpost News Wrap, August 19, 2016](<https://threatpost.com/threatpost-news-wrap-august-19-2016/120003/> \"Permalink to Threatpost News Wrap, August 19, 2016\" )\n\nAugust 19, 2016 , 9:00 am\n\n#### [Patched IE Zero Day Incorporated into Neutrino EK](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/> \"Permalink to Patched IE Zero Day Incorporated into Neutrino EK\" )\n\nJuly 15, 2016 , 4:16 pm\n\n#### [Congressional Report: China Hacked FDIC And Agency Covered It Up](<https://threatpost.com/congressional-report-china-hacked-fdic-and-agency-covered-it-up/119276/> \"Permalink to Congressional Report: China Hacked FDIC And Agency Covered It Up\" )\n\nJuly 13, 2016 , 4:23 pm\n\nThe watering hole attack is a social engineering technique whereby attackers attempt to compromise websites that are not directly or officially related to their intended targets but which they believe members of an intended target organization are likely to visit.\n\nAccording to the Avast report, the attackers used the recent Internet Explorer and Java vulnerabilities, identified as CVE-2012-4792 and CVE-2013-0422 respectively. Microsoft resolved the IE bug with [MS13-008](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>) and Oracle fixed theirs with [Java 7 update 11](<https://threatpost.com/newest-java-7-update-still-exploitable-researcher-says-090412/>).\n\nIn the end, if the exploits succeed they will infect victim machines with either a [remote access trojan](<https://threatpost.com/fakem-rat-mimics-normal-network-traffic-011813/>) that phones home to the Singapore-based \u201cluckmevnc.myvnc.com\u201d (IP address 112.140.186.252) or an injector that flashes a fake error page while downloading a similar remote access tool that communicates with the Hong Kong-based \u201cd.wt.ikwb.com\u201d (58.64.179.139).\n\nAn English version of the Reporters Without Borders site contained a suspicious jacvascript inclusion. That inclusion creates a cookie called \u201csomethingbbbbb\u201d designed to expire after one day. The same cookie was used in similar attacks a few years ago and Kubec believes it could be related to the legitimate m.js cookie, \u201csomethingeeee,\u201d used by a Honk Kong political party.\n\nKubec also determined that an iframe from hxxp://newsite.acmetoy.com/m/d/pdf.html targeted users visiting the site in IE 8. There were an additional two iframes, hxxp://newsite.acmetoy.com/m/d/pdf.html and hxxp://newsite.acmetoy.com/m/d/javapdf.html reserved for those that visited the site on a browser other than IE.\n\nAccording to Kubec\u2019s analysis of newsite.acmetoy.com, a number of files relating to the IE exploit listed above, including a DOITYOUR obfuscated Javascript file which attempts to exploit the latest Internet Explorer vulnerability as well as DOITYOUR variants of \u201ctoday.swf,\u201d \u201cnews.html,\u201d and \u201crobots.txt.\u201d\n\nThe site also attempted to exploit at least one other Java vulnerability from back in 2011 as well (CVE-2011-3544) and contained the related files, \u201cjavapdf.html,\u201d a javascript file for both vulnerabilities, \u201cAppletHigh.jar,\u201d a CVE-2013-0422 exploit, and \u201cAppletLow.jar,\u201d a CVE-2011-3544 exploit.\n\nIn an analysis of other site (98.129.194.210), Kubec found that it contained the same malicious Java-related content and reasons that it probably serves as a backup to the first in the event of a takedown.\n\nAvast said it notified Reporters Without Borders.", "published": "2013-01-23T18:53:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/77443/", "cvelist": ["CVE-2012-4792", "CVE-2011-3544", "CVE-2013-0422"], "lastseen": "2016-09-04T20:46:38"}], "seebug": [{"id": "SSV:60220", "type": "seebug", "title": "IBM Rational AppScan 8.x/7.x \u591a\u4e2a\u5b89\u5168\u6f0f\u6d1e", "description": "CVE ID: CVE-2011-3389,CVE-2011-3516,CVE-2011-3521,CVE-2011-3544,CVE-2011-3545,CVE-2011-3546,CVE-2011-3547,CVE-2011-3548,CVE-2011-3549,CVE-2011-3550,CVE-2011-3551,CVE-2011-3552,CVE-2011-3553,CVE-2011-3554,CVE-2011-3556,CVE-2011-3557,CVE-2011-3560,CVE-2011-3561,CVE-2011-3563,CVE-2011-5035,CVE-2012-0497,CVE-2012-0498,CVE-2012-0499,CVE-2012-0500,CVE-2012-0501,CVE-2012-0502,CVE-2012-0503,CVE-2012-0505,CVE-2012-0506,CVE-2012-0507,CVE-2012-0732,CVE-2012-2159,CVE-2012-2161\r\n\r\nIBM Rational AppScan\u662f\u5e94\u7528\u5b89\u5168\u6027\u8f6f\u4ef6\uff0c\u80fd\u591f\u5728\u5f00\u53d1\u7684\u5404\u4e2a\u9636\u6bb5\u626b\u63cf\u5e76\u6d4b\u8bd5\u6240\u6709\u5e38\u89c1\u7684Web\u5e94\u7528\u6f0f\u6d1e\u3002\r\n\r\nIBM Rational AppScan 8.6\u4e4b\u524d\u7248\u672c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u591a\u4e2a\u6f0f\u6d1e\uff0c\u53ef\u88ab\u6076\u610f\u7528\u6237\u5229\u7528\u6cc4\u9732\u654f\u611f\u4fe1\u606f\u3001\u6267\u884c\u6b3a\u9a97\u548cXSS\u653b\u51fb\u3001\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3001\u5bf9DNS\u7f13\u5b58\u6295\u6bd2\u3001\u64cd\u4f5c\u67d0\u4e9b\u6570\u636e\u3001\u9020\u6210\u62d2\u7edd\u670d\u52a1\u548c\u63a7\u5236\u53d7\u5f71\u54cd\u7cfb\u7edf\u3002\n0\nIBM Rational AppScan 8.x\r\nIBM Rational AppScan 7.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nIBM\r\n---\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c\uff1a\r\n\r\nhttp://www.ers.ibm.com/", "published": "2012-06-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-60220", "cvelist": ["CVE-2011-3389", "CVE-2011-3516", "CVE-2011-3521", "CVE-2011-3544", "CVE-2011-3545", "CVE-2011-3546", "CVE-2011-3547", "CVE-2011-3548", "CVE-2011-3549", "CVE-2011-3550", "CVE-2011-3551", "CVE-2011-3552", "CVE-2011-3553", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3557", "CVE-2011-3560", "CVE-2011-3561", "CVE-2011-3563", "CVE-2011-5035", "CVE-2012-0497", "CVE-2012-0498", "CVE-2012-0499", "CVE-2012-0500", "CVE-2012-0501", "CVE-2012-0502", "CVE-2012-0503", "CVE-2012-0505", "CVE-2012-0506", "CVE-2012-0507", "CVE-2012-0732", "CVE-2012-2159", "CVE-2012-2161"], "lastseen": "2017-11-19T21:33:03"}, {"id": "SSV:20957", "type": "seebug", "title": "Microsoft Windows SSL/TLS\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e", "description": "CVE ID: CVE-2011-3389\r\n\r\nMicrosoft Windows\u662f\u5fae\u8f6f\u53d1\u5e03\u7684\u975e\u5e38\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nMicrosoft Windows\u5728SSL/TLS\u534f\u8bae\u7684\u5b9e\u73b0\u4e0a\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u6cc4\u9732\u654f\u611f\u4fe1\u606f\u5e76\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3002\r\n\r\n\u6b64\u6f0f\u6d1e\u6e90\u4e8e\u5728CBC\u6a21\u5f0f\u4e2d\u7ed3\u5408\u5bf9\u79f0\u5bc6\u7801\u5957\u4ef6\u4f7f\u7528Secure Sockets Layer 3.0 (SSL)\u548cTransport Layer Security 1.0 (TLS) \u534f\u8bae\u65f6\u51fa\u73b0\u7684\u8bbe\u8ba1\u9519\u8bef\uff0c\u901a\u8fc7\u4e2d\u95f4\u4eba\u653b\u51fb\u52a0\u5bc6HTTPS\u4f1a\u8bdd\u3002\n\nMicrosoft Windows\r\nMicrosoft Windows XP Home\r\nMicrosoft Windows XP Professional\r\nMicrosoft Windows Server 2003\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff082588513\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\n2588513\uff1aMicrosoft releases Security Advisory 2588513\r\n\r\n\u94fe\u63a5\uff1ahttp://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx", "published": "2011-09-29T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-20957", "cvelist": ["CVE-2011-3389"], "lastseen": "2017-11-19T17:59:04"}, {"id": "SSV:60296", "type": "seebug", "title": "Apple XCode 4.x \u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e", "description": "BUGTRAQ ID: 54679\r\nCVE ID: CVE-2012-3698,CVE-2011-3389\r\n\r\nXcode\u662f\u82f9\u679c\u673a\u5668\u4e0a\u6240\u4f7f\u7528\u7684\u5f00\u53d1\u5de5\u5177\u3002\r\n\r\nApple Xcode 4.4\u4e4b\u524d\u7248\u672c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u53ef\u88ab\u6076\u610f\u7528\u6237\u5229\u7528\u6cc4\u9732\u654f\u611f\u4fe1\u606f\uff0c\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\uff0c\u7ed5\u8fc7\u67d0\u4e9b\u5b89\u5168\u9650\u5236\u3002\r\n\r\n1\uff09 SSL 3.0\u548cTLS 1.0\u534f\u8bae\u7684\u5b9e\u73b0\u4e2d\u5b58\u5728\u8bbe\u8ba1\u9519\u8bef\u3002\r\n2\uff09 DR\u5b9e\u73b0\u4e2d\u7684\u9519\u8bef\u53ef\u5141\u8bb8App Store\u5e94\u7528\u8bbf\u95ee\u7528Xcode\u6784\u5efa\u7684Helper\u5de5\u5177\u4e2d\u7684\u5bc6\u94a5\u94fe\u9879\u76ee\u3002\n0\nApple XCode 4.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nApple\r\n-----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://support.apple.com/", "published": "2012-07-27T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-60296", "cvelist": ["CVE-2011-3389", "CVE-2012-3698"], "lastseen": "2017-11-19T17:49:53"}, {"id": "SSV:72368", "type": "seebug", "title": "Java Applet Rhino Script Engine Remote Code Execution", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-72368", "cvelist": ["CVE-2011-3544"], "lastseen": "2017-11-19T16:12:59"}, {"id": "SSV:24273", "type": "seebug", "title": "Oracle Java Applet Rhino\u811a\u672c\u5f15\u64ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "description": "Bugtraq ID: 50218\r\nCVE ID\uff1aCVE-2011-3544\r\n\r\nSun Java Runtime Environment\u662f\u4e00\u6b3e\u4e3aJAVA\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u53ef\u9760\u7684\u8fd0\u884c\u73af\u5883\u7684\u89e3\u51b3\u65b9\u6848\u3002\r\nJava\u5904\u7406Rhino JavaScript\u9519\u8bef\u5b58\u5728\u7f3a\u9677\uff0cJava\u4e2d\u7684\u5185\u7f6ejavascript\u5f15\u64ce\u6ca1\u6709\u5bf9javascript\u9519\u8bef\u5bf9\u8c61\u6267\u884c\u5145\u5206\u8fc7\u6ee4\uff0c\u7ed3\u679c\u5bfc\u81f4\u4e0d\u53ef\u4fe1\u4ee3\u7801\u4ee5\u7279\u6743\u4e0a\u4e0b\u6587\u8fd0\u884c\n\nSun SDK (Windows Production Release) 1.4.2 _24\r\n Sun SDK (Windows Production Release) 1.4.2 _15\r\n Sun SDK (Windows Production Release) 1.4.2 _10\r\n Sun SDK (Windows Production Release) 1.4.2 _09\r\n Sun SDK (Windows Production Release) 1.4.2 _08\r\n Sun SDK (Windows Production Release) 1.4.2 _07\r\n Sun SDK (Windows Production Release) 1.4.2 _06\r\n Sun SDK (Windows Production Release) 1.4.2 _05\r\n Sun SDK (Windows Production Release) 1.4.2 _04\r\n Sun SDK (Windows Production Release) 1.4.2 _03\r\n Sun SDK (Windows Production Release) 1.4.2\r\n Sun SDK (Windows Production Release) 1.4.2_33\r\n Sun SDK (Windows Production Release) 1.4.2_32\r\n Sun SDK (Windows Production Release) 1.4.2_31\r\n Sun SDK (Windows Production Release) 1.4.2_30\r\n Sun SDK (Windows Production Release) 1.4.2_29\r\n Sun SDK (Windows Production Release) 1.4.2_28\r\n Sun SDK (Windows Production Release) 1.4.2_27\r\n Sun SDK (Windows Production Release) 1.4.2_26\r\n Sun SDK (Windows Production Release) 1.4.2_25\r\n Sun SDK (Windows Production Release) 1.4.2_22\r\n Sun SDK (Windows Production Release) 1.4.2_20\r\n Sun SDK (Windows Production Release) 1.4.2_19\r\n Sun SDK (Windows Production Release) 1.4.2_18\r\n Sun SDK (Windows Production Release) 1.4.2_17\r\n Sun SDK (Windows Production Release) 1.4.2_16\r\n Sun SDK (Windows Production Release) 1.4.2_14\r\n Sun SDK (Windows Production Release) 1.4.2_13\r\n Sun SDK (Windows Production Release) 1.4.2_12\r\n Sun SDK (Windows Production Release) 1.4.2_11\r\n Sun SDK (Solaris Production Release) 1.4.2 _24\r\n Sun SDK (Solaris Production Release) 1.4.2 _15\r\n Sun SDK (Solaris Production Release) 1.4.2 _10\r\n Sun SDK (Solaris Production Release) 1.4.2 _09\r\n Sun SDK (Solaris Production Release) 1.4.2 _08\r\n Sun SDK (Solaris Production Release) 1.4.2 _07\r\n Sun SDK (Solaris Production Release) 1.4.2 _06\r\n Sun SDK (Solaris Production Release) 1.4.2 _05\r\n Sun SDK (Solaris Production Release) 1.4.2 _04\r\n Sun SDK (Solaris Production Release) 1.4.2 _03\r\n Sun SDK (Solaris Production Release) 1.4.2\r\n Sun SDK (Solaris Production Release) 1.4.2_33\r\n Sun SDK (Solaris Production Release) 1.4.2_32\r\n Sun SDK (Solaris Production Release) 1.4.2_31\r\n Sun SDK (Solaris Production Release) 1.4.2_30\r\n Sun SDK (Solaris Production Release) 1.4.2_29\r\n Sun SDK (Solaris Production Release) 1.4.2_28\r\n Sun SDK (Solaris Production Release) 1.4.2_27\r\n Sun SDK (Solaris Production Release) 1.4.2_26\r\n Sun SDK (Solaris Production Release) 1.4.2_25\r\n Sun SDK (Solaris Production Release) 1.4.2_22\r\n Sun SDK (Solaris Production Release) 1.4.2_20\r\n Sun SDK (Solaris Production Release) 1.4.2_19\r\n Sun SDK (Solaris Production Release) 1.4.2_18\r\n Sun SDK (Solaris Production Release) 1.4.2_17\r\n Sun SDK (Solaris Production Release) 1.4.2_16\r\n Sun SDK (Solaris Production Release) 1.4.2_14\r\n Sun SDK (Solaris Production Release) 1.4.2_13\r\n Sun SDK (Solaris Production Release) 1.4.2_12\r\n Sun SDK (Solaris Production Release) 1.4.2_11\r\n Sun SDK (Linux Production Release) 1.4.2 _24\r\n Sun SDK (Linux Production Release) 1.4.2 _15\r\n Sun SDK (Linux Production Release) 1.4.2 _10\r\n Sun SDK (Linux Production Release) 1.4.2 _09\r\n Sun SDK (Linux Production Release) 1.4.2 _08\r\n Sun SDK (Linux Production Release) 1.4.2 _07\r\n Sun SDK (Linux Production Release) 1.4.2 _06\r\n Sun SDK (Linux Production Release) 1.4.2 _05\r\n Sun SDK (Linux Production Release) 1.4.2 _04\r\n Sun SDK (Linux Production Release) 1.4.2 _03\r\n Sun SDK (Linux Production Release) 1.4.2 _02\r\n Sun SDK (Linux Production Release) 1.4.2 _01\r\n Sun SDK (Linux Production Release) 1.4.2\r\n Sun SDK (Linux Production Release) 1.4.2_33\r\n Sun SDK (Linux Production Release) 1.4.2_32\r\n Sun SDK (Linux Production Release) 1.4.2_31\r\n Sun SDK (Linux Production Release) 1.4.2_30\r\n Sun SDK (Linux Production Release) 1.4.2_29\r\n Sun SDK (Linux Production Release) 1.4.2_28\r\n Sun SDK (Linux Production Release) 1.4.2_27\r\n Sun SDK (Linux Production Release) 1.4.2_26\r\n Sun SDK (Linux Production Release) 1.4.2_25\r\n Sun SDK (Linux Production Release) 1.4.2_22\r\n Sun SDK (Linux Production Release) 1.4.2_20\r\n Sun SDK (Linux Production Release) 1.4.2_19\r\n Sun SDK (Linux Production Release) 1.4.2_18\r\n Sun SDK (Linux Production Release) 1.4.2_17\r\n Sun SDK (Linux Production Release) 1.4.2_16\r\n Sun SDK (Linux Production Release) 1.4.2_14\r\n Sun SDK (Linux Production Release) 1.4.2_13\r\n Sun SDK (Linux Production Release) 1.4.2_12\r\n Sun SDK (Linux Production Release) 1.4.2_11\r\n Sun JRE (Windows Production Release) 1.6 _17\r\n Sun JRE (Windows Production Release) 1.6 _13\r\n Sun JRE (Windows Production Release) 1.6 _12\r\n Sun JRE (Windows Production Release) 1.6 _10\r\n Sun JRE (Windows Production Release) 1.6 _07\r\n Sun JRE (Windows Production Release) 1.6 _06\r\n Sun JRE (Windows Production Release) 1.6 _05\r\n Sun JRE (Windows Production Release) 1.6 _04\r\n Sun JRE (Windows Production Release) 1.6\r\n Sun JRE (Windows Production Release) 1.5 _22\r\n Sun JRE (Windows Production Release) 1.5 _18\r\n Sun JRE (Windows Production Release) 1.5 _16\r\n Sun JRE (Windows Production Release) 1.5 _15\r\n Sun JRE (Windows Production Release) 1.5 _06\r\n Sun JRE (Windows Production Release) 1.5 _05\r\n Sun JRE (Windows Production Release) 1.5 _04\r\n Sun JRE (Windows Production Release) 1.5 _03\r\n Sun JRE (Windows Production Release) 1.5 _02\r\n Sun JRE (Windows Production Release) 1.5 _01\r\n Sun JRE (Windows Production Release) 1.5\r\n Sun JRE (Windows Production Release) 1.4.2 _28\r\n Sun JRE (Windows Production Release) 1.4.2 _27\r\n Sun JRE (Windows Production Release) 1.4.2 _24\r\n Sun JRE (Windows Production Release) 1.4.2 _10\r\n Sun JRE (Windows Production Release) 1.4.2 _09\r\n Sun JRE (Windows Production Release) 1.4.2 _09\r\n Sun JRE (Windows Production Release) 1.4.2 _08\r\n Sun JRE (Windows Production Release) 1.4.2 _08\r\n Sun JRE (Windows Production Release) 1.4.2 _07\r\n Sun JRE (Windows Production Release) 1.4.2 _07\r\n Sun JRE (Windows Production Release) 1.4.2 _06\r\n Sun JRE (Windows Production Release) 1.4.2 _05\r\n Sun JRE (Windows Production Release) 1.4.2 _04\r\n Sun JRE (Windows Production Release) 1.4.2 _03\r\n Sun JRE (Windows Production Release) 1.4.2 _02\r\n Sun JRE (Windows Production Release) 1.4.2 _01\r\n Sun JRE (Windows Production Release) 1.4.2\r\n Sun JRE (Windows Production Release) 1.6.0_27\r\n Sun JRE (Windows Production Release) 1.6.0_26\r\n Sun JRE (Windows Production Release) 1.6.0_25\r\n Sun JRE (Windows Production Release) 1.6.0_24\r\n Sun JRE (Windows Production Release) 1.6.0_23\r\n Sun JRE (Windows Production Release) 1.6.0_22\r\n Sun JRE (Windows Production Release) 1.6.0_21\r\n Sun JRE (Windows Production Release) 1.6.0_20\r\n Sun JRE (Windows Production Release) 1.6.0_2\r\n Sun JRE (Windows Production Release) 1.6.0_19\r\n Sun JRE (Windows Production Release) 1.6.0_18\r\n Sun JRE (Windows Production Release) 1.6.0_15\r\n Sun JRE (Windows Production Release) 1.6.0_14\r\n Sun JRE (Windows Production Release) 1.6.0_11\r\n Sun JRE (Windows Production Release) 1.6.0_03\r\n Sun JRE (Windows Production Release) 1.6.0_02\r\n Sun JRE (Windows Production Release) 1.6.0_01\r\n Sun JRE (Windows Production Release) 1.5.0_31\r\n Sun JRE (Windows Production Release) 1.5.0_30\r\n Sun JRE (Windows Production Release) 1.5.0_29\r\n Sun JRE (Windows Production Release) 1.5.0_28\r\n Sun JRE (Windows Production Release) 1.5.0_27\r\n Sun JRE (Windows Production Release) 1.5.0_26\r\n Sun JRE (Windows Production Release) 1.5.0_25\r\n Sun JRE (Windows Production Release) 1.5.0_23\r\n Sun JRE (Windows Production Release) 1.5.0_20\r\n Sun JRE (Windows Production Release) 1.5.0_17\r\n Sun JRE (Windows Production Release) 1.5.0_14\r\n Sun JRE (Windows Production Release) 1.5.0_13\r\n Sun JRE (Windows Production Release) 1.5.0_12\r\n Sun JRE (Windows Production Release) 1.5.0_11\r\n Sun JRE (Windows Production Release) 1.5.0_10\r\n Sun JRE (Windows Production Release) 1.5.0.0_09\r\n Sun JRE (Windows Production Release) 1.5.0.0_08\r\n Sun JRE (Windows Production Release) 1.5.0.0_07\r\n Sun JRE (Windows Production Release) 1.4.2_33\r\n Sun JRE (Windows Production Release) 1.4.2_32\r\n Sun JRE (Windows Production Release) 1.4.2_31\r\n Sun JRE (Windows Production Release) 1.4.2_30\r\n Sun JRE (Windows Production Release) 1.4.2_29\r\n Sun JRE (Windows Production Release) 1.4.2_25\r\n Sun JRE (Windows Production Release) 1.4.2_22\r\n Sun JRE (Windows Production Release) 1.4.2_20\r\n Sun JRE (Windows Production Release) 1.4.2_19\r\n Sun JRE (Windows Production Release) 1.4.2_18\r\n Sun JRE (Windows Production Release) 1.4.2_17\r\n Sun JRE (Windows Production Release) 1.4.2_16\r\n Sun JRE (Windows Production Release) 1.4.2_15\r\n Sun JRE (Windows Production Release) 1.4.2_14\r\n Sun JRE (Windows Production Release) 1.4.2_13\r\n Sun JRE (Windows Production Release) 1.4.2_12\r\n Sun JRE (Windows Production Release) 1.4.2_11\r\n Sun JRE (Solaris Production Release) 1.6 _17\r\n Sun JRE (Solaris Production Release) 1.6 _13\r\n Sun JRE (Solaris Production Release) 1.6 _12\r\n Sun JRE (Solaris Production Release) 1.6 _10\r\n Sun JRE (Solaris Production Release) 1.6 _07\r\n Sun JRE (Solaris Production Release) 1.6 _06\r\n Sun JRE (Solaris Production Release) 1.6 _05\r\n Sun JRE (Solaris Production Release) 1.6 _04\r\n Sun JRE (Solaris Production Release) 1.6\r\n Sun JRE (Solaris Production Release) 1.5 _22\r\n Sun JRE (Solaris Production Release) 1.5 _18\r\n Sun JRE (Solaris Production Release) 1.5 _16\r\n Sun JRE (Solaris Production Release) 1.5 _15\r\n Sun JRE (Solaris Production Release) 1.5 _06\r\n Sun JRE (Solaris Production Release) 1.5 _05\r\n Sun JRE (Solaris Production Release) 1.5 _04\r\n Sun JRE (Solaris Production Release) 1.5 _03\r\n Sun JRE (Solaris Production Release) 1.5 _02\r\n Sun JRE (Solaris Production Release) 1.5 _01\r\n Sun JRE (Solaris Production Release) 1.5\r\n Sun JRE (Solaris Production Release) 1.4.2 _24\r\n Sun JRE (Solaris Production Release) 1.4.2 _10\r\n Sun JRE (Solaris Production Release) 1.4.2 _09\r\n Sun JRE (Solaris Production Release) 1.4.2 _09\r\n Sun JRE (Solaris Production Release) 1.4.2 _08\r\n Sun JRE (Solaris Production Release) 1.4.2 _08\r\n Sun JRE (Solaris Production Release) 1.4.2 _07\r\n Sun JRE (Solaris Production Release) 1.4.2 _07\r\n Sun JRE (Solaris Production Release) 1.4.2 _06\r\n Sun JRE (Solaris Production Release) 1.4.2 _05\r\n Sun JRE (Solaris Production Release) 1.4.2 _04\r\n Sun JRE (Solaris Production Release) 1.4.2 _03\r\n Sun JRE (Solaris Production Release) 1.4.2 _02\r\n Sun JRE (Solaris Production Release) 1.4.2 _01\r\n Sun JRE (Solaris Production Release) 1.4.2\r\n Sun JRE (Solaris Production Release) 1.6.0_27\r\n Sun JRE (Solaris Production Release) 1.6.0_26\r\n Sun JRE (Solaris Production Release) 1.6.0_25\r\n Sun JRE (Solaris Production Release) 1.6.0_24\r\n Sun JRE (Solaris Production Release) 1.6.0_23\r\n Sun JRE (Solaris Production Release) 1.6.0_22\r\n Sun JRE (Solaris Production Release) 1.6.0_21\r\n Sun JRE (Solaris Production Release) 1.6.0_2\r\n Sun JRE (Solaris Production Release) 1.6.0_19\r\n Sun JRE (Solaris Production Release) 1.6.0_18\r\n Sun JRE (Solaris Production Release) 1.6.0_15\r\n Sun JRE (Solaris Production Release) 1.6.0_14\r\n Sun JRE (Solaris Production Release) 1.6.0_11\r\n Sun JRE (Solaris Production Release) 1.6.0_03\r\n Sun JRE (Solaris Production Release) 1.6.0_02\r\n Sun JRE (Solaris Production Release) 1.6.0_01\r\n Sun JRE (Solaris Production Release) 1.5.0_31\r\n Sun JRE (Solaris Production Release) 1.5.0_30\r\n Sun JRE (Solaris Production Release) 1.5.0_29\r\n Sun JRE (Solaris Production Release) 1.5.0_28\r\n Sun JRE (Solaris Production Release) 1.5.0_27\r\n Sun JRE (Solaris Production Release) 1.5.0_26\r\n Sun JRE (Solaris Production Release) 1.5.0_25\r\n Sun JRE (Solaris Production Release) 1.5.0_23\r\n Sun JRE (Solaris Production Release) 1.5.0_20\r\n Sun JRE (Solaris Production Release) 1.5.0_17\r\n Sun JRE (Solaris Production Release) 1.5.0_14\r\n Sun JRE (Solaris Production Release) 1.5.0_13\r\n Sun JRE (Solaris Production Release) 1.5.0_12\r\n Sun JRE (Solaris Production Release) 1.5.0_11\r\n Sun JRE (Solaris Production Release) 1.5.0_10\r\n Sun JRE (Solaris Production Release) 1.5.0.0_09\r\n Sun JRE (Solaris Production Release) 1.5.0.0_08\r\n Sun JRE (Solaris Production Release) 1.5.0.0_07\r\n Sun JRE (Solaris Production Release) 1.4.2_33\r\n Sun JRE (Solaris Production Release) 1.4.2_32\r\n Sun JRE (Solaris Production Release) 1.4.2_31\r\n Sun JRE (Solaris Production Release) 1.4.2_30\r\n Sun JRE (Solaris Production Release) 1.4.2_29\r\n Sun JRE (Solaris Production Release) 1.4.2_28\r\n Sun JRE (Solaris Production Release) 1.4.2_27\r\n Sun JRE (Solaris Production Release) 1.4.2_25\r\n Sun JRE (Solaris Production Release) 1.4.2_22\r\n Sun JRE (Solaris Production Release) 1.4.2_20\r\n Sun JRE (Solaris Production Release) 1.4.2_19\r\n Sun JRE (Solaris Production Release) 1.4.2_18\r\n Sun JRE (Solaris Production Release) 1.4.2_17\r\n Sun JRE (Solaris Production Release) 1.4.2_16\r\n Sun JRE (Solaris Production Release) 1.4.2_15\r\n Sun JRE (Solaris Production Release) 1.4.2_14\r\n Sun JRE (Solaris Production Release) 1.4.2_13\r\n Sun JRE (Solaris Production Release) 1.4.2_12\r\n Sun JRE (Solaris Production Release) 1.4.2_11\r\n Sun JRE (Linux Production Release) 1.6 _17\r\n Sun JRE (Linux Production Release) 1.6 _13\r\n Sun JRE (Linux Production Release) 1.6 _12\r\n Sun JRE (Linux Production Release) 1.6 _10\r\n Sun JRE (Linux Production Release) 1.6 _07\r\n Sun JRE (Linux Production Release) 1.6 _06\r\n Sun JRE (Linux Production Release) 1.6 _05\r\n Sun JRE (Linux Production Release) 1.6 _04\r\n Sun JRE (Linux Production Release) 1.6\r\n Sun JRE (Linux Production Release) 1.5 _22\r\n Sun JRE (Linux Production Release) 1.5 _18\r\n Sun JRE (Linux Production Release) 1.5 _16\r\n Sun JRE (Linux Production Release) 1.5 _15\r\n Sun JRE (Linux Production Release) 1.5 _07\r\n Sun JRE (Linux Production Release) 1.5 _06\r\n Sun JRE (Linux Production Release) 1.5 _05\r\n Sun JRE (Linux Production Release) 1.5 _04\r\n Sun JRE (Linux Production Release) 1.5 _03\r\n Sun JRE (Linux Production Release) 1.5 _02\r\n Sun JRE (Linux Production Release) 1.5 _01\r\n Sun JRE (Linux Production Release) 1.5 .0 beta\r\n Sun JRE (Linux Production Release) 1.5\r\n Sun JRE (Linux Production Release) 1.4.2 _24\r\n Sun JRE (Linux Production Release) 1.4.2 _10-b03\r\n Sun JRE (Linux Production Release) 1.4.2 _10\r\n Sun JRE (Linux Production Release) 1.4.2 _09\r\n Sun JRE (Linux Production Release) 1.4.2 _08\r\n Sun JRE (Linux Production Release) 1.4.2 _07\r\n Sun JRE (Linux Production Release) 1.4.2 _06\r\n Sun JRE (Linux Production Release) 1.4.2 _05\r\n Sun JRE (Linux Production Release) 1.4.2 _04\r\n Sun JRE (Linux Production Release) 1.4.2 _03\r\n Sun JRE (Linux Production Release) 1.4.2 _02\r\n Sun JRE (Linux Production Release) 1.4.2 _01\r\n Sun JRE (Linux Production Release) 1.4.2\r\n Sun JRE (Linux Production Release) 1.6.0_27\r\n Sun JRE (Linux Production Release) 1.6.0_26\r\n Sun JRE (Linux Production Release) 1.6.0_25\r\n Sun JRE (Linux Production Release) 1.6.0_24\r\n Sun JRE (Linux Production Release) 1.6.0_23\r\n Sun JRE (Linux Production Release) 1.6.0_22\r\n Sun JRE (Linux Production Release) 1.6.0_21\r\n Sun JRE (Linux Production Release) 1.6.0_20\r\n Sun JRE (Linux Production Release) 1.6.0_19\r\n Sun JRE (Linux Production Release) 1.6.0_18\r\n Sun JRE (Linux Production Release) 1.6.0_15\r\n Sun JRE (Linux Production Release) 1.6.0_14\r\n Sun JRE (Linux Production Release) 1.6.0_11\r\n Sun JRE (Linux Production Release) 1.6.0_03\r\n Sun JRE (Linux Production Release) 1.6.0_02\r\n Sun JRE (Linux Production Release) 1.6.0_01\r\n Sun JRE (Linux Production Release) 1.5.0_31\r\n Sun JRE (Linux Production Release) 1.5.0_30\r\n Sun JRE (Linux Production Release) 1.5.0_29\r\n Sun JRE (Linux Production Release) 1.5.0_28\r\n Sun JRE (Linux Production Release) 1.5.0_27\r\n Sun JRE (Linux Production Release) 1.5.0_26\r\n Sun JRE (Linux Production Release) 1.5.0_25\r\n Sun JRE (Linux Production Release) 1.5.0_23\r\n Sun JRE (Linux Production Release) 1.5.0_20\r\n Sun JRE (Linux Production Release) 1.5.0_17\r\n Sun JRE (Linux Production Release) 1.5.0_14\r\n Sun JRE (Linux Production Release) 1.5.0_13\r\n Sun JRE (Linux Production Release) 1.5.0_12\r\n Sun JRE (Linux Production Release) 1.5.0_11\r\n Sun JRE (Linux Production Release) 1.5.0_10\r\n Sun JRE (Linux Production Release) 1.5.0_09\r\n Sun JRE (Linux Production Release) 1.5.0_08\r\n Sun JRE (Linux Production Release) 1.4.2_33\r\n Sun JRE (Linux Production Release) 1.4.2_32\r\n Sun JRE (Linux Production Release) 1.4.2_31\r\n Sun JRE (Linux Production Release) 1.4.2_30\r\n Sun JRE (Linux Production Release) 1.4.2_29\r\n Sun JRE (Linux Production Release) 1.4.2_28\r\n Sun JRE (Linux Production Release) 1.4.2_27\r\n Sun JRE (Linux Production Release) 1.4.2_25\r\n Sun JRE (Linux Production Release) 1.4.2_22\r\n Sun JRE (Linux Production Release) 1.4.2_20\r\n Sun JRE (Linux Production Release) 1.4.2_19\r\n Sun JRE (Linux Production Release) 1.4.2_18\r\n Sun JRE (Linux Production Release) 1.4.2_17\r\n Sun JRE (Linux Production Release) 1.4.2_16\r\n Sun JRE (Linux Production Release) 1.4.2_15\r\n Sun JRE (Linux Production Release) 1.4.2_14\r\n Sun JRE (Linux Production Release) 1.4.2_13\r\n Sun JRE (Linux Production Release) 1.4.2_12\r\n Sun JRE (Linux Production Release) 1.4.2_11\r\n Sun JDK (Windows Production Release) 1.6 _17\r\n Sun JDK (Windows Production Release) 1.6 _14\r\n Sun JDK (Windows Production Release) 1.6 _13\r\n Sun JDK (Windows Production Release) 1.6 _11\r\n Sun JDK (Windows Production Release) 1.6 _10\r\n Sun JDK (Windows Production Release) 1.6 _07\r\n Sun JDK (Windows Production Release) 1.6 _06\r\n Sun JDK (Windows Production Release) 1.6 _05\r\n Sun JDK (Windows Production Release) 1.6 _04\r\n Sun JDK (Windows Production Release) 1.6\r\n Sun JDK (Windows Production Release) 1.5 0_10\r\n Sun JDK (Windows Production Release) 1.5 _22\r\n Sun JDK (Windows Production Release) 1.5 _18\r\n Sun JDK (Windows Production Release) 1.5 _17\r\n Sun JDK (Windows Production Release) 1.5 _15\r\n Sun JDK (Windows Production Release) 1.5 _14\r\n Sun JDK (Windows Production Release) 1.5 _02\r\n Sun JDK (Windows Production Release) 1.5 _01\r\n Sun JDK (Windows Production Release) 1.5 .0_05\r\n Sun JDK (Windows Production Release) 1.5 .0_04\r\n Sun JDK (Windows Production Release) 1.5 .0_03\r\n Sun JDK (Windows Production Release) 1.6.0_27\r\n Sun JDK (Windows Production Release) 1.6.0_26\r\n Sun JDK (Windows Production Release) 1.6.0_25\r\n Sun JDK (Windows Production Release) 1.6.0_24\r\n Sun JDK (Windows Production Release) 1.6.0_23\r\n Sun JDK (Windows Production Release) 1.6.0_22\r\n Sun JDK (Windows Production Release) 1.6.0_21\r\n Sun JDK (Windows Production Release) 1.6.0_20\r\n Sun JDK (Windows Production Release) 1.6.0_19\r\n Sun JDK (Windows Production Release) 1.6.0_18\r\n Sun JDK (Windows Production Release) 1.6.0_15\r\n Sun JDK (Windows Production Release) 1.6.0_03\r\n Sun JDK (Windows Production Release) 1.6.0_02\r\n Sun JDK (Windows Production Release) 1.6.0_01-b06\r\n Sun JDK (Windows Production Release) 1.6.0_01\r\n Sun JDK (Windows Production Release) 1.5.0_31\r\n Sun JDK (Windows Production Release) 1.5.0_30\r\n Sun JDK (Windows Production Release) 1.5.0_29\r\n Sun JDK (Windows Production Release) 1.5.0_28\r\n Sun JDK (Windows Production Release) 1.5.0_27\r\n Sun JDK (Windows Production Release) 1.5.0_26\r\n Sun JDK (Windows Production Release) 1.5.0_25\r\n Sun JDK (Windows Production Release) 1.5.0_24\r\n Sun JDK (Windows Production Release) 1.5.0_23\r\n Sun JDK (Windows Production Release) 1.5.0_20\r\n Sun JDK (Windows Production Release) 1.5.0_16\r\n Sun JDK (Windows Production Release) 1.5.0_13\r\n Sun JDK (Windows Production Release) 1.5.0_12\r\n Sun JDK (Windows Production Release) 1.5.0_11-b03\r\n Sun JDK (Windows Production Release) 1.5.0_07-b03\r\n Sun JDK (Windows Production Release) 1.5.0.0_12\r\n Sun JDK (Windows Production Release) 1.5.0.0_11\r\n Sun JDK (Windows Production Release) 1.5.0.0_09\r\n Sun JDK (Windows Production Release) 1.5.0.0_08\r\n Sun JDK (Windows Production Release) 1.5.0.0_06\r\n Sun JDK (Solaris Production Release) 1.6 _17\r\n Sun JDK (Solaris Production Release) 1.6 _14\r\n Sun JDK (Solaris Production Release) 1.6 _13\r\n Sun JDK (Solaris Production Release) 1.6 _11\r\n Sun JDK (Solaris Production Release) 1.6 _10\r\n Sun JDK (Solaris Production Release) 1.6 _07\r\n Sun JDK (Solaris Production Release) 1.6 _06\r\n Sun JDK (Solaris Production Release) 1.6 _05\r\n Sun JDK (Solaris Production Release) 1.6 _04\r\n Sun JDK (Solaris Production Release) 1.6 _01-b06\r\n Sun JDK (Solaris Production Release) 1.6\r\n Sun JDK (Solaris Production Release) 1.5 0_10\r\n Sun JDK (Solaris Production Release) 1.5 0_09\r\n Sun JDK (Solaris Production Release) 1.5 0_03\r\n Sun JDK (Solaris Production Release) 1.5 _22\r\n Sun JDK (Solaris Production Release) 1.5 _18\r\n Sun JDK (Solaris Production Release) 1.5 _17\r\n Sun JDK (Solaris Production Release) 1.5 _15\r\n Sun JDK (Solaris Production Release) 1.5 _14\r\n Sun JDK (Solaris Production Release) 1.5 _11-b03\r\n Sun JDK (Solaris Production Release) 1.5 _07-b03\r\n Sun JDK (Solaris Production Release) 1.5 _06\r\n Sun JDK (Solaris Production Release) 1.5 _02\r\n Sun JDK (Solaris Production Release) 1.5 _01\r\n Sun JDK (Solaris Production Release) 1.5 .0_05\r\n Sun JDK (Solaris Production Release) 1.5 .0_04\r\n Sun JDK (Solaris Production Release) 1.5 .0_03\r\n Sun JDK (Solaris Production Release) 1.6.0_27\r\n Sun JDK (Solaris Production Release) 1.6.0_26\r\n Sun JDK (Solaris Production Release) 1.6.0_25\r\n Sun JDK (Solaris Production Release) 1.6.0_24\r\n Sun JDK (Solaris Production Release) 1.6.0_23\r\n Sun JDK (Solaris Production Release) 1.6.0_22\r\n Sun JDK (Solaris Production Release) 1.6.0_21\r\n Sun JDK (Solaris Production Release) 1.6.0_20\r\n Sun JDK (Solaris Production Release) 1.6.0_19\r\n Sun JDK (Solaris Production Release) 1.6.0_18\r\n Sun JDK (Solaris Production Release) 1.6.0_15\r\n Sun JDK (Solaris Production Release) 1.6.0_03\r\n Sun JDK (Solaris Production Release) 1.6.0_02\r\n Sun JDK (Solaris Production Release) 1.6.0_01\r\n Sun JDK (Solaris Production Release) 1.5.0_31\r\n Sun JDK (Solaris Production Release) 1.5.0_30\r\n Sun JDK (Solaris Production Release) 1.5.0_29\r\n Sun JDK (Solaris Production Release) 1.5.0_28\r\n Sun JDK (Solaris Production Release) 1.5.0_27\r\n Sun JDK (Solaris Production Release) 1.5.0_26\r\n Sun JDK (Solaris Production Release) 1.5.0_25\r\n Sun JDK (Solaris Production Release) 1.5.0_24\r\n Sun JDK (Solaris Production Release) 1.5.0_23\r\n Sun JDK (Solaris Production Release) 1.5.0_20\r\n Sun JDK (Solaris Production Release) 1.5.0_16\r\n Sun JDK (Solaris Production Release) 1.5.0_13\r\n Sun JDK (Solaris Production Release) 1.5.0_12\r\n Sun JDK (Solaris Production Release) 1.5.0_11\r\n Sun JDK (Linux Production Release) 1.6 _17\r\n Sun JDK (Linux Production Release) 1.6 _14\r\n Sun JDK (Linux Production Release) 1.6 _13\r\n Sun JDK (Linux Production Release) 1.6 _11\r\n Sun JDK (Linux Production Release) 1.6 _10\r\n Sun JDK (Linux Production Release) 1.6 _07\r\n Sun JDK (Linux Production Release) 1.6 _06\r\n Sun JDK (Linux Production Release) 1.6 _05\r\n Sun JDK (Linux Production Release) 1.6 _04\r\n Sun JDK (Linux Production Release) 1.6 _01-b06\r\n Sun JDK (Linux Production Release) 1.6 _01\r\n Sun JDK (Linux Production Release) 1.6\r\n Sun JDK (Linux Production Release) 1.5 0_10\r\n Sun JDK (Linux Production Release) 1.5 _22\r\n Sun JDK (Linux Production Release) 1.5 _18\r\n Sun JDK (Linux Production Release) 1.5 _17\r\n Sun JDK (Linux Production Release) 1.5 _15\r\n Sun JDK (Linux Production Release) 1.5 _14\r\n Sun JDK (Linux Production Release) 1.5 _11-b03\r\n Sun JDK (Linux Production Release) 1.5 _07-b03\r\n Sun JDK (Linux Production Release) 1.5 _07\r\n Sun JDK (Linux Production Release) 1.5 _06\r\n Sun JDK (Linux Production Release) 1.5 _02\r\n Sun JDK (Linux Production Release) 1.5 _01\r\n Sun JDK (Linux Production Release) 1.5 .0_05\r\n Sun JDK (Linux Production Release) 1.5\r\n Sun JDK (Linux Production Release) 1.6.0_27\r\n Sun JDK (Linux Production Release) 1.6.0_26\r\n Sun JDK (Linux Production Release) 1.6.0_25\r\n Sun JDK (Linux Production Release) 1.6.0_24\r\n Sun JDK (Linux Production Release) 1.6.0_23\r\n Sun JDK (Linux Production Release) 1.6.0_22\r\n Sun JDK (Linux Production Release) 1.6.0_21\r\n Sun JDK (Linux Production Release) 1.6.0_20\r\n Sun JDK (Linux Production Release) 1.6.0_19\r\n Sun JDK (Linux Production Release) 1.6.0_18\r\n Sun JDK (Linux Production Release) 1.6.0_15\r\n Sun JDK (Linux Production Release) 1.6.0_03\r\n Sun JDK (Linux Production Release) 1.6.0_02\r\n Sun JDK (Linux Production Release) 1.5.0_31\r\n Sun JDK (Linux Production Release) 1.5.0_30\r\n Sun JDK (Linux Production Release) 1.5.0_29\r\n Sun JDK (Linux Production Release) 1.5.0_28\r\n Sun JDK (Linux Production Release) 1.5.0_27\r\n Sun JDK (Linux Production Release) 1.5.0_26\r\n Sun JDK (Linux Production Release) 1.5.0_25\r\n Sun JDK (Linux Production Release) 1.5.0_24\r\n Sun JDK (Linux Production Release) 1.5.0_23\r\n Sun JDK (Linux Production Release) 1.5.0_20\r\n Sun JDK (Linux Production Release) 1.5.0_16\r\n Sun JDK (Linux Production Release) 1.5.0_13\r\n Sun JDK (Linux Production Release) 1.5.0.0_12\r\n Sun JDK (Linux Production Release) 1.5.0.0_11\r\n Sun JDK (Linux Production Release) 1.5.0.0_09\r\n Sun JDK (Linux Production Release) 1.5.0.0_08\r\n Sun JDK (Linux Production Release) 1.5.0.0_04\r\n Sun JDK (Linux Production Release) 1.5.0.0_03\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html", "published": "2011-12-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-24273", "cvelist": ["CVE-2011-3544"], "lastseen": "2017-11-19T17:56:49"}], "gentoo": [{"id": "GLSA-201111-02", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "description": "### Background\n\nThe Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). \n\n### Description\n\nMultiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below and the associated Oracle Critical Patch Update Advisory for details. \n\n### Impact\n\nA remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK 1.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/sun-jdk-1.6.0.29\"\n \n\nAll Oracle JRE 1.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/sun-jre-bin-1.6.0.29\"\n \n\nAll users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/emul-linux-x86-java-1.6.0.29\"\n \n\nNOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically. This limitation is not present on a non-fetch restricted implementation such as dev-java/icedtea-bin.", "published": "2011-11-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201111-02", "cvelist": ["CVE-2010-3562", "CVE-2010-4475", "CVE-2011-0865", "CVE-2011-3557", "CVE-2010-4468", "CVE-2010-3557", "CVE-2011-3551", "CVE-2010-3563", "CVE-2011-3549", "CVE-2010-3551", "CVE-2011-0802", "CVE-2011-0868", "CVE-2010-3552", "CVE-2010-3553", "CVE-2010-3550", "CVE-2010-4452", "CVE-2011-3561", "CVE-2010-4462", "CVE-2010-3566", "CVE-2010-4448", "CVE-2010-4465", "CVE-2011-0869", "CVE-2010-3565", "CVE-2011-0863", "CVE-2010-4454", "CVE-2010-3572", "CVE-2010-4451", "CVE-2011-3548", "CVE-2010-4422", "CVE-2011-3547", "CVE-2010-4469", "CVE-2011-3521", "CVE-2011-3389", "CVE-2010-4450", "CVE-2010-4463", "CVE-2010-3574", "CVE-2011-3544", "CVE-2011-3553", "CVE-2010-4473", "CVE-2010-4474", "CVE-2011-3516", "CVE-2010-3541", "CVE-2011-3558", "CVE-2011-0873", "CVE-2010-3571", "CVE-2011-3555", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-3560", "CVE-2010-3559", "CVE-2011-0815", "CVE-2011-3546", "CVE-2010-3556", "CVE-2011-3554", "CVE-2011-0867", "CVE-2010-3561", "CVE-2010-4447", "CVE-2010-3549", "CVE-2011-3556", "CVE-2010-3554", "CVE-2010-4470", "CVE-2011-3560", "CVE-2010-3555", "CVE-2011-0864", "CVE-2010-3570", "CVE-2011-3545", "CVE-2011-3552", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-3548", "CVE-2011-3550", "CVE-2010-4467", "CVE-2010-3568", "CVE-2011-0862", "CVE-2010-3558", "CVE-2010-4466", "CVE-2010-3569", "CVE-2011-0871", "CVE-2011-0814", "CVE-2011-0872"], "lastseen": "2016-09-06T19:47:03"}, {"id": "GLSA-201406-32", "type": "gentoo", "title": "IcedTea JDK: Multiple vulnerabilities", "description": "### Background\n\nIcedTea is a distribution of the Java OpenJDK source code built with free build tools. \n\n### Description\n\nMultiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll IcedTea JDK users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-6.1.13.3\"", "published": "2014-06-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201406-32", "cvelist": ["CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2431", "CVE-2010-3562", "CVE-2013-2420", "CVE-2011-0865", "CVE-2013-2384", "CVE-2013-2415", "CVE-2012-1711", "CVE-2014-2397", "CVE-2013-1571", "CVE-2013-5782", "CVE-2011-3557", "CVE-2013-2417", "CVE-2013-1500", "CVE-2013-2448", "CVE-2010-3557", "CVE-2011-3551", "CVE-2013-4002", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2014-0457", "CVE-2013-5850", "CVE-2013-2407", "CVE-2013-5778", "CVE-2013-1478", "CVE-2013-2456", "CVE-2010-3551", "CVE-2011-0868", "CVE-2013-0428", "CVE-2014-0446", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-0169", "CVE-2010-3553", "CVE-2012-1719", "CVE-2014-1876", "CVE-2014-0458", "CVE-2013-0429", "CVE-2014-2427", "CVE-2011-3563", "CVE-2013-1475", "CVE-2013-2421", "CVE-2013-1518", "CVE-2013-0435", "CVE-2012-5087", "CVE-2013-0809", "CVE-2013-0442", "CVE-2010-3566", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-5842", "CVE-2010-4448", "CVE-2013-0431", "CVE-2010-4465", "CVE-2012-5085", "CVE-2012-4540", "CVE-2011-0869", "CVE-2010-3565", "CVE-2012-5076", "CVE-2013-5830", "CVE-2013-2473", "CVE-2013-6954", "CVE-2012-4416", "CVE-2012-5075", "CVE-2014-0453", "CVE-2013-1488", "CVE-2012-0424", "CVE-2013-0434", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2011-3548", "CVE-2012-5081", "CVE-2011-3547", "CVE-2013-5817", "CVE-2010-4469", "CVE-2012-0503", "CVE-2011-3521", "CVE-2013-0443", "CVE-2011-5035", "CVE-2013-2419", "CVE-2014-0461", "CVE-2012-1723", "CVE-2013-2463", "CVE-2011-3571", "CVE-2010-3860", "CVE-2011-3389", "CVE-2013-2469", "CVE-2014-0459", "CVE-2014-0456", "CVE-2010-4450", "CVE-2012-1726", "CVE-2013-2465", "CVE-2013-1537", "CVE-2014-0429", "CVE-2013-5806", "CVE-2010-3574", "CVE-2011-3544", "CVE-2013-5805", "CVE-2011-3553", "CVE-2013-0444", "CVE-2012-0506", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-5825", "CVE-2012-1717", "CVE-2013-2423", "CVE-2010-3541", "CVE-2013-5823", "CVE-2011-3558", "CVE-2014-2403", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2009-3555", "CVE-2013-2429", "CVE-2013-5849", "CVE-2014-2412", "CVE-2010-2548", "CVE-2012-5086", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-5077", "CVE-2013-1486", "CVE-2013-1476", "CVE-2010-4476", "CVE-2010-4472", "CVE-2013-5780", "CVE-2010-4471", "CVE-2014-2421", "CVE-2012-5069", "CVE-2012-3216", "CVE-2014-0460", "CVE-2011-0870", "CVE-2011-0815", "CVE-2013-0432", "CVE-2012-0505", "CVE-2012-5084", "CVE-2012-1718", "CVE-2010-2783", "CVE-2013-2458", "CVE-2011-3554", "CVE-2013-0424", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2013-5814", "CVE-2010-3561", "CVE-2011-0025", "CVE-2012-0501", "CVE-2010-3564", "CVE-2013-0440", "CVE-2013-2443", "CVE-2010-3549", "CVE-2012-3422", "CVE-2013-2446", "CVE-2011-3556", "CVE-2012-0547", "CVE-2013-5829", "CVE-2010-3554", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2014-2423", "CVE-2010-4470", "CVE-2011-0822", "CVE-2011-3560", "CVE-2013-1493", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2010-4351", "CVE-2011-0864", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2426", "CVE-2013-2455", "CVE-2013-2422", "CVE-2013-2383", "CVE-2013-0425", "CVE-2013-1484", "CVE-2011-3552", "CVE-2013-5774", "CVE-2012-1724", "CVE-2010-3567", "CVE-2010-3573", "CVE-2013-6629", "CVE-2012-5068", "CVE-2013-3829", "CVE-2013-0441", "CVE-2010-3548", "CVE-2011-0706", "CVE-2012-5979", "CVE-2012-0502", "CVE-2013-5783", "CVE-2010-4467", "CVE-2012-3423", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2014-2398", "CVE-2010-3568", "CVE-2014-0451", "CVE-2013-1569", "CVE-2013-2412", "CVE-2014-0452", "CVE-2011-0862", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2014-2414", "CVE-2010-3569", "CVE-2011-0871", "CVE-2013-2449", "CVE-2011-0872", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-06T19:46:20"}, {"id": "GLSA-201203-02", "type": "gentoo", "title": "cURL: Multiple vulnerabilities", "description": "### Background\n\ncURL is a command line tool for transferring files with URL syntax, supporting numerous protocols. \n\n### Description\n\nMultiple vulnerabilities have been found in cURL:\n\n * When zlib is enabled, the amount of data sent to an application for automatic decompression is not restricted (CVE-2010-0734). \n * When performing GSSAPI authentication, credential delegation is always used (CVE-2011-2192). \n * When SSL is enabled, cURL improperly disables the OpenSSL workaround to mitigate an information disclosure vulnerability in the SSL and TLS protocols (CVE-2011-3389). \n * libcurl does not properly verify file paths for escape control characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036). \n\n### Impact\n\nA remote attacker could entice a user or automated process to open a specially crafted file or URL using cURL, possibly resulting in the remote execution of arbitrary code, a Denial of Service condition, disclosure of sensitive information, or unwanted actions performed via the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be able to impersonate clients via GSSAPI requests. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll cURL users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/curl-7.24.0\"", "published": "2012-03-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201203-02", "cvelist": ["CVE-2011-3389", "CVE-2010-0734", "CVE-2012-0036", "CVE-2011-2192"], "lastseen": "2016-09-06T19:46:50"}], "zdi": [{"id": "ZDI-11-306", "type": "zdi", "title": "Oracle Java IIOP Deserialization Type Confusion Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the way Java handles IIOP deserialization. Due to insufficient type checking it is possible to trick java into allowing access to otherwise protected and private fields in built-in objects. This could be used, for example, to disable to security manager normally in place for applets. This leads to remote code execution under the context of the current user.", "published": "2011-10-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-11-306", "cvelist": ["CVE-2011-3521"], "lastseen": "2016-11-09T00:17:54"}, {"id": "ZDI-11-305", "type": "zdi", "title": "Oracle Java Applet Rhino Script Engine Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the way Java handles Rhino Javascript errors. The built-in javascript engine in Java fails to perform sufficient sanitation on javascript error objects. The effect is that untrusted code can run in privileged context. This can result in remote code execution under the context of the current user.", "published": "2011-10-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-11-305", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-11-09T00:17:55"}], "f5": [{"id": "F5:K13400", "type": "f5", "title": "SSL 3.0/TLS 1.0 BEAST vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870", "description": "\nF5 Product Development has assigned ID 368796 (BIG-IP and Enterprise Manager), ID 677660 (BIG-IQ), ID 677978 (F5 iWorkflow), ID 369724 (FirePass), and ID 376745 (ARX) to this vulnerability. To find out whether F5 has determined that your release is vulnerable, and to obtain information about releases or hotfixes that resolve the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | 9.0.0 - 9.4.8 \n10.0.0 - 10.2.2 \n*10.2.3 - 10.2.4 \n*11.0.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP GTM | 9.2.2 - 9.4.8 \n10.0.0 - 10.2.2 \n*10.2.3 - 10.2.4 \n*11.0.0 - 11.6.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP DNS | *12.0.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP ASM | 9.2.0 - 9.4.8 \n10.0.0 - 10.2.2 \n*10.2.3 - 10.2.4 \n*11.0.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP Link Controller | 9.2.2 - 9.4.8 \n10.0.0 - 10.2.2 \n*10.2.3 - 10.2.4 \n*11.0.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP WebAccelerator | 9.4.0 - 9.4.8 \n10.0.0 - 10.2.2 \n*10.2.3 - 10.2.4 \n*11.0.0 - 11.3.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP PSM | 9.4.0 - 9.4.8 \n10.0.0 - 10.2.2 \n \n*10.2.3 - 10.2.4 \n*11.0.0 - 11.4.1 | None | Configuration utility \n \nSSL virtual servers \nBIG-IP WOM | 10.0.0 - 10.2.2 \n*10.2.3 - 10.2.4 \n*11.0.0 - 11.3.0 | None | Configuration utility \n \nSSL virtual servers \nBIG-IP APM | 10.1.0 - 10.2.2 \n*10.2.3 - 10.2.4 \n*11.0.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \n \nSSL virtual servers \nBIG-IP Edge Gateway | 10.1.0 - 10.2.2 \n \n*10.2.3 - 10.2.4 \n*11.0.0 - 11.3.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP Analytics | *11.0.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \nBIG-IP AFM | *11.3.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP PEM | *11.3.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \nSSL virtual servers \nBIG-IP AAM | *11.4.0 - 12.1.3 \n*13.0.0 - 13.1.0 | None | Configuration utility \nSSL virtual servers \nFirePass | 6.0.0 - 6.1.0 \n7.0.0 | None | Administrative interface \nWebServices \nEnterprise Manager | 1.8.0 \n2.0.0 - 2.3.0 \n3.0.0 - 3.1.1 | None | Configuration utility \nARX | 5.0.0 - 5.3.1 \n6.0.0 - 6.4.0 | None | ARX Manager GUI \nAPI (disabled by default) \nBIG-IQ Cloud | *4.4.0 - 4.5.0 | None | BIG-IQ user interface (webd) \nBIG-IQ Device | *4.4.0 - 4.5.0 | None | BIG-IQ user interface (webd) \nBIG-IQ Security | *4.4.0 - 4.5.0 | None | BIG-IQ user interface (webd) \nBIG-IQ ADC | *4.5.0 | None | BIG-IQ user interface (webd) \nBIG-IQ Centralized Management | *5.0.0 - 5.4.0 \n*4.6.0 | None | BIG-IQ user interface (webd) \nBIG-IQ Cloud and Orchestration | *1.0.0 | None | BIG-IQ user interface (webd) \nF5 iWorkflow | *2.0.0 - 2.3.0 | None | iWorkflow user interface (webd) \n \n* Mitigation is available for these BIG-IP, BIG-IQ, and iWorkflow versions with the introduction of support for TLS 1.2. For more information, refer to the **Security Advisory Recommended Actions** section.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [BIG-IP](<https://support.f5.com/csp/article/K13400#bigip>)\n * [BIG-IQ/iWorkflow](<https://support.f5.com/csp/article/K13400#bigiq>)\n * [FirePass](<https://support.f5.com/csp/article/K13400#firepass>)\n * [Enterprise Manager](<https://support.f5.com/csp/article/K13400#2.x>)\n * [ARX](<https://support.f5.com/csp/article/K13400#arx>)\n\nBIG-IP\n\nThis vulnerability is exploited on the client-browser side of an SSL connection to either a virtual server or to the Configuration utility. In the case of client-browser access to a virtual server, the vulnerability is exploitable without server access, and no exploited packets are sent to the remote server. The following mitigations for this vulnerability are available for SSL profiles and the Configuration utility:\n\nSSL profiles\n\nMitigation of this vulnerability is possible for virtual servers using an SSL profile by performing one of the following procedures:\n\n * [Configuring the SSL profile to use only TLS 1.1 or TLS 1.2 compatible, or ](<https://support.f5.com/csp/article/K13400#ssl_p1>)[RC4-SHA ciphers](<https://support.f5.com/csp/article/K13400#p1>)\n * TLS 1.1 protocol compatible ciphers are available only for BIG-IP 11.2.0 and later.\n * TLS 1.2 protocol compatible ciphers and RC4-SHA ciphers are available only for BIG-IP 10.2.4 and later, and BIG-IP 11.0.0 and later.\n * [Configuring the SSL profile to use only RC4-SHA ciphers](<https://support.f5.com/csp/article/K13400#ssl_p2>)\n * RC4-SHA ciphers are available for all BIG-IP versions.\n * RC4 ciphers are not FIPS compliant.\n\nConfiguration utility\n\nMitigation of this vulnerability is possible for the Configuration utility by performing one of the following procedures:\n\n * [Restricting the Configuration utility to use only TLS 1.2 compatible or RC4-SHA ciphers](<https://support.f5.com/csp/article/K13400#config_p1>)\n * This option is available only for BIG-IP 11.5.0 and later.\n * Feature enhancements allowing the use of this procedure have also been included in the following software versions: 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, and 10.2.4 HF10.\n * [Restricting the Configuration utility to use only RC4-SHA ciphers](<https://support.f5.com/csp/article/K13400#config_p2>)\n * All BIG-IP versions\n\nConfiguring the SSL profile to use TLS 1.1 or TLS 1.2 compatible ciphers, or RC4-SHA ciphers\n\n**Note**: Support for TLS 1.2 was introduced in BIG-IP 10.2.3 and 11.0.0.\n\nFor BIG-IP 10.2.4 and 11.x, you can mitigate this vulnerability for an SSL virtual server by configuring the SSL profile to use only TLS 1.1-compatible ciphers, TLS 1.2-compatible ciphers, or RC4-SHA ciphers. For information about configuring the ciphers used by an SSL profile, refer to the following articles:\n\n * [K13171: Configuring the cipher strength for SSL profiles (11.x)](<https://support.f5.com/csp/article/K13171>)\n * [K7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)](<https://support.f5.com/csp/article/K7815>)\n\nFor example, to configure an SSL profile to use only TLS 1.1-compatible ciphers, TLS 1.2-compatible ciphers, or RC4-SHA ciphers, perform the following procedure:\n\n**Note: **When you modify cipher strings, it is helpful to understand the exclamation (**!**) and minus (**-**) negation symbols. When you use the **! **symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if it is explicitly stated later in the cipher string. When you use the **\\- **symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but it can be added back to the cipher list if there are later options that allow it. For more information about building and viewing custom cipher lists, refer to [K15194: Overview of the BIG-IP SSL/TLS cipher suite](<https://support.f5.com/csp/article/K15194>).\n\nConfiguring the SSL profile to use only the RC4-SHA cipher\n\nFor BIG-IP versions that do not support TLS 1.1 or 1.2, you can mitigate this vulnerability for an SSL virtual server by configuring the SSL profile to use only RC4-SHA ciphers. For example, to configure an SSL profile to use only RC4-SHA ciphers, perform the following procedure:\n\n**Impact of workaround:** Only RC4-SHA ciphers are allowed. Limiting the ciphers supported by the SSL profile may result in clients being unable to establish an SSL connection.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Local Traffic** > **Profiles**.\n 3. From the **SSL** menu, choose **Client**.\n 4. Click **Create**.\n 5. Type a name for the **SSL** profile.\n 6. From the **Parent Profile** menu, choose **clientssl**.\n 7. From the **Configuration** menu, choose **Advanced**.\n 8. Click the **Custom** box for **Ciphers**.\n 9. Delete the DEFAULT cipher string from the **Ciphers** box.\n 10. Enter the desired cipher string in the **Ciphers** box. \n\nFor example, the following string would configure an SSL profile to use only RC4-SHA ciphers:\n\nRC4-SHA\n\n 11. Click **Finished**. \n\nYou must now associate the SSL profile with the virtual server.\n\n**Note**: Alternatively, to configure an SSL profile to use only RC4-SHA ciphers using the** **TMOS Shell (**tmsh**), use the following syntax:\n\ntmsh create /ltm profile client-ssl <name> ciphers RC4-SHA\n\nRestricting the Configuration utility to use only TLS 1.2 compatible or RC4-SHA ciphers\n\n**Note**: Support for TLS 1.2 in the Configuration utility was introduced in BIG-IP 11.5.0.\n\nFor BIG-IP 11.5.0 and later, you can mitigate this vulnerability for the Configuration utility by restricting the utility to use only TLS 1.2-compatible ciphers or RC4-SHA ciphers. For example, to restrict the utility to use only TLS 1.2-compatible ciphers or RC4-SHA ciphers, perform the following procedure:\n\n**Note**: Feature enhancements allowing the use of this procedure have also been included in the following software versions: 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, and 10.2.4 HF10.\n\n**Impact of workaround**: The Configuration utility will use only TLS 1.2-compatible ciphers or RC4-SHA ciphers. There is limited client browser support for TLS 1.2. Clients who do not support TLS 1.2 may not be able to connect, or will connect using an RC4-SHA cipher.\n\n**Important**: Many client browsers do not support TLS 1.2.\n\n 1. Log in to **tmsh** by typing the following command: \n\ntmsh\n\n 2. Before you change the SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, type the following command: \n\nlist /sys httpd ssl-ciphersuite\n\nFor example, the BIG-IP 11.5.1 system displays the following cipher string:\n\nALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2\n\n 3. To restrict Configuration utility access to clients using TLS 1.2 or RC4-SHA ciphers, type the following command: \n\nmodify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'\n\nAlternatively, if you can restrict to only TLS 1.1 and TLS 1.2 ciphers, then type the following command instead:\n\nmodify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1'\n\n 4. Save the configuration change by typing the following command: \n\nsave /sys config\n\nRestricting the Configuration utility to use only RC4-SHA ciphers\n\nFor BIG-IP versions that do not support TLS 1.2, you can mitigate this vulnerability for the Configuration utility by restricting the utility to use only RC4-SHA ciphers. For example, to restrict the utility to use only RC4-SHA ciphers, perform the following procedure:\n\n**Impact of workaround**: Only RC4-SHA ciphers are allowed. Limiting the ciphers supported by The Configuration utility may result in clients being unable to connect.\n\n 1. Log in to **tmsh** by typing the following command: \n\ntmsh\n\n 2. Before you change the SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, type the following command: \n\nlist /sys httpd ssl-ciphersuite\n\nFor example, the BIG-IP 11.5.1 system displays the following cipher string:\n\nALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2\n\n 3. To restrict Configuration utility access to clients using RC4-SHA ciphers, type the following command: \n\nmodify /sys httpd ssl-ciphersuite 'RC4-SHA'\n\n 4. Save the configuration change by typing the following command: \n\nsave /sys config\n\nBIG-IQ/iWorkflow\n\nThis vulnerability is exploited on the client-browser side of an SSL connection to the BIG-IQ or iWorkflow user interface. Mitigation of this vulnerability is available for the BIG-IQ and iWorkflow user interface by removing all SSL and TLS 1.0 protocols from the BIG-IQ or iWorkflow user interface configuration. To do so, perform the following procedure:\n\n**Impact of workaround**: This procedure restarts the **webd** process and temporarily disrupts traffic to the BIG-IQ or iWorkflow system. You should perform this procedure during a maintenance window.\n\n 1. Log in to the BIG-IQ or iWorkflow command line.\n 2. Back up a copy of the **/etc/webd/webd.conf** file by typing the following command: \n\ncp -p /etc/webd/webd.conf /var/tmp/webd.conf.k13400\n\n 3. Edit the **/etc/webd/webd.conf** file using a text editor of your choice, for example **vi**.\n 4. In the **/etc/webd/webd.conf** file, locate the following line: \n\nssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n\n 5. Remove all SSL and TLS 1.0 protocols from this line. After editing, this line should appear similar to the following example: \n\nssl_protocols TLSv1.1 TLSv1.2;\n\n 6. Save the changes and exit the text editor.\n 7. Restart the **webd** process by typing the following command: \n\ntmsh restart sys service webd\n\nFirePass\n\n * None\n\n****Enterprise Manager\n\n * None\n\n****ARX\n\n * None\n\n * [K8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles](<https://support.f5.com/csp/article/K8802>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x)](<https://support.f5.com/csp/article/K13405>)\n * [K13309: Restricting access to the Configuration utility by source IP address (11.x - 13.x)](<https://support.f5.com/csp/article/K13309>)\n * [K13163: SSL ciphers supported on BIG-IP platforms (11.x - 13.x)](<https://support.f5.com/csp/article/K13163>)\n * [K11444: SSL ciphers supported on BIG-IP platforms (10.x)](<https://support.f5.com/csp/article/K11444>)\n * [K13156: SSL ciphers used in the default SSL profiles (11.x - 13.x)](<https://support.f5.com/csp/article/K13156>)\n * [K10262: SSL ciphers used in the default SSL profiles (10.x)](<https://support.f5.com/csp/article/K10262>)\n * [K9677: BIG-IP LTM compliance with standard FIPS-197](<https://support.f5.com/csp/article/K9677>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n\n**Note**: The following link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.\n\n * <http://vnhacker.blogspot.com/2011/09/beast.html>\n\n**Note**: For more information about various TLS protocol level attacks and F5 recommendations for mitigating the attacks, refer to the following DevCentral article. A DevCentral login is required to access this content.\n\n * [Which TLS algorithm should I use?](<https://devcentral.f5.com/articles/which-tls-algorithm-should-i-use#.UiZGfF3n-Ul>)\n", "published": "2012-03-07T05:33:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://support.f5.com/csp/article/K13400", "cvelist": ["CVE-2011-3389", "CVE-2012-1870"], "lastseen": "2018-03-10T07:57:00"}, {"id": "SOL13400", "type": "f5", "title": "SOL13400 - SSL 3.0/TLS 1.0 BEAST vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870", "description": "If the previous table lists a version in the** Versions known to be not vulnerable **column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\n * BIG-IP\n * FirePass\n * Enterprise Manager\n * ARX\n\nVulnerability Recommended Actions\n\n**BIG-IP**\n\nThis vulnerability is exploited on the client-browser side of an SSL connection to either a virtual server or to the Configuration utility. In the case of client-browser access to a virtual server, the vulnerability is exploitable without server access, and no exploited packets are sent to the remote server. The following mitigations for this vulnerability are available for SSL profiles and the Configuration utility:\n\n**SSL Profiles**\n\nMitigation of this vulnerability is possible for virtual servers using an SSL profile by performing one of the following procedures:\n\n * Configuring the SSL profile to use only TLS 1.1 or TLS 1.2 compatible, or RC4-SHA ciphers \n \n\n * TLS 1.1 protocol compatible ciphers are available only for BIG-IP 11.2.0 and later.\n * TLS 1.2 protocol compatible ciphers and RC4-SHA ciphers are available only for BIG-IP 10.2.4 and later, and BIG-IP 11.0.0 and later.\n * Configuring the SSL profile to use only RC4-SHA ciphers \n \n\n * RC4-SHA ciphers are available for all BIG-IP versions.\n * RC4 ciphers are not FIPS compliant.\n\n**Configuration utility**\n\nMitigation of this vulnerability is possible for the Configuration utility by performing one of the following procedures:\n\n * Restricting the Configuration utility to use only TLS 1.2 compatible or RC4-SHA ciphers \n \n\n * This option is available only for BIG-IP 11.5.0 and later.\n * Feature enhancements allowing the use of this procedure have also been included in the following software versions: 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, and 10.2.4 HF10.\n * Restricting the Configuration utility to use only RC4-SHA ciphers \n \n\n * All BIG-IP versions\n\n**Configuring the SSL profile to use TLS 1.1 or TLS 1.2 compatible ciphers, or RC4-SHA ciphers**\n\n**Note**: Support for TLS 1.2 was introduced in BIG-IP 10.2.3 and 11.0.0.\n\nFor BIG-IP 10.2.4 and 11.x, you can mitigate this vulnerability for an SSL virtual server by configuring the SSL profile to use only TLS 1.1-compatible ciphers, TLS 1.2-compatible ciphers, or RC4-SHA ciphers. For information about configuring the ciphers used by an SSL profile, refer to the following articles:\n\n * SOL13171: Configuring the cipher strength for SSL profiles (11.x)\n * SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)\n\nFor example, to configure an SSL profile to use only TLS 1.1-compatible ciphers, TLS 1.2-compatible ciphers, or RC4-SHA ciphers, perform the following procedure:\n\n**Note**: This workaround cannot be applied to BIG-IP 10.2.3. For more information, refer to SOL13543: The BIG-IP SSL profiles may not allow cipher strings containing AES128, AES256, or TLS1.2.\n\n**Impact of workaround:** An SSL virtual server configured to use this SSL profile will use only TLS 1.1-compatible ciphers, TLS 1.2-compatible ciphers, or RC4-SHA ciphers. There is limited client browser support for TLS 1.2. Clients who do not support TLS 1.1 or 1.2 may not be able to connect, or will connect using an RC4-SHA cipher. However, RC4 ciphers are not FIPS compliant.\n\n**Important**: Many client browsers do not support TLS 1.2.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Local Traffic** > **Profiles**.\n 3. Choose **Client** from the **SSL** menu.\n 4. Click **Create**.\n 5. Type a name for the **SSL** profile.\n 6. From the **Parent Profile** menu, choose **clientssl**.\n 7. From the **Configuration** menu, choose **Advanced**.\n 8. Click the **Custom** box for **Ciphers**.\n 9. Delete the DEFAULT cipher string from the **Ciphers** box.\n 10. Enter the desired cipher string in the **Ciphers** box. \n\nFor example, the following string can configure an SSL profile to use only TLS 1.1-compatible and TLS 1.2-compatible ciphers:\n\nDEFAULT:!SSLv3:!TLSv1 \n \nIf you want the SSL profile to support TLS 1.0 and SSL 3.0 clients, use the following string: \n \nDEFAULT:-SSLv3:-TLSv1:RC4-SHA \n \nIf you want the SSL profile to support TLS 1.0, but not SSL 3.0 clients, use the following string: \n \nDEFAULT:!SSLv3:-TLSv1:RC4-SHA\n\n 11. Click **Finished**. \n\nYou must now associate the SSL profile with the virtual server.\n\nAlternatively, to configure an SSL profile to use only TLS 1.1-compatible and TLS 1.2-compatible ciphers using the** tmsh **utility, use the following syntax:\n\ntmsh create /ltm profile client-ssl <name> ciphers DEFAULT:!SSLv3:!TLSv1 \n \nSimilarly, if you want the SSL profile to support TLS 1.0 and SSL 3.0 clients, you can configure an SSL profile using the following **tmsh **command syntax: \n \ntmsh create /ltm profile client-ssl <name> ciphers DEFAULT:-SSLv3:-TLSv1:RC4-SHA \n \nAnd if you want the SSL profile to support TLS 1.0, but not SSL 3.0 clients, you can configure an SSL profile using the following **tmsh **command syntax: \n \ntmsh create /ltm profile client-ssl <name> ciphers DEFAULT:!SSLv3:-TLSv1:RC4-SHA\n\n******Configuring the SSL profile to use only the RC4-SHA cipher**\n\nFor BIG-IP versions that do not support TLS 1.1 or 1.2, you can mitigate this vulnerability for an SSL virtual server by configuring the SSL profile to use only RC4-SHA ciphers. For example, to configure an SSL profile to use only RC4-SHA ciphers, perform the following procedure:\n\n**Impact of workaround:** Only RC4-SHA ciphers are allowed. Limiting the ciphers supported by the SSL profile may result in clients being unable to establish an SSL connection.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Local Traffic** > **Profiles**.\n 3. From the **SSL** menu, choose **Client**.\n 4. Click **Create**.\n 5. Type a name for the **SSL** profile.\n 6. From the **Parent Profile** menu, choose **clientssl**.\n 7. From the **Configuration** menu, choose **Advanced**.\n 8. Click the **Custom** box for **Ciphers**.\n 9. Delete the DEFAULT cipher string from the **Ciphers** box.\n 10. Enter the desired cipher string in the **Ciphers** box. \n\nFor example, the following string would configure an SSL profile to use only RC4-SHA ciphers:\n\nRC4-SHA\n\n 11. Click **Finished**. \n\nYou must now associate the SSL profile with the virtual server.\n\n**Note**: Alternatively, to configure an SSL profile to use only RC4-SHA ciphers using the** tmsh **utility, use the following syntax:\n\ntmsh create /ltm profile client-ssl <name> ciphers RC4-SHA\n\n**Restricting the Configuration utility to use only TLS 1.2 compatible or RC4-SHA ciphers**\n\n**Note**: Support for TLS 1.2 in the Configuration utility was introduced in BIG-IP 11.5.0. \n \nFor BIG-IP 11.5.0 and later, you can mitigate this vulnerability for the Configuration utility by restricting the utility to use only TLS 1.2-compatible ciphers or RC4-SHA ciphers. For example, to restrict the utility to use only TLS 1.2-compatible ciphers or RC4-SHA ciphers, perform the following procedure:\n\n**Note**: Feature enhancements allowing the use of this procedure have also been included in the following software versions: 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, and 10.2.4 HF10.\n\n**Impact of workaround**: The Configuration utility will use only TLS 1.2-compatible ciphers or RC4-SHA ciphers. There is limited client browser support. TLS 1.2.Clients who do not support TLS 1.2 may not be able to connect, or will connect using an RC4-SHA cipher.\n\n**Important**: Many client browsers do not support TLS 1.2.\n\n 1. Log in to the Traffic Management Shell (**tmsh**) by typing the following command: \n\ntmsh\n\n 2. Before you change the SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, type the following command: \n\nlist /sys httpd ssl-ciphersuite\n\nFor example, the BIG-IP 11.5.1 system displays the following cipher string: \n\nALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2\n\n 3. To restrict Configuration utility access to clients using TLS 1.2 or RC4-SHA ciphers, type the following command: \n\nmodify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA' \n \nAlternatively, if you can restrict to only TLS 1.1 and TLS 1.2 ciphers, then type the following command instead: \n \nmodify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1'\n\n 4. Save the configuration change by typing the following command: \n\nsave /sys config\n\n**Restricting the Configuration utility to use only RC4-SHA ciphers**\n\nFor BIG-IP versions that do not support TLS 1.2, you can mitigate this vulnerability for the Configuration utility by restricting the utility to use only RC4-SHA ciphers. For example, to restrict the utility to use only RC4-SHA ciphers, perform the following procedure:\n\n**Impact of workaround**: Only RC4-SHA ciphers are allowed. Limiting the ciphers supported by The Configuration utility may result in clients being unable to connect.\n\n 1. Log in to the Traffic Management Shell (**tmsh**) by typing the following command: \n\ntmsh\n\n 2. Before you change the SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, type the following command: \n\nlist /sys httpd ssl-ciphersuite\n\nFor example, the BIG-IP 11.5.1 system displays the following cipher string: \n\nALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2\n\n 3. To restrict Configuration utility access to clients using RC4-SHA ciphers, type the following command: \n\nmodify /sys httpd ssl-ciphersuite 'RC4-SHA'\n\n 4. Save the configuration change by typing the following command: \n\nsave /sys config\n\n**FirePass**\n\n * None\n\n**Enterprise Manager**\n\n * None\n\n**ARX**\n\n * None\n\nSupplemental Information\n\n * SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles\n * SOL13171: Configuring the cipher strength for SSL profiles (11.x)\n * SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)\n * SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x)\n * SOL13309: Restricting access to the Configuration utility by source IP address (11.x)\n * SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)\n * SOL11444: SSL ciphers supported on BIG-IP platforms (10.x)\n * SOL13156: SSL ciphers used in the default SSL profiles (11.x)\n * SOL10262: SSL ciphers used in the default SSL profiles (10.x)\n * SOL9677: BIG-IP LTM compliance with standard FIPS-197\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n**Note**: The following link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.\n\n * <http://vnhacker.blogspot.com/2011/09/beast.html>\n\n**Note**: For more information about various TLS protocol level attacks and F5 recommendations for mitigating the attacks, refer to the following DevCentral article:\n\n * [Which TLS algorithm should I use?](<https://devcentral.f5.com/articles/which-tls-algorithm-should-i-use#.UiZGfF3n-Ul>)\n", "published": "2012-03-06T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13400.html", "cvelist": ["CVE-2011-3389", "CVE-2012-1870"], "lastseen": "2016-09-26T17:23:00"}], "cert": [{"id": "VU:864643", "type": "cert", "title": "SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes", "description": "### Overview\n\nA vulnerability in the specification of the SSL 3.0 and TLS 1.0 protocols could allow an attacker to decrypt encrypted traffic.\n\n### Description\n\nThe Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network application protocols such as HTTP, IMAP, POP3, LDAP, SMTP, and others. Several different versions of the SSL and TLS protocols have been standardized and are in widespread use. These protocols support the use of both block-based and stream-based ciphers. \n\nA vulnerability in the way the SSL 3.0 and TLS 1.0 protocols select the initialization vector (IV) when operating in cipher-block chaining (CBC) modes allows an attacker to perform a chosen-plaintext attack on encrypted traffic. This vulnerability has been addressed in the specification for the TLS 1.1 and TLS 1.2 protocols. \n \nWhile this vulnerability exists in the underlying specification of the affected protocols, a practical attack called BEAST has been demonstrated in the context of a web browser and the use of the HTTPS protocol. Because of the software functionality available to an attacker in this environment, it represents the most likely attack vector and the most significant risk for affected users. An effective BEAST attack appears to require a cross-domain vulnerability that allows the attacker to issue specially crafted HTTPS requests. A blog post by Th\u00e1i Duong discusses \"...a way to bypass the same-origin policy (SOP)...\" using a Java applet. \n \n--- \n \n### Impact\n\nAn attacker with the ability to pose as a man-in-the-middle and to generate specially-crafted plaintext input could decrypt the contents of an SSL- or TLS-encrypted session. This could allow the attacker to recover potentially sensitive information (e.g., HTTP authentication cookies). \n \n--- \n \n### Solution\n\nWe are currently unaware of a practical solution to this problem. \n \n--- \n \n**Workarounds** \n \nSome vendors have published specific mitigation advice for the attacks related to this issues. Please see the Vendor Information section of this document for more information. \n \nThe following general workarounds can be effective in mitigating this issue: \n\n\n * Prioritize the use of the RC4 algorithm over block ciphers in server software \nNote that this workaround is not feasible to implement on systems that require [FIPS-140](<http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>) compliance since RC4 is not a FIPS-approved cryptographic algorithm. \n * Enable support for TLS 1.1 and/or TLS 1.2 in the web browser \n * Enable support for TLS 1.1 in server software \nNote that both the web servers and the client web browser must support TLS 1.1 or TLS 1.2 for these workarounds to be effective. The session will fallback to an earlier version of the TLS or SSL protocol in the event that either is incompatible with TLS 1.1 or TLS 1.2. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nGoogle| | -| 27 Sep 2011 \nMicrosoft Corporation| | -| 27 Sep 2011 \nMozilla| | -| 28 Sep 2011 \nOpera| | -| 08 Dec 2011 \nApple Inc.| | -| 27 Sep 2011 \nGnuTLS| | -| 27 Sep 2011 \nOpenSSL| | -| 27 Sep 2011 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23864643 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.openssl.org/~bodo/tls-cbc.txt>\n * <http://www.imperialviolet.org/2011/09/23/chromeandbeast.html>\n * <http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php>\n * <http://vnhacker.blogspot.com/2011/09/beast.html>\n * <https://blog.torproject.org/blog/tor-and-beast-ssl-attack>\n * <http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx>\n * <http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx>\n * [http://src.chromium.org/viewvc/chrome?view=rev&revision;=97269](<http://src.chromium.org/viewvc/chrome?view=rev&revision=97269>)\n * <https://bugzilla.mozilla.org/show_bug.cgi?id=665814>\n * <http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html>\n * <http://www.ekoparty.org/2011/juliano-rizzo.php>\n\n### Credit\n\nThanks to Th\u00e1i Duong working with Matasano and Juliano Rizzo of Netifera for reporting the practical attack against this vulnerability. Wei Dai and Bodo M\u00f6ller identified the underlying flaw in the context of SSL and TLS.\n\nThis document was written by Chad R Dougherty.\n\n### Other Information\n\n * CVE IDs: [CVE-2011-3389](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389>)\n * Date Public: 08 Feb 2002\n * Date First Published: 27 Sep 2011\n * Date Last Updated: 08 Dec 2011\n * Severity Metric: 3.37\n * Document Revision: 36\n\n", "published": "2011-09-27T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.kb.cert.org/vuls/id/864643", "cvelist": ["CVE-2011-3389", "CVE-2011-3389"], "lastseen": "2016-02-03T09:12:52"}], "freebsd": [{"id": "18CE9A90-F269-11E1-BE53-080027EF73EC", "type": "freebsd", "title": "fetchmail -- chosen plaintext attack against SSL CBC initialization vectors", "description": "\nMatthias Andree reports:\n\nFetchmail version 6.3.9 enabled \"all SSL workarounds\" (SSL_OP_ALL)\n\t which contains a switch to disable a countermeasure against certain\n\t attacks against block ciphers that permit guessing the\n\t initialization vectors, providing that an attacker can make the\n\t application (fetchmail) encrypt some data for him -- which is not\n\t easily the case.\nStream ciphers (such as RC4) are unaffected.\nCredits to Apple Product Security for reporting this.\n\n", "published": "2012-01-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/18ce9a90-f269-11e1-be53-080027ef73ec.html", "cvelist": ["CVE-2011-3389"], "lastseen": "2016-09-26T17:24:36"}, {"id": "559F3D1B-CB1D-11E5-80A4-001999F8D30B", "type": "freebsd", "title": "asterisk -- Multiple vulnerabilities", "description": "\nThe Asterisk project reports:\n\nAST-2016-001 - BEAST vulnerability in HTTP server\nAST-2016-002 - File descriptor exhaustion in chan_sip\nAST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data\n\n", "published": "2016-02-03T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/559f3d1b-cb1d-11e5-80a4-001999f8d30b.html", "cvelist": ["CVE-2016-2316", "CVE-2011-3389", "CVE-2016-2232"], "lastseen": "2016-09-26T17:24:09"}, {"id": "A4A809D8-25C8-11E1-B531-00215C6A37BB", "type": "freebsd", "title": "opera -- multiple vulnerabilities", "description": "\nOpera software reports:\n\n\nFixed a moderately severe issue; details will be\n\t disclosed at a later date\nFixed an issue that could allow pages to set cookies\n\t or communicate cross-site for some top level domains;\n\t see our advisory\nImproved handling of certificate revocation corner\n\t cases\nAdded a fix for a weakness in the SSL v3.0 and TLS 1.0\n\t specifications, as reported by Thai Duong and Juliano Rizzo;\n\t see our advisory\nFixed an issue where the JavaScript \"in\" operator\n\t allowed leakage of cross-domain information, as reported\n\t by David Bloom; see our advisory\n\n\n", "published": "2011-12-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/a4a809d8-25c8-11e1-b531-00215c6a37bb.html", "cvelist": ["CVE-2011-4681", "CVE-2011-3389", "CVE-2011-4682", "CVE-2011-4683"], "lastseen": "2016-09-26T17:24:41"}], "ics": [{"id": "ICSA-14-098-03", "type": "ics", "title": "Siemens Ruggedcom WIN Products BEAST Attack Vulnerability", "description": "## OVERVIEW\n\nSiemens has identified a BEAST (Browser Exploit Against SSL/TLS) attack vulnerability in Siemens Ruggedcom WIN products. This vulnerability was originally reported directly to Siemens ProductCERT by Dan Frein and Paul Cotter of West Monroe Partners. Siemens has produced a firmware update that fixes compatibility issues with BEAST mitigations of current browser versions.\n\nThis vulnerability could be exploited remotely.\n\n## AFFECTED PRODUCTS\n\nThe following Siemens Ruggedcom WIN product lines are affected:\n\n * WIN7000: all versions prior to v4.4,\n * WIN7200: all versions prior to v4.4,\n * WIN5100: all versions prior to v4.4, and\n * WIN5200: all versions prior to v4.4.\n\n## IMPACT\n\nAn attacker who successfully exploits a system using this vulnerability may be able to access the session ID of the user\u2019s current web session. If combined with a social engineering attack, the attacker may be able to read traffic exchanged between the user and the device.\n\nImpact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nSiemens is a multinational company headquartered in Munich, Germany.\n\nThe Ruggedcom WIN product line is a family of products compliant with the WiMAX 802.16e Wave 2 mobile broadband wireless standard. The product family includes a variety of base stations and subscriber stations. Siemens estimates that these products are used primarily in the United States and Europe with a small percentage in Asia.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### IMPROPER INPUT VALIDATIONa\n\nThe SSL/TLS secured web interface of the affected products is vulnerable to the BEAST attack. As it uses SSL libraries, which are not compatible with 1/n-1 record splitting, some newer browser versions are not able to connect to the web interface.\n\nCVE-2011-3389b has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:N).c\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThis vulnerability could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target this vulnerability.\n\n#### DIFFICULTY\n\nAn attacker with a moderate skill would be able to exploit this vulnerability.\n\n## MITIGATION\n\nSiemens has provided a firmware update (Ruggedcom WIN v4.4) that supports the mitigation technique and recommends customers to update to this version. The update does not fix the BEAST vulnerability itself. After the update, it is possible for customers to securely access the web interface with current version browsers, as the mitigation for the BEAST attack is contained in the browser code.\n\nFor more information on this vulnerability and detailed instructions, please see Siemens Security Advisory SSA-353456 at the following location:\n\n<http://www.siemens.com/cert/advisories>\n\nICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: <http://ics-cert.us-cert.gov/content/recommended-practices>. Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.](<http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf>) ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Mitigation Strategies](<http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>), that is available for download from the ICS-CERT web site (<http://ics-cert.us-cert.gov/>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * a. CWE-20: Improper Input Validation, <http://cwe.mitre.org/data/definitions/20.html>, web site last accessed April 08, 2014.\n * b. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389>, web site last accessed April 08, 2014.\n * c. CVSS Calculator, [http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N>), web site last accessed April 08, 2014.\n", "published": "2014-04-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://ics-cert.us-cert.gov//advisories/ICSA-14-098-03", "cvelist": ["CVE-2011-3389"], "lastseen": "2017-12-04T19:02:39"}], "packetstorm": [{"id": "PACKETSTORM:107407", "type": "packetstorm", "title": "Java Applet Rhino Script Engine Remote Code Execution", "description": "", "published": "2011-11-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/107407/Java-Applet-Rhino-Script-Engine-Remote-Code-Execution.html", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-12-05T22:14:53"}], "metasploit": [{"id": "MSF:EXPLOIT/MULTI/BROWSER/JAVA_RHINO", "type": "metasploit", "title": "Java Applet Rhino Script Engine Remote Code Execution", "description": "This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc)", "published": "2011-11-30T00:05:20", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2011-3544"], "lastseen": "2018-04-11T16:18:38"}, {"id": "MSF:AUXILIARY/SCANNER/MISC/JAVA_RMI_SERVER", "type": "metasploit", "title": "Java RMI Server Insecure Endpoint Code Execution Scanner", "description": "Detect Java RMI endpoints", "published": "2012-04-29T23:10:49", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2011-3556"], "lastseen": "2018-04-04T14:21:13"}, {"id": "MSF:EXPLOIT/MULTI/MISC/JAVA_RMI_SERVER", "type": "metasploit", "title": "Java RMI Server Insecure Default Configuration Java Code Execution", "description": "This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.", "published": "2014-11-14T00:00:11", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2011-3556"], "lastseen": "2018-04-07T20:25:06"}], "saint": [{"id": "SAINT:EA207030303A0FBD6604688A96A1F85F", "type": "saint", "title": "Oracle Java Rhino Script Engine Code Execution", "description": "Added: 12/02/2011 \nCVE: [CVE-2011-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544>) \nBID: [50218](<http://www.securityfocus.com/bid/50218>) \nOSVDB: [76500](<http://www.osvdb.org/76500>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \nJava includes a version of Javascript called Rhino. In addition to providing basic Javascript functionality, Rhino also allows Java objects to interact with Javascript variables. \n\n### Problem\n\nRhino content is run outside the control of the Java SecurityManager, with its own security layer. A vulnerability exists when a Rhino script defines a toString method for the '_this_' object, where the method can disable the SecurityManager for the entire applet and run malicious payload. If an _error_ object's _message_ property is set to _this_ and returned, an attacker can execute arbitrary code on the target system. \n\n### Resolution\n\nUpgrade to Oracle JRE 6 Update 28 or later. \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html> \n<http://schierlm.users.sourceforge.net/CVE-2011-3544.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 6 Update 27 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "published": "2011-12-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/oracle_java_rhino_script_exec", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-12-14T16:58:07"}, {"id": "SAINT:582666CF331D1209695508846FE3A6E0", "type": "saint", "title": "Oracle Java Rhino Script Engine Code Execution", "description": "Added: 12/02/2011 \nCVE: [CVE-2011-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544>) \nBID: [50218](<http://www.securityfocus.com/bid/50218>) \nOSVDB: [76500](<http://www.osvdb.org/76500>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \nJava includes a version of Javascript called Rhino. In addition to providing basic Javascript functionality, Rhino also allows Java objects to interact with Javascript variables. \n\n### Problem\n\nRhino content is run outside the control of the Java SecurityManager, with its own security layer. A vulnerability exists when a Rhino script defines a toString method for the '_this_' object, where the method can disable the SecurityManager for the entire applet and run malicious payload. If an _error_ object's _message_ property is set to _this_ and returned, an attacker can execute arbitrary code on the target system. \n\n### Resolution\n\nUpgrade to Oracle JRE 6 Update 28 or later. \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html> \n<http://schierlm.users.sourceforge.net/CVE-2011-3544.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 6 Update 27 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "published": "2011-12-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/oracle_java_rhino_script_exec", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-10-03T15:01:54"}, {"id": "SAINT:DEBA35B9575FFBBADB9C5A77DDDECF95", "type": "saint", "title": "Oracle Java Rhino Script Engine Code Execution", "description": "Added: 12/02/2011 \nCVE: [CVE-2011-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544>) \nBID: [50218](<http://www.securityfocus.com/bid/50218>) \nOSVDB: [76500](<http://www.osvdb.org/76500>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \nJava includes a version of Javascript called Rhino. In addition to providing basic Javascript functionality, Rhino also allows Java objects to interact with Javascript variables. \n\n### Problem\n\nRhino content is run outside the control of the Java SecurityManager, with its own security layer. A vulnerability exists when a Rhino script defines a toString method for the '_this_' object, where the method can disable the SecurityManager for the entire applet and run malicious payload. If an _error_ object's _message_ property is set to _this_ and returned, an attacker can execute arbitrary code on the target system. \n\n### Resolution\n\nUpgrade to Oracle JRE 6 Update 28 or later. \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html> \n<http://schierlm.users.sourceforge.net/CVE-2011-3544.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 6 Update 27 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "published": "2011-12-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/oracle_java_rhino_script_exec", "cvelist": ["CVE-2011-3544"], "lastseen": "2017-01-10T14:03:43"}], "canvas": [{"id": "JAVA_RHINO", "type": "canvas", "title": "Immunity Canvas: JAVA_RHINO", "description": "**Name**| java_rhino \n---|--- \n**CVE**| CVE-2011-3544 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| java_rhino \n**Notes**| CVE Name: CVE-2011-3544 \nVENDOR: Sun \nOSVDB: http://osvdb.org/show/osvdb/76500 \nRepeatability: Infinite (client side - no crash) \nReferences: http://schierlm.users.sourceforge.net/CVE-2011-3544.html \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544 \nDate public: 10/18/2011 \nCVSS: 10 \n\n", "published": "2011-10-19T17:55:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/java_rhino", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-09-25T14:14:00"}], "exploitdb": [{"id": "EDB-ID:18171", "type": "exploitdb", "title": "Java Applet Rhino Script Engine Remote Code Execution", "description": "Java Applet Rhino Script Engine Remote Code Execution. CVE-2011-3544. Remote exploits for multiple platform", "published": "2011-11-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/18171/", "cvelist": ["CVE-2011-3544"], "lastseen": "2016-02-02T09:17:31"}], "symantec": [{"id": "SMNTC-50218", "type": "symantec", "title": "Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability", "description": "### Description\n\nOracle Java SE is prone to a remote code-execution vulnerability in Java Runtime Environment. The vulnerability can be exploited over multiple protocols. This issue affects the 'Scripting' sub-component. This vulnerability affects the following supported versions: JDK and JRE 7, 6 Update 27\n\n### Technologies Affected\n\n * Apple Mac OS X 10.6 \n * Apple Mac OS X 10.6.1 \n * Apple Mac OS X 10.6.2 \n * Apple Mac OS X 10.6.3 \n * Apple Mac OS X 10.6.4 \n * Apple Mac OS X 10.6.5 \n * Apple Mac OS X 10.6.5 \n * Apple Mac OS X 10.6.6 \n * Apple Mac OS X 10.6.7 \n * Apple Mac OS X 10.6.8 \n * Apple Mac OS X 10.7 \n * Apple Mac OS X 10.7.1 \n * Apple Mac OS X 10.7.2 \n * Apple Mac OS X Server 10.6 \n * Apple Mac OS X Server 10.6.1 \n * Apple Mac OS X Server 10.6.2 \n * Apple Mac OS X Server 10.6.3 \n * Apple Mac OS X Server 10.6.4 \n * Apple Mac OS X Server 10.6.5 \n * Apple Mac OS X Server 10.6.6 \n * Apple Mac OS X Server 10.6.7 \n * Apple Mac OS X Server 10.6.8 \n * Apple Mac OS X Server 10.7 \n * Apple Mac OS X Server 10.7.1 \n * Apple Mac OS X Server 10.7.2 \n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Application Server 5300 SIP Core 2.0 \n * Avaya Aura Communication Manager 4.0 \n * Avaya Aura Communication Manager 4.0 \n * Avaya Aura Communication Manager 5.1 \n * Avaya Aura Communication Manager 5.2 \n * Avaya Aura Communication Manager 5.2.1 \n * Avaya Aura Communication Manager Utility Services 6.0 \n * Avaya Aura Communication Manager Utility Services 6.1 \n * Avaya Aura Conferencing 6.0 Standard \n * Avaya Aura Conferencing 6.0.0 Standard \n * Avaya Aura Experience Portal 6.0 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Presence Services 6.0 \n * Avaya Aura Presence Services 6.1 \n * Avaya Aura Presence Services 6.1.1 \n * Avaya Aura SIP Enablement Services 4.0 \n * Avaya Aura SIP Enablement Services 5.0 \n * Avaya Aura SIP Enablement Services 5.1 \n * Avaya Aura SIP Enablement Services 5.2 \n * Avaya Aura SIP Enablement Services 5.2.1 \n * Avaya Aura Session Manager 1.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 6.0 \n * Avaya Aura Session Manager 6.0 SP1 \n * Avaya Aura Session Manager 6.1 \n * Avaya Aura Session Manager 6.1 SP1 \n * Avaya Aura Session Manager 6.1 SP2 \n * Avaya Aura Session Manager 6.1.1 \n * Avaya Aura Session Manager 6.1.2 \n * Avaya Aura Session Manager 6.1.3 \n * Avaya Aura System Manager 6.1 \n * Avaya Aura System Manager 6.1 SP1 \n * Avaya Aura System Manager 6.1 SP2 \n * Avaya Aura System Manager 6.1.1 \n * Avaya Aura System Manager 6.1.2 \n * Avaya Aura System Manager 6.1.3 \n * Avaya Aura System Platform 1.0 \n * Avaya Aura System Platform 6.0 \n * Avaya Aura System Platform 6.0 SP2 \n * Avaya Aura System Platform 6.0 SP3 \n * Avaya Aura System Platform 6.0.1 \n * Avaya Aura System Platform 6.0.2 \n * Avaya CMS Server 15.0 \n * Avaya CMS Server 15.0 AUX \n * Avaya CMS Server 16.0 \n * Avaya CMS Server 16.1 \n * Avaya CMS Server 16.2 \n * Avaya IP Office Application Server 6.0 \n * Avaya IP Office Application Server 6.1 \n * Avaya IP Office Application Server 7.0 \n * Avaya IQ 5 \n * Avaya IQ 5.1 \n * Avaya IQ 5.1.1 \n * Avaya IQ 5.2 \n * Avaya IR 4.0 \n * Avaya Interactive Response 4.0 \n * Avaya Meeting Exchange 5.0 \n * Avaya Meeting Exchange 5.0 SP1 \n * Avaya Meeting Exchange 5.0 SP2 \n * Avaya Meeting Exchange 5.0.0.0.52 \n * Avaya Meeting Exchange 5.1 \n * Avaya Meeting Exchange 5.1 SP1 \n * Avaya Meeting Exchange 5.2 \n * Avaya Meeting Exchange 5.2 SP1 \n * Avaya Meeting Exchange 5.2 SP2 \n * Avaya Message Networking 5.2 \n * Avaya Message Networking 5.2 SP1 \n * Avaya Message Networking 5.2.1 \n * Avaya Message Networking 5.2.2 \n * Avaya Message Networking 5.2.3 \n * Avaya Message Networking 5.2.4 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Storage Server 5.2 \n * Avaya Messaging Storage Server 5.2 SP1 \n * Avaya Messaging Storage Server 5.2 SP2 \n * Avaya Messaging Storage Server 5.2 SP3 \n * Avaya Messaging Storage Server 5.2.2 \n * Avaya Messaging Storage Server 5.2.8 \n * Avaya Proactive Contact 4.0 \n * Avaya Proactive Contact 4.0.1 \n * Avaya Proactive Contact 4.1 \n * Avaya Proactive Contact 4.1.1 \n * Avaya Proactive Contact 4.1.2 \n * Avaya Proactive Contact 4.2 \n * Avaya Proactive Contact 4.2.1 \n * Avaya Proactive Contact 4.2.2 \n * Avaya Proactive Contact 5.0 \n * Avaya Voice Portal 4.0 \n * Avaya Voice Portal 4.1 \n * Avaya Voice Portal 4.1 SP1 \n * Avaya Voice Portal 4.1 SP2 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.0 SP2 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 SP1 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Debian Linux 6.0 amd64 \n * Debian Linux 6.0 arm \n * Debian Linux 6.0 ia-32 \n * Debian Linux 6.0 ia-64 \n * Debian Linux 6.0 mips \n * Debian Linux 6.0 powerpc \n * Debian Linux 6.0 s/390 \n * Debian Linux 6.0 sparc \n * Fedoraproject Fedora 14 \n * Fedoraproject Fedora 15 \n * Fedoraproject Fedora 16 \n * Gentoo Linux \n * HP HP-UX B.11.11 \n * HP HP-UX B.11.23 \n * HP HP-UX B.11.31 \n * HP Network Node Manager i 9.1 \n * HP NonStop Server H06.15.00 \n * HP NonStop Server H06.15.01 \n * HP NonStop Server H06.15.02 \n * HP NonStop Server H06.16.00 \n * HP NonStop Server H06.16.01 \n * HP NonStop Server H06.16.02 \n * HP NonStop Server H06.17.00 \n * HP NonStop Server H06.17.01 \n * HP NonStop Server H06.17.02 \n * HP NonStop Server H06.17.03 \n * HP NonStop Server H06.18.00 \n * HP NonStop Server H06.18.01 \n * HP NonStop Server H06.18.02 \n * HP NonStop Server H06.19.00 \n * HP NonStop Server H06.19.01 \n * HP NonStop Server H06.19.02 \n * HP NonStop Server H06.19.03 \n * HP NonStop Server H06.20.00 \n * HP NonStop Server H06.20.01 \n * HP NonStop Server H06.20.02 \n * HP NonStop Server H06.20.03 \n * HP NonStop Server H06.21.00 \n * HP NonStop Server H06.21.01 \n * HP NonStop Server H06.21.02 \n * HP NonStop Server H06.22.00 \n * HP NonStop Server H06.22.01 \n * HP NonStop Server H06.23 \n * HP NonStop Server H06.24 \n * HP NonStop Server H06.24.01 \n * HP NonStop Server H06.25 \n * HP NonStop Server H06.25.01 \n * HP NonStop Server H06.26 \n * HP NonStop Server H06.26.01 \n * HP NonStop Server H06.27 \n * HP NonStop Server J06.04.00 \n * HP NonStop Server J06.04.01 \n * HP NonStop Server J06.04.02 \n * HP NonStop Server J06.05.00 \n * HP NonStop Server J06.05.01 \n * HP NonStop Server J06.05.02 \n * HP NonStop Server J06.06.00 \n * HP NonStop Server J06.06.01 \n * HP NonStop Server J06.06.02 \n * HP NonStop Server J06.06.03 \n * HP NonStop Server J06.07.00 \n * HP NonStop Server J06.07.01 \n * HP NonStop Server J06.07.02 \n * HP NonStop Server J06.08.00 \n * HP NonStop Server J06.08.01 \n * HP NonStop Server J06.08.02 \n * HP NonStop Server J06.08.03 \n * HP NonStop Server J06.08.04 \n * HP NonStop Server J06.09.00 \n * HP NonStop Server J06.09.01 \n * HP NonStop Server J06.09.02 \n * HP NonStop Server J06.09.03 \n * HP NonStop Server J06.09.04 \n * HP NonStop Server J06.10.00 \n * HP NonStop Server J06.10.01 \n * HP NonStop Server J06.10.02 \n * HP NonStop Server J06.11.00 \n * HP NonStop Server J06.11.01 \n * HP NonStop Server J06.12.00 \n * HP NonStop Server J06.13 \n * HP NonStop Server J06.13.01 \n * HP NonStop Server J06.14 \n * HP NonStop Server J06.14.02 \n * HP NonStop Server J06.15 \n * HP NonStop Server J06.15.01 \n * HP NonStop Server J06.16 \n * HP NonStop Server J6.0.14.01 \n * IBM Java SE 6 \n * IBM Java SE 6 SR8 FP1 \n * IBM Java SE 6.0 \n * IBM Java SE 6.0 SR5 \n * IBM Java SE 6.0 SR6 \n * IBM Java SE 6.0 SR7 \n * IBM Java SE 6.0.0 SR9 \n * IBM Java SE 6.0.0 SR9-FP2 \n * IBM Java SE 7 \n * IBM Java SE 7.0 \n * IBM Rational AppScan Enterprise 8.0.0 \n * IBM Rational AppScan Enterprise 8.0.0.1 \n * IBM Rational AppScan Enterprise 8.0.1 \n * IBM Rational AppScan Enterprise 8.0.1.1 \n * IBM Rational AppScan Enterprise 8.5.0.1 \n * IBM Rational AppScan Enterprise 8.6 \n * IBM Rational AppScan Standard 7.8 \n * IBM Rational AppScan Standard 8.0.0 \n * IBM Rational AppScan Standard 8.0.0.3 \n * IBM Rational AppScan Standard 8.5.0.1 \n * IBM Rational Policy Tester 8.0 \n * IBM Rational Policy Tester 8.5 \n * IBM Rational Policy Tester 8.5.0.1 \n * Mandriva Enterprise Server 5 \n * Mandriva Enterprise Server 5 X86 64 \n * Mandriva Linux Mandrake 2010.1 \n * Mandriva Linux Mandrake 2010.1 X86 64 \n * Mandriva Linux Mandrake 2011 \n * Mandriva Linux Mandrake 2011 x86_64 \n * OpenJDK OpenJDK 1.6.0 \n * OpenJDK OpenJDK 6 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle JDK (Linux Production Release) 1.6.0_22 \n * Oracle JDK (Linux Production Release) 1.6.0_23 \n * Oracle JDK (Linux Production Release) 1.6.0_24 \n * Oracle JDK (Linux Production Release) 1.6.0_25 \n * Oracle JDK (Linux Production Release) 1.6.0_26 \n * Oracle JDK (Linux Production Release) 1.6.0_27 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.6.0_22 \n * Oracle JDK (Solaris Production Release) 1.6.0_23 \n * Oracle JDK (Solaris Production Release) 1.6.0_24 \n * Oracle JDK (Solaris Production Release) 1.6.0_25 \n * Oracle JDK (Solaris Production Release) 1.6.0_26 \n * Oracle JDK (Solaris Production Release) 1.6.0_27 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.6.0_22 \n * Oracle JDK (Windows Production Release) 1.6.0_23 \n * Oracle JDK (Windows Production Release) 1.6.0_24 \n * Oracle JDK (Windows Production Release) 1.6.0_25 \n * Oracle JDK (Windows Production Release) 1.6.0_26 \n * Oracle JDK (Windows Production Release) 1.6.0_27 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JRE (Linux Production Release) 1.6.0_22 \n * Oracle JRE (Linux Production Release) 1.6.0_23 \n * Oracle JRE (Linux Production Release) 1.6.0_24 \n * Oracle JRE (Linux Production Release) 1.6.0_25 \n * Oracle JRE (Linux Production Release) 1.6.0_26 \n * Oracle JRE (Linux Production Release) 1.6.0_27 \n * Oracle JRE (Solaris Production Release) 1.6.0_22 \n * Oracle JRE (Solaris Production Release) 1.6.0_23 \n * Oracle JRE (Solaris Production Release) 1.6.0_24 \n * Oracle JRE (Solaris Production Release) 1.6.0_25 \n * Oracle JRE (Solaris Production Release) 1.6.0_26 \n * Oracle JRE (Solaris Production Release) 1.6.0_27 \n * Oracle JRE (Windows Production Release) 1.6.0_22 \n * Oracle JRE (Windows Production Release) 1.6.0_23 \n * Oracle JRE (Windows Production Release) 1.6.0_24 \n * Oracle JRE (Windows Production Release) 1.6.0_25 \n * Oracle JRE (Windows Production Release) 1.6.0_26 \n * Oracle JRE (Windows Production Release) 1.6.0_27 \n * Panda Antivirus 1.6.0 Update 1 \n * Panda Antivirus 1.6.0 Update 10 \n * Panda Antivirus 1.6.0 Update 11 \n * Panda Antivirus 1.6.0 Update 12 \n * Panda Antivirus 1.6.0 Update 13 \n * Panda Antivirus 1.6.0 Update 14 \n * Panda Antivirus 1.6.0 Update 15 \n * Panda Antivirus 1.6.0 Update 16 \n * Panda Antivirus 1.6.0 Update 17 \n * Panda Antivirus 1.6.0 Update 18 \n * Panda Antivirus 1.6.0 Update 19 \n * Panda Antivirus 1.6.0 Update 2 \n * Panda Antivirus 1.6.0 Update 20 \n * Panda Antivirus 1.6.0 Update 21 \n * Panda Antivirus 1.6.0 Update 3 \n * Panda Antivirus 1.6.0 Update 4 \n * Panda Antivirus 1.6.0 Update 5 \n * Panda Antivirus 1.6.0 Update 6 \n * Panda Antivirus 1.6.0 Update 7 \n * Redhat Desktop Extras 4 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux AS Extras 4 \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux ES Extras 4 \n * Redhat Enterprise Linux Extras 4 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux WS Extras 4 \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Schneider-Electric Trio TView Software 3.27.0 \n * SuSE SUSE Linux Enterprise Java 10 SP4 \n * SuSE SUSE Linux Enterprise Java 11 SP1 \n * SuSE SUSE Linux Enterprise SDK 11 SP1 \n * SuSE SUSE Linux Enterprise Server 10 SP4 \n * SuSE SUSE Linux Enterprise Server 11 SP1 \n * SuSE SUSE Linux Enterprise Server 11 SP1 for SP2 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP1 \n * SuSE SUSE Linux Enterprise Software Development Kit 11 SP1 for SP2 \n * Sun JDK (Linux Production Release) 1.6.0 17 \n * Sun JDK (Linux Production Release) 1.6.0 01 \n * Sun JDK (Linux Production Release) 1.6.0 01-B06 \n * Sun JDK (Linux Production Release) 1.6.0 02 \n * Sun JDK (Linux Production Release) 1.6.0 03 \n * Sun JDK (Linux Production Release) 1.6.0 04 \n * Sun JDK (Linux Production Release) 1.6.0 05 \n * Sun JDK (Linux Production Release) 1.6.0 06 \n * Sun JDK (Linux Production Release) 1.6.0 07 \n * Sun JDK (Linux Production Release) 1.6.0 10 \n * Sun JDK (Linux Production Release) 1.6.0 11 \n * Sun JDK (Linux Production Release) 1.6.0 13 \n * Sun JDK (Linux Production Release) 1.6.0 14 \n * Sun JDK (Linux Production Release) 1.6.0 15 \n * Sun JDK (Linux Production Release) 1.6.0 18 \n * Sun JDK (Linux Production Release) 1.6.0 19 \n * Sun JDK (Linux Production Release) 1.6.0 20 \n * Sun JDK (Linux Production Release) 1.6.0 \n * Sun JDK (Linux Production Release) 1.6.0 Update 10 \n * Sun JDK (Linux Production Release) 1.6.0 Update 11 \n * Sun JDK (Linux Production Release) 1.6.0 Update 12 \n * Sun JDK (Linux Production Release) 1.6.0 Update 13 \n * Sun JDK (Linux Production Release) 1.6.0 Update 14 \n * Sun JDK (Linux Production Release) 1.6.0 Update 15 \n * Sun JDK (Linux Production Release) 1.6.0 Update 16 \n * Sun JDK (Linux Production Release) 1.6.0 Update 17 \n * Sun JDK (Linux Production Release) 1.6.0 Update 18 \n * Sun JDK (Linux Production Release) 1.6.0 Update 19 \n * Sun JDK (Linux Production Release) 1.6.0 Update 20 \n * Sun JDK (Linux Production Release) 1.6.0 Update 21 \n * Sun JDK (Linux Production Release) 1.6.0 Update 3 \n * Sun JDK (Linux Production Release) 1.6.0 Update 4 \n * Sun JDK (Linux Production Release) 1.6.0 Update 5 \n * Sun JDK (Linux Production Release) 1.6.0 Update 6 \n * Sun JDK (Linux Production Release) 1.6.0 Update 7 \n * Sun JDK (Linux Production Release) 1.6.0_21 \n * Sun JDK (Solaris Production Release) 1.6.0 17 \n * Sun JDK (Solaris Production Release) 1.6.0 01 \n * Sun JDK (Solaris Production Release) 1.6.0 01-B06 \n * Sun JDK (Solaris Production Release) 1.6.0 02 \n * Sun JDK (Solaris Production Release) 1.6.0 03 \n * Sun JDK (Solaris Production Release) 1.6.0 04 \n * Sun JDK (Solaris Production Release) 1.6.0 05 \n * Sun JDK (Solaris Production Release) 1.6.0 06 \n * Sun JDK (Solaris Production Release) 1.6.0 07 \n * Sun JDK (Solaris Production Release) 1.6.0 10 \n * Sun JDK (Solaris Production Release) 1.6.0 11 \n * Sun JDK (Solaris Production Release) 1.6.0 13 \n * Sun JDK (Solaris Production Release) 1.6.0 14 \n * Sun JDK (Solaris Production Release) 1.6.0 15 \n * Sun JDK (Solaris Production Release) 1.6.0 18 \n * Sun JDK (Solaris Production Release) 1.6.0 19 \n * Sun JDK (Solaris Production Release) 1.6.0 20 \n * Sun JDK (Solaris Production Release) 1.6.0 \n * Sun JDK (Solaris Production Release) 1.6.0_21 \n * Sun JDK (Windows Production Release) 1.6.0 17 \n * Sun JDK (Windows Production Release) 1.6.0 01 \n * Sun JDK (Windows Production Release) 1.6.0 01-B06 \n * Sun JDK (Windows Production Release) 1.6.0 02 \n * Sun JDK (Windows Production Release) 1.6.0 03 \n * Sun JDK (Windows Production Release) 1.6.0 04 \n * Sun JDK (Windows Production Release) 1.6.0 05 \n * Sun JDK (Windows Production Release) 1.6.0 06 \n * Sun JDK (Windows Production Release) 1.6.0 07 \n * Sun JDK (Windows Production Release) 1.6.0 10 \n * Sun JDK (Windows Production Release) 1.6.0 11 \n * Sun JDK (Windows Production Release) 1.6.0 13 \n * Sun JDK (Windows Production Release) 1.6.0 14 \n * Sun JDK (Windows Production Release) 1.6.0 15 \n * Sun JDK (Windows Production Release) 1.6.0 18 \n * Sun JDK (Windows Production Release) 1.6.0 19 \n * Sun JDK (Windows Production Release) 1.6.0 20 \n * Sun JDK (Windows Production Release) 1.6.0 \n * Sun JDK (Windows Production Release) 1.6.0_21 \n * Sun JRE (Linux Production Release) 1.6.0 17 \n * Sun JRE (Linux Production Release) 1.6.0 01 \n * Sun JRE (Linux Production Release) 1.6.0 02 \n * Sun JRE (Linux Production Release) 1.6.0 03 \n * Sun JRE (Linux Production Release) 1.6.0 04 \n * Sun JRE (Linux Production Release) 1.6.0 05 \n * Sun JRE (Linux Production Release) 1.6.0 06 \n * Sun JRE (Linux Production Release) 1.6.0 07 \n * Sun JRE (Linux Production Release) 1.6.0 10 \n * Sun JRE (Linux Production Release) 1.6.0 11 \n * Sun JRE (Linux Production Release) 1.6.0 12 \n * Sun JRE (Linux Production Release) 1.6.0 13 \n * Sun JRE (Linux Production Release) 1.6.0 14 \n * Sun JRE (Linux Production Release) 1.6.0 15 \n * Sun JRE (Linux Production Release) 1.6.0 18 \n * Sun JRE (Linux Production Release) 1.6.0 19 \n * Sun JRE (Linux Production Release) 1.6.0 20 \n * Sun JRE (Linux Production Release) 1.6.0 \n * Sun JRE (Linux Production Release) 1.6.0_21 \n * Sun JRE (Linux Production Release) 1.7 \n * Sun JRE (Solaris Production Release) 1.6.0 17 \n * Sun JRE (Solaris Production Release) 1.6.0 01 \n * Sun JRE (Solaris Production Release) 1.6.0 02 \n * Sun JRE (Solaris Production Release) 1.6.0 03 \n * Sun JRE (Solaris Production Release) 1.6.0 04 \n * Sun JRE (Solaris Production Release) 1.6.0 05 \n * Sun JRE (Solaris Production Release) 1.6.0 06 \n * Sun JRE (Solaris Production Release) 1.6.0 07 \n * Sun JRE (Solaris Production Release) 1.6.0 10 \n * Sun JRE (Solaris Production Release) 1.6.0 11 \n * Sun JRE (Solaris Production Release) 1.6.0 12 \n * Sun JRE (Solaris Production Release) 1.6.0 13 \n * Sun JRE (Solaris Production Release) 1.6.0 14 \n * Sun JRE (Solaris Production Release) 1.6.0 15 \n * Sun JRE (Solaris Production Release) 1.6.0 18 \n * Sun JRE (Solaris Production Release) 1.6.0 19 \n * Sun JRE (Solaris Production Release) 1.6.0 2 \n * Sun JRE (Solaris Production Release) 1.6.0 \n * Sun JRE (Solaris Production Release) 1.6.0_21 \n * Sun JRE (Solaris Production Release) 1.7 \n * Sun JRE (Windows Production Release) 1.6.0 17 \n * Sun JRE (Windows Production Release) 1.6.0 01 \n * Sun JRE (Windows Production Release) 1.6.0 02 \n * Sun JRE (Windows Production Release) 1.6.0 03 \n * Sun JRE (Windows Production Release) 1.6.0 04 \n * Sun JRE (Windows Production Release) 1.6.0 05 \n * Sun JRE (Windows Production Release) 1.6.0 06 \n * Sun JRE (Windows Production Release) 1.6.0 07 \n * Sun JRE (Windows Production Release) 1.6.0 10 \n * Sun JRE (Windows Production Release) 1.6.0 11 \n * Sun JRE (Windows Production Release) 1.6.0 12 \n * Sun JRE (Windows Production Release) 1.6.0 13 \n * Sun JRE (Windows Production Release) 1.6.0 14 \n * Sun JRE (Windows Production Release) 1.6.0 15 \n * Sun JRE (Windows Production Release) 1.6.0 18 \n * Sun JRE (Windows Production Release) 1.6.0 19 \n * Sun JRE (Windows Production Release) 1.6.0 2 \n * Sun JRE (Windows Production Release) 1.6.0 20 \n * Sun JRE (Windows Production Release) 1.6.0 \n * Sun JRE (Windows Production Release) 1.6.0_21 \n * Sun JRE (Windows Production Release) 1.7 \n * Ubuntu Ubuntu Linux 10.04 ARM \n * Ubuntu Ubuntu Linux 10.04 Amd64 \n * Ubuntu Ubuntu Linux 10.04 I386 \n * Ubuntu Ubuntu Linux 10.04 Powerpc \n * Ubuntu Ubuntu Linux 10.04 Sparc \n * Ubuntu Ubuntu Linux 10.10 ARM \n * Ubuntu Ubuntu Linux 10.10 amd64 \n * Ubuntu Ubuntu Linux 10.10 i386 \n * Ubuntu Ubuntu Linux 10.10 powerpc \n * Ubuntu Ubuntu Linux 11.04 ARM \n * Ubuntu Ubuntu Linux 11.04 amd64 \n * Ubuntu Ubuntu Linux 11.04 i386 \n * Ubuntu Ubuntu Linux 11.04 powerpc \n * Ubuntu Ubuntu Linux 11.10 amd64 \n * Ubuntu Ubuntu Linux 11.10 i386 \n * VMWare ESX 3.5 \n * VMWare ESX 4.0 \n * VMWare ESX 4.1 \n * VMWare Update Manager 5.0 \n * VMWare VirtualCenter 2.5 \n * VMWare vCenter 4.0 \n * VMWare vCenter 4.1 \n * VMWare vCenter 5.0 \n * Xerox FreeFlow Print Server (FFPS) 73.B3.61 \n * Xerox FreeFlow Print Server (FFPS) 73.C0.41 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "published": "2011-10-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/50218", "cvelist": ["CVE-2011-3544", "CVE-2013-1347"], "lastseen": "2018-03-12T06:25:14"}], "fireeye": [{"id": "FIREEYE:4F902DE9FF06143FF34DC80FDBD2AC85", "type": "fireeye", "title": "Internet Explorer 8 Exploit Found in Watering Hole Campaign Targeting Chinese Dissidents", "description": "On March 16th, we discovered a premeditated waterhole campaign that hosts exploits and malware on websites frequented by a specific target group. In this case the target includes Chinese dissidents. For the attacker, this approach is highly attractive since it is very difficult to discover the attacker\u2019s identity. Moreover, this attack is a form of social engineering, leveraging the fact that the target group visits specific websites. By exploiting these \u201cwatering holes\u201d the attacker benefits by investing little time in targeting.\n\nThis attack exploits a fresh vulnerability ([CVE-2013-1288](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1288>), [MS13-021](<http://technet.microsoft.com/en-us/security/bulletin/MS13-021>)) in Internet Explorer 8\u2014just four days after Microsoft released a patch. Why did attackers use a fresh vulnerability? Cost could be a factor. Zero-days tend to be expensive to either research or purchase on black markets.\n\nWe found this exploit being employed in attacks on two hacked Chinese news websites known to promote dissidence against the Chinese government. This is clearly a targeted attack on a very narrow portion of the Chinese populous. However, since cyber attackers are quick copycats, we expect this exploit to be replicated quickly. For this reason, anyone using IE 8 must install a patch immediately or upgrade their browser to new versions. Today, according to [W3Schools.com](<http://www.w3schools.com/browsers/browsers_explorer.asp>), IE is the third most popular browser with about 15% market share. In addition, IE 8 is used by half of all IE users.\n\nBased on the similarity in TTPs (Tools, Techniques, and Procedures), we believe the threat actor is the same as the one behind previous watering hole attacks targeting activists and people with certain political affiliations. In the past this campaign has used various hacked websites such as the Council on Foreign Relations or CFR, [Reporters Without Borders](<https://blog.avast.com:2013:01:22:reporters-without-borders-website-misused-in-wateringhole-attack:>), and a leading American university (that we cannot name).\n\nIn general, based on our observations, this watering hole attack is like many others we have observed: highly targeted and hard to trace\u2014indicative of a very sophisticated attacker. Why? The attack:\n\n * Used hacked websites to deliver the exploit to targeted groups of people. In this case it particularly targets certain group of Chinese speaking people.\n * Used hacked website to host exploit code and malware payload, and also second stage of payload, which makes it very hard to trace the origin of the attack.\n * Takes tremendous effort to compromise websites relevant to the target group. It would require knowledge of web application security.\n * Leverages the zero-day exploits and fresh exploits.\n * Was multi-stage, and the second stage of payload is encrypted and downloaded from a 404-like response page, and is injected dynamically. Once they shut down the operation, it\u2019s hard to trace the attacker\u2019s intention.\n\n[caption id=\"attachment_1348\" align=\"alignnone\" width=\"540\"] Figure 1[/caption]\n\n**Exploit technique**\n\n****The exploit code is hosted on a hacked religious website. This site hosts both IE ([CVE-2013-1288](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1288>)) and Java exploits ([CVE-2013-0422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422>), [CVE-2011-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544>)). On mining our database we found that the web server has a history of hosting malware. We will focus on the chain of execution for the exploit. The first part of the exploit checks the language of browser, and constructs two separate ROP chains for English and Chinese languages as shown in Figure 2. The second part of the exploit is obfuscated and it triggers the vulnerability. Upon successful exploitation it will download a file dd.exe from the same server and execute it.\n\n[caption id=\"attachment_1349\" align=\"alignnone\" width=\"540\"] Figure 2[/caption]\n\n**Malware Payload:**\n\nThe file dd.exe (651fad35d276e5dedc56dfe7f3b5f125) is the stage 1 payload and makes the request show in in Figure 3. The response to this request is a HTML page. In the case of Java exploit we found it serving 9ac8277b848496b28279f57cb959e2fb.\n\n[caption id=\"attachment_1352\" align=\"alignnone\" width=\"539\"] Figure 3[/caption]\n\nThe HTML page displays a page not found message repeatedly using a script on the page if opened in the browser.\n\n[caption id=\"attachment_1374\" align=\"alignnone\" width=\"554\"] Figure 4[/caption]\n\nInterestingly the html page returned also contains Base64 encoded data within a script tag, which is in fact the stage 2 payload. This Base64 encoded data is decrypted and written to %AppData%\\network.inf. The decoded file is read in another part of the code and is subject to further transformations. The first 68 bytes of this the decoded data contains the decryption routine shown in Figure 5. It uses a rolling byte XOR decryption scheme and applies it to the data starting at offset 69. The decrypted data is position independent code, which is injected into an instance of iexplorer.exe launched in suspended state.\n\n[caption id=\"attachment_1350\" align=\"alignnone\" width=\"649\"] Figure 5[/caption]\n\nThis injected second stage payload is a Backdoor PoisonIvy RAT also discovered in other similar watering hole campaigns. This code attempts to connect to a remote server in Hong Kong over port 443. It uses a dynamic DNS provider with the hostname dd.tc.ikwb.com, which translates to 58.64.179.189. The server is not responding at the time of analysis. We found other domains associated with this IP address on robtex.com as shown in Figure 6.\n\n[caption id=\"attachment_1356\" align=\"alignnone\" width=\"378\"] Figure 6[/caption]\n\n**Similarity to previous watering hole campaigns:**\n\nLet us examine the techniques and code used in the current campaign and correlate it with previous attacks. It sets a cookie and forwards to the appropriate exploit page based on the version of the browser as shown in the code snippet below. This same cookie was found being set in earlier campaigns as well.\n\n` `\n\n[caption id=\"attachment_1375\" align=\"alignnone\" width=\"554\"] Figure 7[/caption]\n\nWhen we examine the Java exploit chain of execution we noticed that the code is similar and it re-uses the same naming convention, namely \u201cAppletHigh.jar\u201d and \u201cAppletLow.jar\u201d as shown in the code snippet below. The classnames and vulnerabilities used are also the same.\n\n[caption id=\"attachment_1376\" align=\"alignnone\" width=\"558\"] Figure 8[/caption]\n\nThe exploit traffic for three different campaigns is shown in Table 1. It is evident right away that there are similarities in the URI scheme and the exploit naming convention for Java attacks for the U.S. university and Chinese news site attacks. They both use AppletHigh.jar and AppletLow.jar.\n\nAs also noted by Jindrich Kubec and Eric Romang on their blog, today.swf from CFR attack was replaced by logo1229.swf. Similarly, news.html was replaced by DOITYOUR02.html and robots.txt was replaced by DOITYOUR01.txt. This establishes the similarity between the U.S. university attacks and the CFR attack.\n\n\n\nIn summary, the previous watering hole campaigns have the following similarities with the current attack:\n\n * The websites used for watering hole and hosting payloads are always compromised sites.\n * It sets a cookie with 1 day expiration and the name 'Somethingbbbbb'.\n * It checks the browser and its version.\n * If the browser is Internet Explorer and IE8, it delivers exploit targeting IE8(CVE-2013-1288) otherwise it triggers a java exploit based on the java version installed.\n * It uses similar naming conventions for exploit files. For** **example, if** **the java version is 7 or above it serves CVE-2013-0422 through **AppletHigh.jar** and else it serves CVE-2011-3544 through **AppletLow.jar.**\n * The URI patterns are similar across campaigns.\n * Similar RAT payloads were used in previous campaigns.\n\nOur very own Darien Kindlund has done a [detailed study](<http://www.issa.org/resource/resmgr/journalpdfs/feature0213.pdf>) on such premeditated watering hole attacks and mitigation strategies, which is a good read.\n\nWe want to acknowledge Microsoft\u2019s [MAPP](<http://www.microsoft.com/security/msrc/collaboration/mapp.aspx>) program for sharing intelligence with partners and helping us protect our customers.\n", "published": "2013-03-20T17:26:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html", "cvelist": ["CVE-2011-3544", "CVE-2013-1288", "CVE-2013-0422"], "lastseen": "2017-12-14T08:34:59"}], "securelist": [{"id": "SECURELIST:FA58963C07F2F288FA3096096F60BCF3", "type": "securelist", "title": "Investigation Report for the September 2014 Equation malware detection incident in the US", "description": "\n\n## Background\n\nIn early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee's home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:\n\n 1. Was our software used outside of its intended functionality to pull classified information from a person's computer?\n 2. When did this incident occur?\n 3. Who was this person?\n 4. Was there actually classified information found on the system inadvertently?\n 5. If classified information was pulled back, what happened to said data after? Was it handled appropriately?\n 6. Why was the data pulled back in the first place? Is the evidence this information was passed on to \"Russian Hackers\" or Russian intelligence?\n 7. What types of files were gathered from the supposed system?\n 8. Do we have any indication the user was subsequently \"hacked\" by Russian hackers and data exfiltrated?\n 9. Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers' computers?\n 10. Assuming cyberspies were able to see the screens of our analysts, what could they find on it and how could that be interpreted?\n\nAnswering these questions with factual information would allow us to provide reasonable materials to the media, as well as show hard evidence on what exactly did or did not occur, which may serve as a food for thought to everyone else. To further support the objectivity of the internal investigation we ran our investigation using multiple analysts of non-Russian origin and working outside of Russia to avoid even potential accusations of influence.\n\n## The Wall Street Journal Article\n\nThe article published in October laid out some specifics that need to be documented and fact checked. Important bullet points from the article include:\n\n * The information \"stolen\" provides details on how the U.S. penetrates foreign computer networks and defends against cyberattacks.\n * A National Security Agency contractor removed the highly classified material and put it on his home computer.\n * The data ended up in the hands of so called \"Russian hackers\" after the files were detected using Kaspersky Lab software.\n * The incident occurred in 2015 but wasn't discovered until spring of last year [2016].\n * The Kaspersky Lab linked incident predates the arrest last year of another NSA contractor, Harold Martin.\n * \"Hackers\" homed in on the machine and stole a large amount of data after seeing what files were detected using Kaspersky data.\n\n## Beginning of Search\n\nHaving all of the data above, the first step in trying to answer these questions was to attempt to identify the supposed incident. Since events such as what is outlined above only occur very rarely, and we diligently keep the history of all operations, it should be possible to find them in our telemetry archive given the right search parameters.\n\nThe first assumption we made during the search is that whatever data was allegedly taken, most likely had to do with the so-called Equation Group, since this was the major research in active stage during the time of alleged incident as well as many existing links between Equation Group and NSA highlighted by the media and some security researchers. Our Equation signatures are clearly identifiable based on the malware family names, which contain words including \"Equestre\", \"Equation\", \"Grayfish\", \"Fanny\", \"DoubleFantasy\" given to different tools inside the intrusion set. Taking this into account, we began running searches in our databases dating back to June 2014 (6 months prior to the year the incident allegedly happened) for all alerts triggered containing wildcards such as \"HEUR:Trojan.Win32.Equestre.*\". Results showed quickly: we had a few test (silent) signatures in place that produced a LARGE amount of false positives. This is not something unusual in the process of creating quality signatures for a rare piece of malware. To alleviate this, we sorted results by count of unique hits and quickly were able to zoom in on some activity that happened in September 2014. It should be noted that this date is technically not within the year that the incident supposedly happened, but we wanted to be sure to cover all bases, as journalists and sources sometimes don't have all the details.\n\nBelow is a list of all hits in September for an \"Equestre\" signature, sorted by least amount to most. You can quickly identify the problem signature(s) mentioned above.\n\nDetection name (silent) | Count \n---|--- \nHEUR:Trojan.Win32.Equestre.u | 1 \nHEUR:Trojan.Win32.Equestre.gen.422674 | 3 \nHEUR:Trojan.Win32.Equestre.gen.422683 | 3 \nHEUR:Trojan.Win32.Equestre.gen.427692 | 3 \nHEUR:Trojan.Win32.Equestre.gen.427696 | 4 \nHEUR:Trojan.Win32.Equestre.gen.446160 | 6 \nHEUR:Trojan.Win32.Equestre.gen.446979 | 7 \nHEUR:Trojan.Win32.Equestre.g | 8 \nHEUR:Trojan.Win32.Equestre.ab | 9 \nHEUR:Trojan.Win32.Equestre.y | 9 \nHEUR:Trojan.Win32.Equestre.l | 9 \nHEUR:Trojan.Win32.Equestre.ad | 9 \nHEUR:Trojan.Win32.Equestre.t | 9 \nHEUR:Trojan.Win32.Equestre.e | 10 \nHEUR:Trojan.Win32.Equestre.v | 14 \nHEUR:Trojan.Win32.Equestre.gen.427697 | 18 \nHEUR:Trojan.Win32.Equestre.gen.424814 | 18 \nHEUR:Trojan.Win32.Equestre.s | 19 \nHEUR:Trojan.Win32.Equestre.x | 20 \nHEUR:Trojan.Win32.Equestre.i | 24 \nHEUR:Trojan.Win32.Equestre.p | 24 \nHEUR:Trojan.Win32.Equestre.q | 24 \nHEUR:Trojan.Win32.Equestre.gen.446142 | 34 \nHEUR:Trojan.Win32.Equestre.d | 39 \nHEUR:Trojan.Win32.Equestre.j | 40 \nHEUR:Trojan.Win32.Equestre.gen.427734 | 53 \nHEUR:Trojan.Win32.Equestre.gen.446149 | 66 \nHEUR:Trojan.Win32.Equestre.ag | 142 \nHEUR:Trojan.Win32.Equestre.b | 145 \nHEUR:Trojan.Win32.Equestre.h | 310 \nHEUR:Trojan.Win32.Equestre.gen.422682 | 737 \nHEUR:Trojan.Win32.Equestre.z | 1389 \nHEUR:Trojan.Win32.Equestre.af | 2733 \nHEUR:Trojan.Win32.Equestre.c | 3792 \nHEUR:Trojan.Win32.Equestre.m | 4061 \nHEUR:Trojan.Win32.Equestre.k | 6720 \nHEUR:Trojan.Win32.Equestre.exvf.1 | 6726 \nHEUR:Trojan.Win32.Equestre.w | 6742 \nHEUR:Trojan.Win32.Equestre.f | 9494 \nHEUR:Trojan.Win32.Equestre.gen.446131 | 26329 \nHEUR:Trojan.Win32.Equestre.aa | 87527 \nHEUR:Trojan.Win32.Equestre.gen.447002 | 547349 \nHEUR:Trojan.Win32.Equestre.gen.447013 | 1472919 \n \nTaking this list of alerts, we started at the top and worked our way down, investigating each hit as we went trying to see if there were any indications it may be related to the incident. Most hits were what you would think: victims of Equation or false positives. Eventually we arrived at a signature that fired a large number of times in a short time span on one system, specifically the signature \"HEUR:Trojan.Win32.Equestre.m\" and a 7zip archive (referred below as \"[undisclosed].7z\"). Given limited understanding of Equation at the time of research it could have told our analysts that an archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on. After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development. Below is a list of Equation specific signatures that fired on this system over a period of approximately three months:\n\nHEUR:Trojan.Win32.Equestre.e \nHEUR:Trojan.Win32.Equestre.exvf.1 \nHEUR:Trojan.Win32.Equestre.g \nHEUR:Trojan.Win32.Equestre.gen.424814 \nHEUR:Trojan.Win32.Equestre.gen.427693 \nHEUR:Trojan.Win32.Equestre.gen.427696 \nHEUR:Trojan.Win32.Equestre.gen.427697 \nHEUR:Trojan.Win32.Equestre.gen.427734 \nHEUR:Trojan.Win32.Equestre.gen.446142 \nHEUR:Trojan.Win32.Equestre.gen.446993 \nHEUR:Trojan.Win32.Equestre.gen.465795 \nHEUR:Trojan.Win32.Equestre.i \nHEUR:Trojan.Win32.Equestre.j \nHEUR:Trojan.Win32.Equestre.m \nHEUR:Trojan.Win32.Equestre.p \nHEUR:Trojan.Win32.Equestre.q \nHEUR:Trojan.Win32.Equestre.x \nHEUR:Trojan.Win32.GrayFish.e \nHEUR:Trojan.Win32.GrayFish.f\n\nIn total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users' privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company's reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.\n\nThe file paths observed from these detections indicated that a developer of Equation had plugged in one or more removable drives, AV signatures fired on some of executables as well as archives containing them, and any files detected (including archives they were contained within) were automatically pulled back. At this point in time, we felt confident we had found the source of the story fed to Wall Street Journal and others. Since this type of event clearly does not happen often, we believe some dates were mixed up or not clear from the original source of the leak to the media.\n\nOur next task was to try and answer what may have happened to the data that was pulled back. Clearly an archive does not contain only those files that triggered, and more than likely contained a possible treasure trove of data pertaining to the intrusion set. It was soon discovered that the actual archive files themselves appear to have been removed from our storage of samples, while the individual files that triggered the alerts remained.\n\nUpon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named \"[undisclosed].7z\" was removed from storage. Based on description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold; We don't need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not consumed even to produce detection signatures based on descriptions.\n\nThis concern was later translated into a policy for all malware analysts which are required to delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party. Again to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage. Also, it is very apparent that no documents were actively \"detected on\" during this process. In other words, the only files that fired on specific Equation signatures were binaries, contained within an archive or outside of it. The documents were inadvertently pulled back because they were contained within the larger archive file that alerted on many Equation signatures. According to security software industry standards, requesting a copy of an archive containing malware is a legitimate request, which often helps security companies locate data containers used by malware droppers (i.e. they can be self-extracting archives or even infected ISO files).\n\n## An Interesting Twist\n\nDuring the investigation, we also discovered a very interesting twist to the story that has not been discussed publicly to our knowledge. Since we were attempting to be as thorough as possible, we analyzed EVERY alert ever triggered for the specific system in question and came to a very interesting conclusion. It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time, specifically by a piece of malware hidden inside a malicious MS Office ISO, specifically the \"setup.exe\" file (md5: a82c0575f214bdc7c8ef5a06116cd2a4 - for [detection coverage, see this VirusTotal link](<https://www.virustotal.com/#/file/6bcd591540dce8e0cef7b2dc6a378a10d79f94c3217bca5f05db3c24c2036340/detection>)) .\n\nLooking at the sequence of events and detections on this system, we quickly noticed that the user in question ran the above file with a folder name of \"Office-2013-PPVL-x64-en-US-Oct2013.iso\". What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as \"kms.exe\" (a name of a popular pirated software activation tool), and \"kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions\". Kaspersky Lab products detected the malware with the verdict **Backdoor.Win32.Mokes.hvl**.\n\nAt a later time after installation of the supposed MS Office 2013, the antivirus began blocking connections out on a regular basis to the URL \"http://xvidmovies[.]in/dir/index.php\". Looking into this domain, we can quickly find other malicious files that beacon to the same URL. It's important to note that the reason we know the system was beaconing to this URL is because we were actively blocking it as it was a known bad site. This does however indicate the user actively downloaded / installed malware on the same system around the same time frame as our detections on the Equation files.\n\nTo install and run this malware, the user must have disabled Kaspersky Lab products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the malware was run. **Executing the malware would not have been possible with the antivirus enabled**.\n\nAdditionally, there also may have been other malware from different downloads that we were unaware of during this time frame. Below is a complete list of the 121 non-Equation specific alerts seen on this system over the two month time span:\n\nBackdoor.OSX.Getshell.k \nBackdoor.Win32.Mokes.hvl \nBackdoor.Win32.Shiz.gpmv \nBackdoor.Win32.Swrort.dbq \nDangerousObject.Multi.Chupitio.a \nExploit.Java.Agent.f \nExploit.Java.CVE-2009-3869.a \nExploit.Java.CVE-2010-0094.bb \nExploit.Java.CVE-2010-0094.e \nExploit.Java.CVE-2010-0094.q \nExploit.Java.CVE-2010-0840.gm \nExploit.Java.CVE-2010-0842.d \nExploit.Java.CVE-2010-3563.a \nExploit.Java.CVE-2011-3544.ac \nExploit.Java.CVE-2012-0507.al \nExploit.Java.CVE-2012-0507.je \nExploit.Java.CVE-2012-1723.ad \nExploit.Java.CVE-2012-4681.l \nExploit.JS.Aurora.a \nExploit.MSVisio.CVE-2011-3400.a \nExploit.Multi.CVE-2012-0754.a \nExploit.OSX.Smid.b \nExploit.SWF.CVE-2010-1297.c \nExploit.SWF.CVE-2011-0609.c \nExploit.SWF.CVE-2011-0611.ae \nExploit.SWF.CVE-2011-0611.cd \nExploit.Win32.CVE-2010-0188.a \nExploit.Win32.CVE-2010-0480.a \nExploit.Win32.CVE-2010-3653.a \nExploit.Win32.CVE-2010-3654.a \nHackTool.Win32.Agent.vhs \nHackTool.Win32.PWDump.a \nHackTool.Win32.WinCred.e \nHackTool.Win32.WinCred.i \nHackTool.Win64.Agent.b \nHackTool.Win64.WinCred.a \nHackTool.Win64.WinCred.c \nHEUR:Exploit.FreeBSD.CVE-2013-2171.a \nHEUR:Exploit.Java.CVE-2012-1723.gen \nHEUR:Exploit.Java.CVE-2013-0422.gen \nHEUR:Exploit.Java.CVE-2013-0431.gen \nHEUR:Exploit.Java.CVE-2013-2423.gen \nHEUR:Exploit.Java.Generic \nHEUR:Exploit.Script.Generic \nHEUR:HackTool.AndroidOS.Revtcp.a \nHEUR:Trojan-Downloader.Script.Generic \nHEUR:Trojan-FakeAV.Win32.Onescan.gen \nHEUR:Trojan.Java.Generic \nHEUR:Trojan.Script.Generic \nHEUR:Trojan.Win32.Generic \nHoax.Win32.ArchSMS.cbzph \nKHSE:Exploit.PDF.Generic.a \nnot-a-virus:AdWare.JS.MultiPlug.z \nnot-a-virus:AdWare.NSIS.Agent.bx \nnot-a-virus:AdWare.Win32.Agent.allm \nnot-a-virus:AdWare.Win32.AirAdInstaller.cdgd \nnot-a-virus:AdWare.Win32.AirAdInstaller.emlr \nnot-a-virus:AdWare.Win32.Amonetize.fay \nnot-a-virus:AdWare.Win32.DomaIQ.cjw \nnot-a-virus:AdWare.Win32.Fiseria.t \nnot-a-virus:AdWare.Win32.iBryte.jda \nnot-a-virus:AdWare.Win32.Inffinity.yas \nnot-a-virus:AdWare.Win32.MultiPlug.nbjr \nnot-a-virus:AdWare.Win32.Shopper.adw \nnot-a-virus:Downloader.NSIS.Agent.am \nnot-a-virus:Downloader.NSIS.Agent.an \nnot-a-virus:Downloader.NSIS.Agent.as \nnot-a-virus:Downloader.NSIS.Agent.go \nnot-a-virus:Downloader.NSIS.Agent.lf \nnot-a-virus:Downloader.NSIS.OutBrowse.a \nnot-a-virus:Downloader.Win32.Agent.bxib \nnot-a-virus:Monitor.Win32.Hooker.br \nnot-a-virus:Monitor.Win32.KeyLogger.xh \nnot-a-virus:PSWTool.Win32.Cain.bp \nnot-a-virus:PSWTool.Win32.Cain.bq \nnot-a-virus:PSWTool.Win32.CredDump.a \nnot-a-virus:PSWTool.Win32.FirePass.ia \nnot-a-virus:PSWTool.Win32.NetPass.amv \nnot-a-virus:PSWTool.Win32.PWDump.3 \nnot-a-virus:PSWTool.Win32.PWDump.4 \nnot-a-virus:PSWTool.Win32.PWDump.5 \nnot-a-virus:PSWTool.Win32.PWDump.ar \nnot-a-virus:PSWTool.Win32.PWDump.at \nnot-a-virus:PSWTool.Win32.PWDump.bey \nnot-a-virus:PSWTool.Win32.PWDump.bkr \nnot-a-virus:PSWTool.Win32.PWDump.bve \nnot-a-virus:PSWTool.Win32.PWDump.f \nnot-a-virus:PSWTool.Win32.PWDump.sa \nnot-a-virus:PSWTool.Win32.PWDump.yx \nnot-a-virus:RiskTool.Win32.WinCred.gen \nnot-a-virus:RiskTool.Win64.WinCred.a \nnot-a-virus:WebToolbar.JS.Condonit.a \nnot-a-virus:WebToolbar.Win32.Agent.avl \nnot-a-virus:WebToolbar.Win32.Cossder.updv \nnot-a-virus:WebToolbar.Win32.Cossder.uubg \nnot-a-virus:WebToolbar.Win32.MyWebSearch.sv \nPDM:Trojan.Win32.Badur.a \nTrojan-Banker.Win32.Agent.kan \nTrojan-Downloader.Win32.Genome.jlcv \nTrojan-Dropper.Win32.Injector.jqmj \nTrojan-Dropper.Win32.Injector.ktep \nTrojan-FakeAV.Win64.Agent.j \nTrojan-Ransom.Win32.ZedoPoo.phd \nTrojan.Java.Agent.at \nTrojan.Win32.Adond.lbgp \nTrojan.Win32.Buzus.umzt \nTrojan.Win32.Buzus.uuzf \nTrojan.Win32.Diple.fygv \nTrojan.Win32.Genome.amqoa \nTrojan.Win32.Genome.amtor \nTrojan.Win32.Genome.kpzv \nTrojan.Win32.Genome.ngd \nTrojan.Win32.Inject.euxi \nTrojan.Win32.Starter.ceg \nTrojan.Win32.Swisyn.aaig \nUDS:DangerousObject.Multi.Generic \nUFO:(blocked) \nVirTool.Win32.Rootkit \nVirTool.Win32.Topo.12 \nVirus.Win32.Suspic.gen \nWMUF:(blocked)\n\n## Conclusions\n\nAt this point, we had the answers to the questions we felt could be answered. To summarize, we will address each one below:\n\n**Q1** - Was our software used outside of its intended functionality to pull classified information from a person's computer?\n\n**A1** - The software performed as expected and notified our analysts of alerts on signatures written to detect on Equation group malware that was actively under investigation. In no way was the software used outside of this scope to either pull back additional files that did not fire on a malware signature or were not part of the archive that fired on these signatures.\n\n**Q2** - When did this incident occur?\n\n**A2** - In our professional opinion, the incident spanned between September 11, 2014 and November 17, 2014.\n\n**Q3** - Who was this person?\n\n**A3** - Because our software anonymizes certain aspects of users' information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.\n\n**Q4** - Was there actually classified information found on the system inadvertently?\n\n**A4** - What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on an Equation specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings.\n\n**Q5** - If classified information was pulled back, what happened to said data after? Was it handled appropriately?\n\n**A5** - After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e. \u2013 statistics and some metadata). We cannot assess whether the data was \"handled appropriately\" (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.\n\n**Q6 \u2013 **Why was the data pulled back in the first place? Is the evidence this information was passed on to \"Russian Hackers\" or Russian intelligence?\n\n**A6 - **The information was pulled back because the archive fired on multiple Equation malware signatures. We also found no indication the information ever left our corporate networks. Transfer of a malware file is done with appropriate encryption level relying on RSA+AES with an acceptable key length, which should exclude attempts to intercept such data anywhere on the network between our security software and the analyst receiving the file.\n\n**Q7** - What types of files were gathered from the supposed system?\n\n**A7** - Based on statistics, the files that were submitted to Kaspersky Lab were mostly malware samples and suspected malicious files, either stand-alone, or inside a 7zip archive. The only files stored to date still in our sample collection from this incident are malicious binaries.\n\n**Q8** - Do we have any indication the user was subsequently \"hacked\" by Russian actors and data exfiltrated?\n\n**A8** - Based on the detections and alerts found in the investigation, the system was most likely compromised during this time frame by unknown threat actors. We asses this from the fact that the user installed a backdoored MS Office 2013 illegal activation tool, detected by our products as Backdoor.Win32.Mokes.hvl. To run this malware, the user must have disabled the AV protection, since running it with the antivirus enabled would not have been possible. This malicious software is a Trojan (later identified as \"Smoke Bot\" or \"Smoke Loader\") allegedly created by a Russian hacker in 2011 and made available on [Russian underground forums](<http://xaker.name/threads/22008/>) for purchase. During the period of September 2014-November 2014, the command and control servers of this malware were registered to presumably a Chinese entity going by the name \"Zhou Lou\", from Hunan, using the e-mail address \"zhoulu823@gmail.com\". We are still working on this and further details on this malware might be made available later as a separate research paper.\n\nOf course, the possibility exists that there may have been other malware on the system which our engines did not detect at the time of research. Given that system owner's potential clearance level, the user could have been a prime target of nation states. Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands. What we are certain about is that any non-malware data that we received based on passive consent of the user was deleted from our storage.\n\n**Q9** - Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers' computers?\n\n**A9** - Kaspersky Lab security software, like all other similar solutions from our competitors, has privileged access to computer systems to be able to resist serious malware infections and return control of the infected system back to the user. This level of access allows our software to see any file on the systems that we protect. With great access comes great responsibility and that is why a procedure to create a signature that would request a file from a user's computer has to be carefully handled. Kaspersky malware analysts have rights to create signatures. Once created, these signatures are reviewed and committed by another group within Kaspersky Lab to ensure proper checks and balances. If there were an external attempt to create a signature, that creation would be visible not only in internal databases and historical records, but also via external monitoring of all our released signatures by third parties. Considering that our signatures are regularly reversed by other researchers, competitors, and offensive research companies, if any morally questionable signatures ever existed it would have already been discovered. Our internal analysis and searching revealed no such signatures as well.\n\nIn relation to Equation research specifically, our checks verified that during 2014-2016, none of the researchers working on Equation possessed the rights to commit signatures directly without having an experienced signature developer verifying those. If there was a doubtful intention in signatures during the hunt for Equation samples, this would have been questioned and reported by a lead signature developer.\n\n**Q10** - Assuming cyberspies were able to see screens of our analysts, what could they find on it and how could that be interpreted?\n\n**A10** - We have done a thorough search for keywords and classification markings in our signature databases. The result was negative: we never created any signatures on known classification markings. However, during this sweep we discovered something interesting in relation to TeamSpy research that we published earlier (for more details we recommend to check the original research at https://securelist.com/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/35520/). TeamSpy malware was designed to automatically collect certain files that fell into the interest of the attackers. They defined a list of file extensions, such as office documents (*.doc, *.rtf, *.xls, *.mdb), pdf files (*.pdf) and more. In addition, they used wildcard string pattern based on keywords in the file names, such as *pass*, *secret*, *saidumlo* (meaning \"secret\" in Georgian) and others. These patterns were hardcoded into the malware that we discovered earlier, and could be used to detect similar malware samples. We did discover a signature created by a malware analyst in 2015 that was looking for the following patterns:\n\n * *saidumlo*\n * *secret*.*\n * *.xls\n * *.pdf\n * *.pgp\n * *pass*.*\n\nThese strings had to be located in the body of the malware dump from a sandbox processed sample. In addition, the malware analyst included another indicator to avoid false positives; A path where the malware dropper stored dropped files: ProgramData\\Adobe\\AdobeARM.\n\nOne could theorize about an intelligence operator monitoring a malware analyst's work in the process of entering these strings during the creation of a signature. We cannot say for sure, but it is a possibility that an attacker looking for anything that can expose our company from a negative side, observations like this may work as a trigger for a biased mind. Despite the intentions of the malware analyst, they could have been interpreted wrongly and used to create false allegations against us, supported by screenshots displaying these or similar strings.\n\nMany people including security researchers, governments, and even our direct competitors from the private sector have approached us to express support. It is appalling to see that accusations against our company continue to appear without any proof or factual information being presented. Rumors, anonymous sources, and lack of hard evidence spreads only fear, uncertainty and doubt. We hope that this report sheds some long-overdue light to the public and allows people to draw their own conclusions based on the facts presented above. We are also open and willing to do more, should that be required.\n\n[ **Appendix: Analysis of the Mokes/SmokeBot backdoor from the incident](<https://securelist.com/files/2017/11/Appendix_Mokes-SmokeBot_analysis.pdf>)", "published": "2017-11-16T10:00:34", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://securelist.com/investigation-report-for-the-september-2014-equation-malware-detection-incident-in-the-us/83210/", "cvelist": ["CVE-2009-3869", "CVE-2010-0094", "CVE-2010-0188", "CVE-2010-0480", "CVE-2010-0840", "CVE-2010-0842", "CVE-2010-1297", "CVE-2010-3563", "CVE-2010-3653", "CVE-2010-3654", "CVE-2011-0609", "CVE-2011-0611", "CVE-2011-3400", "CVE-2011-3544", "CVE-2012-0507", "CVE-2012-0754", "CVE-2012-1723", "CVE-2012-4681", "CVE-2013-0422", "CVE-2013-0431", "CVE-2013-2171", "CVE-2013-2423"], "lastseen": "2017-11-27T08:03:02"}]}}
