Debian LTS: Security Advisory for openjdk-7 (DLA-1886-1)
2019-08-16T00:00:00
ID OPENVAS:1361412562310891886 Type openvas Reporter Copyright (C) 2019 Greenbone Networks GmbH Modified 2020-01-29T00:00:00
Description
The remote host is missing an update for the 'openjdk-7' package(s) announced via the DLA-1886-1 advisory.
# Copyright (C) 2019 Greenbone Networks GmbH
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) the respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
# Description phase: when `description` is set, the calls below only declare
# the check's metadata, and the exit(0) at the end of the block stops the
# script before any of the package comparisons further down are reached.
if(description)
{
# Identity of this check and the CVEs it is mapped to.
script_oid("1.3.6.1.4.1.25623.1.0.891886");
script_version("2020-01-29T08:22:52+0000");
script_cve_id("CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2816");
# A single CVSS v2 score/vector is recorded for the whole advisory.
# NOTE(review): the four CVEs may be rated differently on their own; triage
# per CVE rather than from this one value.
script_tag(name:"cvss_base", value:"5.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_tag(name:"last_modification", value:"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)");
script_tag(name:"creation_date", value:"2019-08-16 02:00:12 +0000 (Fri, 16 Aug 2019)");
script_name("Debian LTS: Security Advisory for openjdk-7 (DLA-1886-1)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2019 Greenbone Networks GmbH");
script_family("Debian Local Security Checks");
# Declares gather-package-list.nasl as a prerequisite.
# NOTE(review): presumably that script fills the ssh/login/* keys required
# on the next line - verify.
script_dependencies("gather-package-list.nasl");
# The check requires a Debian login, a collected package list and a release
# key matching DEB8 (Debian 8). NOTE(review): a host scanned without a working
# authenticated login presumably never reaches the comparison, so "no finding"
# from this check is not evidence that the host is patched - confirm scan
# credentials before relying on a clean result.
script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB8");
script_xref(name:"URL", value:"https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html");
script_xref(name:"URL", value:"https://security-tracker.debian.org/tracker/DLA-1886-1");
script_tag(name:"summary", value:"The remote host is missing an update for the 'openjdk-7'
package(s) announced via the DLA-1886-1 advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
script_tag(name:"insight", value:"Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, information disclosure or the execution
of arbitrary code.");
script_tag(name:"affected", value:"'openjdk-7' package(s) on Debian Linux.");
script_tag(name:"solution", value:"For Debian 8 'Jessie', these problems have been fixed in version
7u231-2.6.19-1~deb8u1.
We recommend that you upgrade your openjdk-7 packages.");
script_tag(name:"solution_type", value:"VendorFix");
# Detection is declared as package-based: per the "vuldetect" text above it
# compares installed package versions only. It does not show whether a JVM
# started before the upgrade is still running the old code, so restart Java
# services after patching.
script_tag(name:"qod_type", value:"package");
# End of the description phase; nothing below this block runs in this mode.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Detection phase: compare every package name below against the fixed version
# named in DLA-1886-1 for release "DEB8" and collect whatever isdpkgvuln()
# reports.
res = "";
report = "";

dla_fixed_ver = "7u231-2.6.19-1~deb8u1";
dla_pkgs = make_list("icedtea-7-jre-jamvm",
                     "openjdk-7-dbg",
                     "openjdk-7-demo",
                     "openjdk-7-doc",
                     "openjdk-7-jdk",
                     "openjdk-7-jre",
                     "openjdk-7-jre-headless",
                     "openjdk-7-jre-lib",
                     "openjdk-7-jre-zero",
                     "openjdk-7-source");

foreach dla_pkg (dla_pkgs) {
  # A non-NULL result is appended to the report.
  # NOTE(review): presumably isdpkgvuln() returns NULL when the package is
  # absent or already at/after the fixed version - verify in pkg-lib-deb.inc.
  res = isdpkgvuln(pkg:dla_pkg, ver:dla_fixed_ver, rls:"DEB8");
  if(!isnull(res)) {
    report += res;
  }
}

# At least one package produced a finding: report it and stop.
if(report != "") {
  security_message(data:report);
  exit(0);
}

# Nothing to report. __pkg_match is not assigned in this script.
# NOTE(review): presumably the package library sets it when one of the listed
# packages is installed, and exit code 99 then marks the host as checked and
# not affected - confirm against the library.
if(__pkg_match) {
  exit(99);
}

exit(0);
{"id": "OPENVAS:1361412562310891886", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian LTS: Security Advisory for openjdk-7 (DLA-1886-1)", "description": "The remote host is missing an update for the ", "published": "2019-08-16T00:00:00", "modified": "2020-01-29T00:00:00", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891886", "reporter": "Copyright (C) 2019 Greenbone Networks GmbH", "references": ["https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html", "https://security-tracker.debian.org/tracker/DLA-1886-1"], "cvelist": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769"], "lastseen": "2020-01-29T19:26:06", "viewCount": 68, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4486-1:B09C5", "DEBIAN:DLA-1886-1:800E7", "DEBIAN:DSA-4485-1:63763"]}, {"type": "nessus", "idList": ["SL_20190722_JAVA_1_8_0_OPENJDK_ON_SL7_X.NASL", "CENTOS_RHSA-2019-1815.NASL", "ALA_ALAS-2019-1268.NASL", "ORACLELINUX_ELSA-2019-1840.NASL", "PHOTONOS_PHSA-2019-1_0-0250_OPENJDK.NASL", "ORACLELINUX_ELSA-2019-1815.NASL", "CENTOS_RHSA-2019-1839.NASL", "PHOTONOS_PHSA-2019-2_0-0173_OPENJDK8.NASL", "ORACLELINUX_ELSA-2019-1816.NASL", "NEWSTART_CGSL_NS-SA-2019-0175_JAVA-1.7.0-OPENJDK.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1817", "ELSA-2019-1839", "ELSA-2019-1810", "ELSA-2019-1815", "ELSA-2019-1840", "ELSA-2019-1816", "ELSA-2019-1811"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704486", "OPENVAS:1361412562310883088", "OPENVAS:1361412562310852649", "OPENVAS:1361412562310815180", "OPENVAS:1361412562310883087", "OPENVAS:1361412562310704485", "OPENVAS:1361412562310844116", "OPENVAS:1361412562310883086", "OPENVAS:1361412562310883089", "OPENVAS:1361412562310883085"]}, {"type": "redhat", "idList": ["RHSA-2019:1810", 
"RHSA-2019:1839", "RHSA-2019:2494", "RHSA-2019:1815", "RHSA-2019:1840", "RHSA-2019:1811", "RHSA-2019:1817", "RHSA-2019:1816", "RHSA-2019:2495"]}, {"type": "centos", "idList": ["CESA-2019:1815", "CESA-2019:1811", "CESA-2019:1840", "CESA-2019:1810", "CESA-2019:1839"]}, {"type": "amazon", "idList": ["ALAS-2019-1268", "ALAS-2019-1269", "ALAS2-2019-1268", "ALAS2-2019-1269", "ALAS2-2019-1246"]}, {"type": "ubuntu", "idList": ["USN-4080-1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1916-1", "OPENSUSE-SU-2019:1912-1"]}, {"type": "kaspersky", "idList": ["KLA11520"]}], "modified": "2020-01-29T19:26:06", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2020-01-29T19:26:06", "rev": 2}, "vulnersScore": 7.6}, "pluginID": "1361412562310891886", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891886\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-16 02:00:12 +0000 (Fri, 16 Aug 2019)\");\n script_name(\"Debian LTS: Security Advisory for openjdk-7 (DLA-1886-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1886-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openjdk-7'\n package(s) announced via the DLA-1886-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in denial of\nservice, sandbox bypass, information disclosure or the execution\nof arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"'openjdk-7' package(s) on 
Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n7u231-2.6.19-1~deb8u1.\n\nWe recommend that you upgrade your openjdk-7 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-dbg\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-demo\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-doc\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jdk\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jre\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jre-headless\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jre-lib\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jre-zero\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-source\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "naslFamily": "Debian Local Security Checks"}
{"cve": [{"lastseen": "2020-10-03T13:38:53", "description": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).", "edition": 11, "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-07-23T23:15:00", "title": "CVE-2019-2745", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": 
"LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2745"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jre:11.0.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jdk:1.8.0", "cpe:/a:oracle:jdk:11.0.3"], "id": "CVE-2019-2745", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2745", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jre:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_212:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update212:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:38:53", "description": "Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", "edition": 12, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2019-07-23T23:15:00", "title": "CVE-2019-2816", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2816"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jdk:12.0.1", "cpe:/a:oracle:jre:11.0.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:12.0.1", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jdk:1.8.0", "cpe:/a:oracle:jdk:11.0.3"], "id": "CVE-2019-2816", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2816", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.8.0:update211:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_212:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_211:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:jdk:1.7.0:update221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update212:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:38:53", "description": "Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", "edition": 12, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2019-07-23T23:15:00", "title": "CVE-2019-2762", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2762"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jdk:12.0.1", "cpe:/a:oracle:jre:11.0.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:12.0.1", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jdk:1.8.0", "cpe:/a:oracle:jdk:11.0.3"], "id": "CVE-2019-2762", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2762", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.8.0:update211:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_212:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_211:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:jdk:1.7.0:update221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update212:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:38:53", "description": "Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", "edition": 13, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2019-07-23T23:15:00", "title": "CVE-2019-2769", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2769"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jdk:12.0.1", "cpe:/a:oracle:jre:11.0.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:12.0.1", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jdk:1.8.0", "cpe:/a:oracle:jdk:11.0.3"], "id": "CVE-2019-2769", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2769", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.8.0:update211:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_212:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_211:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:jdk:1.7.0:update221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update212:*:*:*:*:*:*"]}], "debian": [{"lastseen": "2020-08-12T01:03:41", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769"], "description": "Package : openjdk-7\nVersion : 7u231-2.6.19-1~deb8u1\nCVE ID : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in denial of\nservice, sandbox bypass, information disclosure or the execution\nof arbitrary code.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n7u231-2.6.19-1~deb8u1.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 9, "modified": "2019-08-15T21:57:55", "published": "2019-08-15T21:57:55", "id": "DEBIAN:DLA-1886-1:800E7", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201908/msg00020.html", "title": "[SECURITY] [DLA 1886-1] openjdk-7 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-08-12T01:00:53", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4485-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 21, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-8\nCVE ID : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2786\n CVE-2019-2816 CVE-2019-2842\n\nSeveral vulnerabilities have been discovered in the 
OpenJDK Java runtime,\nresulting in information disclosure, denial of service or bypass of\nsandbox restrictions. In addition the implementation of elliptic curve\ncryptography was modernised.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 8u222-b10-1~deb9u1.\n\nWe recommend that you upgrade your openjdk-8 packages.\n\nFor the detailed security status of openjdk-8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openjdk-8\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2019-07-21T18:02:07", "published": "2019-07-21T18:02:07", "id": "DEBIAN:DSA-4485-1:63763", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00133.html", "title": "[SECURITY] [DSA 4485-1] openjdk-8 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-08-12T00:55:50", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4486-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 21, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-11\nCVE ID : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2786\n CVE-2019-2816 CVE-2019-2818 CVE-2019-2821\n\nSeveral vulnerabilities have been discovered in the OpenJDK Java runtime,\nresulting in information disclosure, denial of service or bypass of\nsandbox restrictions. 
In addition the implementation of elliptic curve\ncryptography was modernised.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 11.0.4+11-1~deb10u1.\n\nWe recommend that you upgrade your openjdk-11 packages.\n\nFor the detailed security status of openjdk-11 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openjdk-11\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 9, "modified": "2019-07-21T18:05:20", "published": "2019-07-21T18:05:20", "id": "DEBIAN:DSA-4486-1:B09C5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00134.html", "title": "[SECURITY] [DSA 4486-1] openjdk-11 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-01T01:08:05", "description": "An update of the openjdk package has been released.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-09-12T00:00:00", "title": "Photon OS 1.0: Openjdk PHSA-2019-1.0-0250", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2019-1_0-0250_OPENJDK.NASL", "href": "https://www.tenable.com/plugins/nessus/128710", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-1.0-0250. 
The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128710);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/12/30\");\n\n script_cve_id(\n \"CVE-2019-2745\",\n \"CVE-2019-2762\",\n \"CVE-2019-2769\",\n \"CVE-2019-2816\",\n \"CVE-2019-2821\"\n );\n\n script_name(english:\"Photon OS 1.0: Openjdk PHSA-2019-1.0-0250\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openjdk package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-250.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 
and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.222-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-debuginfo-1.8.0.222-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.222-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.222-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-src-1.8.0.222-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T01:08:25", "description": "An update of the openjdk8 package has been released.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-09-12T00:00:00", 
"title": "Photon OS 2.0: Openjdk8 PHSA-2019-2.0-0173", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk8", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2019-2_0-0173_OPENJDK8.NASL", "href": "https://www.tenable.com/plugins/nessus/128736", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-2.0-0173. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128736);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/30\");\n\n script_cve_id(\n \"CVE-2019-2745\",\n \"CVE-2019-2762\",\n \"CVE-2019-2769\",\n \"CVE-2019-2816\",\n \"CVE-2019-2821\"\n );\n\n script_name(english:\"Photon OS 2.0: Openjdk8 PHSA-2019-2.0-0173\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openjdk8 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-173.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openjdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.222-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.222-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.222-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.222-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", 
reference:\"openjdk8-src-1.8.0.222-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk8\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T04:46:28", "description": "From Red Hat Security Advisory 2019:1839 :\n\nAn update for java-1.7.0-openjdk is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-07-24T00:00:00", "title": "Oracle Linux 7 : 
java-1.7.0-openjdk (ELSA-2019-1839)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:java-1.7.0-openjdk-headless", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-accessibility", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2019-1839.NASL", "href": "https://www.tenable.com/plugins/nessus/126971", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:1839 and \n# Oracle Linux Security Advisory ELSA-2019-1839 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126971);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/01/06\");\n\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_xref(name:\"RHSA\", value:\"2019:1839\");\n\n script_name(english:\"Oracle Linux 7 : java-1.7.0-openjdk (ELSA-2019-1839)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2019:1839 :\n\nAn update for java-1.7.0-openjdk is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-July/008909.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.231-2.6.19.1.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.231-2.6.19.1.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", 
reference:\"java-1.7.0-openjdk-headless-1.7.0.231-2.6.19.1.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.0.1.el7_6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T04:46:26", "description": "From Red Hat Security Advisory 2019:1811 :\n\nAn update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-07-23T00:00:00", "title": "Oracle Linux 6 : java-1.8.0-openjdk (ELSA-2019-1811)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-debug", "cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-debug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-debug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-debug", 
"p-cpe:/a:oracle:linux:java-1.8.0-openjdk", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-debug", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-debug"], "id": "ORACLELINUX_ELSA-2019-1811.NASL", "href": "https://www.tenable.com/plugins/nessus/126937", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:1811 and \n# Oracle Linux Security Advisory ELSA-2019-1811 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126937);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/01/07\");\n\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_xref(name:\"RHSA\", value:\"2019:1811\");\n\n script_name(english:\"Oracle Linux 6 : java-1.8.0-openjdk (ELSA-2019-1811)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2019:1811 :\n\nAn update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-July/008906.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.8.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el6_10\")) flag++;\nif 
(rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-javadoc-debug-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el6_10\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el6_10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T05:18:45", "description": "An update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-07-23T00:00:00", "title": "RHEL 7 : java-1.8.0-openjdk (RHSA-2019:1815)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip-debug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-debug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src", 
"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-debug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-debug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-debug", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-debug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility-debug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk"], "id": "REDHAT-RHSA-2019-1815.NASL", "href": "https://www.tenable.com/plugins/nessus/126941", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:1815. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126941);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2020/01/07\");\n\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_xref(name:\"RHSA\", value:\"2019:1815\");\n\n script_name(english:\"RHEL 7 : java-1.8.0-openjdk (RHSA-2019:1815)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:1815\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2745\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2769\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2786\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2019-2842\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-debug\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:1815\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", 
reference:\"java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-accessibility-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-openjdk-javadoc-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", 
cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el7_6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T05:18:45", "description": "An update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 18, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-07-23T00:00:00", "title": "RHEL 8 : java-1.8.0-openjdk (RHSA-2019:1816)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debugsource", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip", 
"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-slowdebug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-slowdebug-debuginfo", "cpe:/o:redhat:enterprise_linux:8.0", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-slowdebug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-debuginfo", "cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-slowdebug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk"], "id": "REDHAT-RHSA-2019-1816.NASL", "href": "https://www.tenable.com/plugins/nessus/126942", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:1816. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126942);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2020/01/30\");\n\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_xref(name:\"RHSA\", value:\"2019:1816\");\n\n script_name(english:\"RHEL 8 : java-1.8.0-openjdk (RHSA-2019:1816)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related 
information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:1816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2745\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2769\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2786\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2842\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debugsource\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-slowdebug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2019/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 8.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:1816\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-debugsource-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-debugsource-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", 
reference:\"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-demo-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-devel-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-headless-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", 
reference:\"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", reference:\"java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el8_0\")) flag++;\n\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el8_0\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T04:46:27", "description": "From Red Hat Security Advisory 2019:1816 :\n\nAn update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-08-12T00:00:00", "title": "Oracle Linux 8 : java-1.8.0-openjdk (ELSA-2019-1816)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-accessibility", "p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo"], 
"id": "ORACLELINUX_ELSA-2019-1816.NASL", "href": "https://www.tenable.com/plugins/nessus/127601", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:1816 and \n# Oracle Linux Security Advisory ELSA-2019-1816 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127601);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/06\");\n\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_xref(name:\"RHSA\", value:\"2019:1816\");\n\n script_name(english:\"Oracle Linux 8 : java-1.8.0-openjdk (ELSA-2019-1816)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2019:1816 :\n\nAn update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-August/008985.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.8.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 8\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-1.8.0.222.b10-0.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", 
reference:\"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.el8_0\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el8_0\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T05:18:47", "description": "An update for java-1.7.0-openjdk is now available for Red Hat\nEnterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-07-24T00:00:00", "title": "RHEL 6 : java-1.7.0-openjdk (RHSA-2019:1840)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc"], "id": "REDHAT-RHSA-2019-1840.NASL", "href": 
"https://www.tenable.com/plugins/nessus/126973", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:1840. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126973);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2020/01/06\");\n\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_xref(name:\"RHSA\", value:\"2019:1840\");\n\n script_name(english:\"RHEL 6 : java-1.7.0-openjdk (RHSA-2019:1840)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.7.0-openjdk is now available for Red Hat\nEnterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC)\ncryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE,\n8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:1840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2745\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2769\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2786\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2019-2842\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:1840\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", 
reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.el6_10\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-01T01:20:22", "description": "Vulnerability in the Java SE, Java SE Embedded component of Oracle\nJava SE (subcomponent: Utilities). Supported versions that are\naffected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE\nEmbedded: 8u211. Easily exploitable vulnerability allows\nunauthenticated attacker with network access via multiple protocols to\ncompromise Java SE, Java SE Embedded. 
Successful attacks of this\nvulnerability can result in unauthorized ability to cause a partial\ndenial of service (partial DOS) of Java SE, Java SE Embedded. Note:\nThis vulnerability applies to Java deployments, typically in clients\nrunning sandboxed Java Web Start applications or sandboxed Java\napplets (in Java SE 8), that load and run untrusted code (e.g., code\nthat comes from the internet) and rely on the Java sandbox for\nsecurity. This vulnerability can also be exploited by using APIs in\nthe specified Component, e.g., through a web service which supplies\ndata to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS\nVector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2769)\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle\nJava SE (subcomponent: Networking). Supported versions that are\naffected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE\nEmbedded: 8u211. Difficult to exploit vulnerability allows\nunauthenticated attacker with network access via multiple protocols to\ncompromise Java SE, Java SE Embedded. Successful attacks of this\nvulnerability can result in unauthorized update, insert or delete\naccess to some of Java SE, Java SE Embedded accessible data as well as\nunauthorized read access to a subset of Java SE, Java SE Embedded\naccessible data. Note: This vulnerability applies to Java deployments,\ntypically in clients running sandboxed Java Web Start applications or\nsandboxed Java applets (in Java SE 8), that load and run untrusted\ncode (e.g., code that comes from the internet) and rely on the Java\nsandbox for security. This vulnerability can also be exploited by\nusing APIs in the specified Component, e.g., through a web service\nwhich supplies data to the APIs. CVSS 3.0 Base Score 4.8\n(Confidentiality and Integrity impacts). CVSS Vector:\n(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).(CVE-2019-2816)\n\nVulnerability in the Java SE component of Oracle Java SE\n(subcomponent: Security). 
Supported versions that are affected are\nJava SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability\nallows unauthenticated attacker with logon to the infrastructure where\nJava SE executes to compromise Java SE. Successful attacks of this\nvulnerability can result in unauthorized access to critical data or\ncomplete access to all Java SE accessible data. Note: This\nvulnerability applies to Java deployments, typically in clients\nrunning sandboxed Java Web Start applications or sandboxed Java\napplets (in Java SE 8), that load and run untrusted code (e.g., code\nthat comes from the internet) and rely on the Java sandbox for\nsecurity. This vulnerability can also be exploited by using APIs in\nthe specified Component, e.g., through a web service which supplies\ndata to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts).\nCVSS Vector:\n(CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2019-2745)\n\nVulnerability in the Java SE component of Oracle Java SE\n(subcomponent: JCE). The supported version that is affected is Java\nSE: 8u212. Difficult to exploit vulnerability allows unauthenticated\nattacker with network access via multiple protocols to compromise Java\nSE. Successful attacks of this vulnerability can result in\nunauthorized ability to cause a partial denial of service (partial\nDOS) of Java SE. Note: This vulnerability applies to Java deployments,\ntypically in clients running sandboxed Java Web Start applications or\nsandboxed Java applets (in Java SE 8), that load and run untrusted\ncode (e.g., code that comes from the internet) and rely on the Java\nsandbox for security. This vulnerability can also be exploited by\nusing APIs in the specified Component, e.g., through a web service\nwhich supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability\nimpacts). 
CVSS Vector:\n(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2019-2842)\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle\nJava SE (subcomponent: Security). Supported versions that are affected\nare Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211.\nDifficult to exploit vulnerability allows unauthenticated attacker\nwith network access via multiple protocols to compromise Java SE, Java\nSE Embedded. Successful attacks require human interaction from a\nperson other than the attacker and while the vulnerability is in Java\nSE, Java SE Embedded, attacks may significantly impact additional\nproducts. Successful attacks of this vulnerability can result in\nunauthorized read access to a subset of Java SE, Java SE Embedded\naccessible data. Note: This vulnerability applies to Java deployments,\ntypically in clients running sandboxed Java Web Start applications or\nsandboxed Java applets (in Java SE 8), that load and run untrusted\ncode (e.g., code that comes from the internet) and rely on the Java\nsandbox for security. This vulnerability can also be exploited by\nusing APIs in the specified Component, e.g., through a web service\nwhich supplies data to the APIs. CVSS 3.0 Base Score 3.4\n(Confidentiality impacts). CVSS Vector:\n(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). (CVE-2019-2786)\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle\nJava SE (subcomponent: Utilities). Supported versions that are\naffected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE\nEmbedded: 8u211. Easily exploitable vulnerability allows\nunauthenticated attacker with network access via multiple protocols to\ncompromise Java SE, Java SE Embedded. Successful attacks of this\nvulnerability can result in unauthorized ability to cause a partial\ndenial of service (partial DOS) of Java SE, Java SE Embedded. 
Note:\nThis vulnerability applies to Java deployments, typically in clients\nrunning sandboxed Java Web Start applications or sandboxed Java\napplets (in Java SE 8), that load and run untrusted code (e.g., code\nthat comes from the internet) and rely on the Java sandbox for\nsecurity. This vulnerability can also be exploited by using APIs in\nthe specified Component, e.g., through a web service which supplies\ndata to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS\nVector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2762)", "edition": 16, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-08-28T00:00:00", "title": "Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2019-1268)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.7.0-openjdk", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1268.NASL", "href": "https://www.tenable.com/plugins/nessus/128291", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1268.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128291);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_xref(name:\"ALAS\", value:\"2019-1268\");\n\n script_name(english:\"Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2019-1268)\");\n 
script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Vulnerability in the Java SE, Java SE Embedded component of Oracle\nJava SE (subcomponent: Utilities). Supported versions that are\naffected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE\nEmbedded: 8u211. Easily exploitable vulnerability allows\nunauthenticated attacker with network access via multiple protocols to\ncompromise Java SE, Java SE Embedded. Successful attacks of this\nvulnerability can result in unauthorized ability to cause a partial\ndenial of service (partial DOS) of Java SE, Java SE Embedded. Note:\nThis vulnerability applies to Java deployments, typically in clients\nrunning sandboxed Java Web Start applications or sandboxed Java\napplets (in Java SE 8), that load and run untrusted code (e.g., code\nthat comes from the internet) and rely on the Java sandbox for\nsecurity. This vulnerability can also be exploited by using APIs in\nthe specified Component, e.g., through a web service which supplies\ndata to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS\nVector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2769)\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle\nJava SE (subcomponent: Networking). Supported versions that are\naffected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE\nEmbedded: 8u211. Difficult to exploit vulnerability allows\nunauthenticated attacker with network access via multiple protocols to\ncompromise Java SE, Java SE Embedded. Successful attacks of this\nvulnerability can result in unauthorized update, insert or delete\naccess to some of Java SE, Java SE Embedded accessible data as well as\nunauthorized read access to a subset of Java SE, Java SE Embedded\naccessible data. 
Note: This vulnerability applies to Java deployments,\ntypically in clients running sandboxed Java Web Start applications or\nsandboxed Java applets (in Java SE 8), that load and run untrusted\ncode (e.g., code that comes from the internet) and rely on the Java\nsandbox for security. This vulnerability can also be exploited by\nusing APIs in the specified Component, e.g., through a web service\nwhich supplies data to the APIs. CVSS 3.0 Base Score 4.8\n(Confidentiality and Integrity impacts). CVSS Vector:\n(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).(CVE-2019-2816)\n\nVulnerability in the Java SE component of Oracle Java SE\n(subcomponent: Security). Supported versions that are affected are\nJava SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability\nallows unauthenticated attacker with logon to the infrastructure where\nJava SE executes to compromise Java SE. Successful attacks of this\nvulnerability can result in unauthorized access to critical data or\ncomplete access to all Java SE accessible data. Note: This\nvulnerability applies to Java deployments, typically in clients\nrunning sandboxed Java Web Start applications or sandboxed Java\napplets (in Java SE 8), that load and run untrusted code (e.g., code\nthat comes from the internet) and rely on the Java sandbox for\nsecurity. This vulnerability can also be exploited by using APIs in\nthe specified Component, e.g., through a web service which supplies\ndata to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts).\nCVSS Vector:\n(CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2019-2745)\n\nVulnerability in the Java SE component of Oracle Java SE\n(subcomponent: JCE). The supported version that is affected is Java\nSE: 8u212. Difficult to exploit vulnerability allows unauthenticated\nattacker with network access via multiple protocols to compromise Java\nSE. 
Successful attacks of this vulnerability can result in\nunauthorized ability to cause a partial denial of service (partial\nDOS) of Java SE. Note: This vulnerability applies to Java deployments,\ntypically in clients running sandboxed Java Web Start applications or\nsandboxed Java applets (in Java SE 8), that load and run untrusted\ncode (e.g., code that comes from the internet) and rely on the Java\nsandbox for security. This vulnerability can also be exploited by\nusing APIs in the specified Component, e.g., through a web service\nwhich supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability\nimpacts). CVSS Vector:\n(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2842)\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle\nJava SE (subcomponent: Security). Supported versions that are affected\nare Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211.\nDifficult to exploit vulnerability allows unauthenticated attacker\nwith network access via multiple protocols to compromise Java SE, Java\nSE Embedded. Successful attacks require human interaction from a\nperson other than the attacker and while the vulnerability is in Java\nSE, Java SE Embedded, attacks may significantly impact additional\nproducts. Successful attacks of this vulnerability can result in\nunauthorized read access to a subset of Java SE, Java SE Embedded\naccessible data. Note: This vulnerability applies to Java deployments,\ntypically in clients running sandboxed Java Web Start applications or\nsandboxed Java applets (in Java SE 8), that load and run untrusted\ncode (e.g., code that comes from the internet) and rely on the Java\nsandbox for security. This vulnerability can also be exploited by\nusing APIs in the specified Component, e.g., through a web service\nwhich supplies data to the APIs. CVSS 3.0 Base Score 3.4\n(Confidentiality impacts). 
CVSS Vector:\n(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).(CVE-2019-2786)\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle\nJava SE (subcomponent: Utilities). Supported versions that are\naffected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE\nEmbedded: 8u211. Easily exploitable vulnerability allows\nunauthenticated attacker with network access via multiple protocols to\ncompromise Java SE, Java SE Embedded. Successful attacks of this\nvulnerability can result in unauthorized ability to cause a partial\ndenial of service (partial DOS) of Java SE, Java SE Embedded. Note:\nThis vulnerability applies to Java deployments, typically in clients\nrunning sandboxed Java Web Start applications or sandboxed Java\napplets (in Java SE 8), that load and run untrusted code (e.g., code\nthat comes from the internet) and rely on the Java sandbox for\nsecurity. This vulnerability can also be exploited by using APIs in\nthe specified Component, e.g., through a web service which supplies\ndata to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). 
CVSS\nVector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2019-2762)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1268.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update java-1.7.0-openjdk' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", 
"cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-17T12:04:41", "description": "The remote NewStart CGSL host, running version MAIN 4.06, has java-1.7.0-openjdk packages installed that are affected by\nmultiple vulnerabilities:\n\n - Vulnerability in the Java SE component of Oracle Java SE\n (subcomponent: JCE). The supported version that is\n affected is Java SE: 8u212. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java\n SE. Successful attacks of this vulnerability can result\n in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 3.7\n (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2019-2842)\n\n - Vulnerability in the Java SE component of Oracle Java SE\n (subcomponent: Security). Supported versions that are\n affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult\n to exploit vulnerability allows unauthenticated attacker\n with logon to the infrastructure where Java SE executes\n to compromise Java SE. Successful attacks of this\n vulnerability can result in unauthorized access to\n critical data or complete access to all Java SE\n accessible data. 
Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed\n Java Web Start applications or sandboxed Java applets\n (in Java SE 8), that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be\n exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the\n APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts).\n CVSS Vector:\n (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).\n (CVE-2019-2745)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Utilities). Supported\n versions that are affected are Java SE: 7u221, 8u212,\n 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily\n exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks\n of this vulnerability can result in unauthorized ability\n to cause a partial denial of service (partial DOS) of\n Java SE, Java SE Embedded. Note: This vulnerability\n applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 5.3\n (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2019-2762, CVE-2019-2769)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Networking). Supported\n versions that are affected are Java SE: 7u221, 8u212,\n 11.0.3 and 12.0.1; Java SE Embedded: 8u211. 
Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data.\n Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets (in Java SE 8),\n that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a\n web service which supplies data to the APIs. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts).\n CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\n (CVE-2019-2816)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Security). Supported\n versions that are affected are Java SE: 8u212, 11.0.3\n and 12.0.1; Java SE Embedded: 8u211. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks require\n human interaction from a person other than the attacker\n and while the vulnerability is in Java SE, Java SE\n Embedded, attacks may significantly impact additional\n products. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. 
Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 3.4\n (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).\n (CVE-2019-2786)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-09-11T00:00:00", "title": "NewStart CGSL MAIN 4.06 : java-1.7.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0175)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2019-09-11T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0175_JAVA-1.7.0-OPENJDK.NASL", "href": "https://www.tenable.com/plugins/nessus/128692", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0175. 
The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128692);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\n \"CVE-2019-2745\",\n \"CVE-2019-2762\",\n \"CVE-2019-2769\",\n \"CVE-2019-2786\",\n \"CVE-2019-2816\",\n \"CVE-2019-2842\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 4.06 : java-1.7.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0175)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.06, has java-1.7.0-openjdk packages installed that are affected by\nmultiple vulnerabilities:\n\n - Vulnerability in the Java SE component of Oracle Java SE\n (subcomponent: JCE). The supported version that is\n affected is Java SE: 8u212. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java\n SE. Successful attacks of this vulnerability can result\n in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 3.7\n (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2019-2842)\n\n - Vulnerability in the Java SE component of Oracle Java SE\n (subcomponent: Security). 
Supported versions that are\n affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult\n to exploit vulnerability allows unauthenticated attacker\n with logon to the infrastructure where Java SE executes\n to compromise Java SE. Successful attacks of this\n vulnerability can result in unauthorized access to\n critical data or complete access to all Java SE\n accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed\n Java Web Start applications or sandboxed Java applets\n (in Java SE 8), that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be\n exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the\n APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts).\n CVSS Vector:\n (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).\n (CVE-2019-2745)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Utilities). Supported\n versions that are affected are Java SE: 7u221, 8u212,\n 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily\n exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks\n of this vulnerability can result in unauthorized ability\n to cause a partial denial of service (partial DOS) of\n Java SE, Java SE Embedded. Note: This vulnerability\n applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 5.3\n (Availability impacts). 
CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2019-2762, CVE-2019-2769)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Networking). Supported\n versions that are affected are Java SE: 7u221, 8u212,\n 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data.\n Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets (in Java SE 8),\n that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a\n web service which supplies data to the APIs. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts).\n CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\n (CVE-2019-2816)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Security). Supported\n versions that are affected are Java SE: 8u212, 11.0.3\n and 12.0.1; Java SE Embedded: 8u211. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks require\n human interaction from a person other than the attacker\n and while the vulnerability is in Java SE, Java SE\n Embedded, attacks may significantly impact additional\n products. 
Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 3.4\n (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).\n (CVE-2019-2786)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0175\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL java-1.7.0-openjdk packages. Note that updated packages may not be available yet. 
Please\ncontact ZTE for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.06\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.06');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.06\": [\n \"java-1.7.0-openjdk-1.7.0.231-2.6.19.1.el6_10\",\n \"java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.el6_10\",\n \"java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.el6_10\",\n \"java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.el6_10\",\n \"java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.el6_10\",\n \"java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.el6_10\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "amazon": [{"lastseen": "2020-11-10T12:36:20", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", 
"CVE-2019-2769", "CVE-2019-2786"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2769 __](<https://access.redhat.com/security/cve/CVE-2019-2769>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).([CVE-2019-2816 __](<https://access.redhat.com/security/cve/CVE-2019-2816>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).([CVE-2019-2745 __](<https://access.redhat.com/security/cve/CVE-2019-2745>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2842 __](<https://access.redhat.com/security/cve/CVE-2019-2842>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).([CVE-2019-2786 __](<https://access.redhat.com/security/cve/CVE-2019-2786>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2762 __](<https://access.redhat.com/security/cve/CVE-2019-2762>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch \n java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2019-08-23T16:55:00", "published": "2019-08-23T16:55:00", "id": "ALAS-2019-1269", "href": "https://alas.aws.amazon.com/ALAS-2019-1269.html", "title": "Medium: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-10T12:35:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2769 __](<https://access.redhat.com/security/cve/CVE-2019-2769>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).([CVE-2019-2816 __](<https://access.redhat.com/security/cve/CVE-2019-2816>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). 
Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).([CVE-2019-2745 __](<https://access.redhat.com/security/cve/CVE-2019-2745>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2842 __](<https://access.redhat.com/security/cve/CVE-2019-2842>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).([CVE-2019-2786 __](<https://access.redhat.com/security/cve/CVE-2019-2786>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2762 __](<https://access.redhat.com/security/cve/CVE-2019-2762>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.80.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2019-08-23T16:53:00", "published": "2019-08-23T16:53:00", "id": "ALAS-2019-1268", "href": "https://alas.aws.amazon.com/ALAS-2019-1268.html", "title": "Medium: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-10T12:34:57", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", 
"CVE-2019-2745", "CVE-2019-27690", "CVE-2019-2769", "CVE-2019-2786"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2019-2762 __](<https://access.redhat.com/security/cve/CVE-2019-2762>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2019-2842 __](<https://access.redhat.com/security/cve/CVE-2019-2842>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). ([CVE-2019-2745 __](<https://access.redhat.com/security/cve/CVE-2019-2745>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2019-2769 __](<https://access.redhat.com/security/cve/CVE-2019-2769>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). ([CVE-2019-2816 __](<https://access.redhat.com/security/cve/CVE-2019-2816>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). 
Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). ([CVE-2019-2786 __](<https://access.redhat.com/security/cve/CVE-2019-2786>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-headless-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-accessibility-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.amzn2.0.1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.amzn2.0.1.src \n \n x86_64: \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-headless-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-accessibility-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2019-08-23T03:14:00", "published": "2019-08-23T03:14:00", "id": "ALAS2-2019-1268", "href": "https://alas.aws.amazon.com/AL2/ALAS-2019-1268.html", "title": "Medium: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-10T12:37:34", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2602", "CVE-2019-2745", "CVE-2019-2698", "CVE-2019-2684", "CVE-2019-2769", "CVE-2019-2786"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). ([CVE-2019-2684 __](<https://access.redhat.com/security/cve/CVE-2019-2684>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 
([CVE-2019-2769 __](<https://access.redhat.com/security/cve/CVE-2019-2769>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). ([CVE-2019-2816 __](<https://access.redhat.com/security/cve/CVE-2019-2816>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. 
Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ([CVE-2019-2602 __](<https://access.redhat.com/security/cve/CVE-2019-2602>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2019-2762 __](<https://access.redhat.com/security/cve/CVE-2019-2762>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2019-2842 __](<https://access.redhat.com/security/cve/CVE-2019-2842>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). ([CVE-2019-2745 __](<https://access.redhat.com/security/cve/CVE-2019-2745>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. 
Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). ([CVE-2019-2698 __](<https://access.redhat.com/security/cve/CVE-2019-2698>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). 
([CVE-2019-2786 __](<https://access.redhat.com/security/cve/CVE-2019-2786>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n java-1.8.0-openjdk-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-debug-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-headless-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-devel-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-demo-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-src-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.amzn2.0.1.aarch64 \n \n i686: \n java-1.8.0-openjdk-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-debug-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-headless-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-devel-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-demo-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-src-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.222.b10-0.amzn2.0.1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.amzn2.0.1.i686 \n \n noarch: \n 
java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.amzn2.0.1.noarch \n java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.amzn2.0.1.noarch \n java-1.8.0-openjdk-javadoc-debug-1.8.0.222.b10-0.amzn2.0.1.noarch \n java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.222.b10-0.amzn2.0.1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.222.b10-0.amzn2.0.1.src \n \n x86_64: \n java-1.8.0-openjdk-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-debug-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-accessibility-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2019-08-23T03:17:00", "published": "2019-08-23T03:17:00", "id": "ALAS2-2019-1269", "href": "https://alas.aws.amazon.com/AL2/ALAS-2019-1269.html", "title": "Important: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-10T12:34:47", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2766", "CVE-2019-2786"], "description": "**Issue Overview:**\n\nOpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) ([CVE-2019-2786 __](<https://access.redhat.com/security/cve/CVE-2019-2786>))\n\nOpenJDK: Unbounded memory allocation during deserialization in 
Collections (Utilities, 8213432) ([CVE-2019-2769 __](<https://access.redhat.com/security/cve/CVE-2019-2769>))\n\nlibpng: png_image_free in png.c in libpng has a use-after-free because png_image_free_function is called under png_safe_execute. ([CVE-2019-7317 __](<https://access.redhat.com/security/cve/CVE-2019-7317>))\n\nOpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) ([CVE-2019-2762 __](<https://access.redhat.com/security/cve/CVE-2019-2762>))\n\nOpenJDK: Insufficient permission checks for file:// URLs on Windows (Networking, 8213431) ([CVE-2019-2766 __](<https://access.redhat.com/security/cve/CVE-2019-2766>))\n\nOpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) ( \n[CVE-2019-2818 __](<https://access.redhat.com/security/cve/CVE-2019-2818>))\n\nOpenJDK: Missing URL format validation (Networking, 8221518) ([CVE-2019-2816 __](<https://access.redhat.com/security/cve/CVE-2019-2816>)) \n \nOpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) ([CVE-2019-2745 __](<https://access.redhat.com/security/cve/CVE-2019-2745>))\n\nOpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) ([CVE-2019-2821 __](<https://access.redhat.com/security/cve/CVE-2019-2821>))\n\n \n**Affected Packages:** \n\n\njava-11-amazon-corretto\n\n \n**Issue Correction:** \nRun _yum update java-11-amazon-corretto_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n java-11-amazon-corretto-11.0.4+11-1.amzn2.aarch64 \n java-11-amazon-corretto-headless-11.0.4+11-1.amzn2.aarch64 \n java-11-amazon-corretto-javadoc-11.0.4+11-1.amzn2.aarch64 \n \n src: \n java-11-amazon-corretto-11.0.4+11-1.amzn2.src \n \n x86_64: \n java-11-amazon-corretto-11.0.4+11-1.amzn2.x86_64 \n java-11-amazon-corretto-headless-11.0.4+11-1.amzn2.x86_64 \n java-11-amazon-corretto-javadoc-11.0.4+11-1.amzn2.x86_64 \n \n \n", "edition": 1, "modified": "2019-07-18T17:37:00", "published": "2019-07-18T17:37:00", "id": "ALAS2-2019-1246", "href": "https://alas.aws.amazon.com/AL2/ALAS-2019-1246.html", "title": "Medium: java-11-amazon-corretto", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "centos": [{"lastseen": "2020-12-08T03:38:04", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1815\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the 
References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035411.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-accessibility\njava-1.8.0-openjdk-accessibility-debug\njava-1.8.0-openjdk-debug\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-demo-debug\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-devel-debug\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-headless-debug\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-debug\njava-1.8.0-openjdk-javadoc-zip\njava-1.8.0-openjdk-javadoc-zip-debug\njava-1.8.0-openjdk-src\njava-1.8.0-openjdk-src-debug\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:29:31", "published": "2019-07-24T20:29:31", "id": "CESA-2019:1815", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035411.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T03:39:57", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1840\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 
8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035408.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:19:55", "published": "2019-07-24T20:19:55", "id": "CESA-2019:1840", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035408.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T03:37:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1811\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to 
the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035407.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-debug\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-demo-debug\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-devel-debug\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-headless-debug\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-debug\njava-1.8.0-openjdk-src\njava-1.8.0-openjdk-src-debug\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:18:47", "published": "2019-07-24T20:18:47", "id": "CESA-2019:1811", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035407.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T03:39:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1839\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, 
acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035410.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:27:45", "published": "2019-07-24T20:27:45", "id": "CESA-2019:1839", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035410.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T03:40:21", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1810\n\n\nThe java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\n* OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818)\n\nFor more details about the security issue(s), 
including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035409.html\n\n**Affected packages:**\njava-11-openjdk\njava-11-openjdk-debug\njava-11-openjdk-demo\njava-11-openjdk-demo-debug\njava-11-openjdk-devel\njava-11-openjdk-devel-debug\njava-11-openjdk-headless\njava-11-openjdk-headless-debug\njava-11-openjdk-javadoc\njava-11-openjdk-javadoc-debug\njava-11-openjdk-javadoc-zip\njava-11-openjdk-javadoc-zip-debug\njava-11-openjdk-jmods\njava-11-openjdk-jmods-debug\njava-11-openjdk-src\njava-11-openjdk-src-debug\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:25:31", "published": "2019-07-24T20:25:31", "id": "CESA-2019:1810", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035409.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2019-08-01T11:46:07", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.8.0.222.b10-0]\n- Update to aarch64-shenandoah-jdk8u222-b10.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b09-0]\n- Update to aarch64-shenandoah-jdk8u222-b09.\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b08-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b08.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b07 and Shenandoah merge 2019-06-13.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b06.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b05.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b04-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b04.\n- Resolves: 
rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Restore docs make target so docs are built again.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Remove zip-docs make target as RHEL 6.10 RPM does not have that patch.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Provide Javadoc debug subpackage for now, but populate it from the normal build.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Don't produce javadoc sub package for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.0.ea]\n- Include 'ea' designator in Release when appropriate.\n- Use --with-native-debug-symbols=internal which JDK-8036003 adds.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0]\n- Update to aarch64-shenandoah-jdk8u222-b03.\n- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b02-0]\n- Update to aarch64-shenandoah-jdk8u222-b02.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-0]\n- Update to aarch64-shenandoah-jdk8u222-b01.\n- Drop 8171000, 8197546 & PR3634 as applied upstream.\n- Adjust 8214206 fix for S390 as BinaryMagnitudeSeq moved to shenandoahNumberSeq.cpp\n- Resolves: rhbz#1724452", "edition": 3, "modified": "2019-07-22T00:00:00", "published": "2019-07-22T00:00:00", "id": "ELSA-2019-1811", "href": "http://linux.oracle.com/errata/ELSA-2019-1811.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-19T21:15:05", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.8.0.222.b10-0]\n- Update to aarch64-shenandoah-jdk8u222-b10.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b09-0]\n- Update to aarch64-shenandoah-jdk8u222-b09.\n- Switch to GA mode for final release.\n- Resolves: 
rhbz#1724452\n[1:1.8.0.222.b08-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b08.\n- Adjust PR3083/RH134640 to apply after JDK-8182999\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b07 and Shenandoah merge 2019-06-13.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b06.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b05.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b04-0.0.ea]\n- Update new format sources file.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b04-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b04.\n- Drop remaining JDK-8210425/RH1632174 patch now AArch64 part is upstream.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Update to aarch64-shenandoah-jdk8u222-b03.\n- Drop 8210425 patches applied upstream. Still need to add AArch64 version in aarch64/shenandoah-jdk8u.\n- Re-generate JDK-8141570 & JDK-8143245 patches due to 8210425 zeroshark.make changes.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b02-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b02.\n- Drop 8064786/PR3599 & 8210416/RH1632174 as applied upstream (8064786 silently in 8176100).\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-1]\n- Switch to EA mode\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-1]\n- Allow Recommends and Suggests on Fedora platforms too.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-0]\n- Make use of Recommends and Suggests dependent on RHEL 8+ environment.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-0]\n- Update to aarch64-shenandoah-jdk8u222-b01.\n- Refactor PR2888 after inclusion of 8129988 upstream. 
Now includes PR3575.\n- Drop 8171000 & 8197546 as applied upstream.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Fix value of built_doc_archive for javadoc debug package.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Provide Javadoc debug subpackages for now, but populate them from the normal build.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Include 'ea' designator in Release when appropriate.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.\n- Drop unused use_shenandoah_hotspot variable.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Update to aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30.\n- Update version logic to handle -shenandoah* tag suffix.\n- Drop PR3634 as applied upstream.\n- Adjust 8214206 fix for S390 as BinaryMagnitudeSeq moved to shenandoahNumberSeq.cpp\n- Update 8214206 to use log2_long rather than casting to intptr_t, which may be smaller than size_t.\n- Resolves: rhbz#1724452", "edition": 1, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-1816", "href": "http://linux.oracle.com/errata/ELSA-2019-1816.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T11:46:26", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.8.0.222.b10-0]\n- Update to aarch64-shenandoah-jdk8u222-b10.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b09-0]\n- Update to aarch64-shenandoah-jdk8u222-b09.\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b08-0.0.ea]\n- Update to 
aarch64-shenandoah-jdk8u222-b08.\n- Adjust PR3083/RH134640 to apply after JDK-8182999\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b07 and Shenandoah merge 2019-06-13.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b06.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b05.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b04-0.1.ea]\n- Update to aarch64-shenandoah-jdk8u222-b04.\n- Drop remaining JDK-8210425/RH1632174 patch now AArch64 part is upstream.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Use normal_suffix for Javadoc zip filename to copy, as there is is no debug version.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Provide Javadoc debug subpackages for now, but populate them from the normal build.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.0.ea]\n- Include 'ea' designator in Release when appropriate.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0]\n- Update to aarch64-shenandoah-jdk8u222-b03.\n- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.\n- Drop 8210425 patches applied upstream. Still need to add AArch64 version in aarch64/shenandoah-jdk8u.\n- Re-generate JDK-8141570 & JDK-8143245 patches due to 8210425 zeroshark.make changes.\n- Drop unused use_shenandoah_hotspot variable.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b02-0]\n- Update to aarch64-shenandoah-jdk8u222-b02.\n- Drop 8064786/PR3599 & 8210416/RH1632174 as applied upstream (8064786 silently in 8176100).\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-0]\n- Update to aarch64-shenandoah-jdk8u222-b01.\n- Refactor PR2888 after inclusion of 8129988 upstream. 
Now includes PR3575.\n- Drop 8171000, 8197546 & PR3634 as applied upstream.\n- Adjust 8214206 fix for S390 as BinaryMagnitudeSeq moved to shenandoahNumberSeq.cpp\n- Resolves: rhbz#1724452", "edition": 4, "modified": "2019-07-23T00:00:00", "published": "2019-07-23T00:00:00", "id": "ELSA-2019-1815", "href": "http://linux.oracle.com/errata/ELSA-2019-1815.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T11:44:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.7.0.231-2.6.19.1.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.231-2.6.19.1]\n- Add missing hyphen in tapset filename.\n- Resolves: rhbz#1724452\n[1:1.7.0.231-2.6.19.0]\n- Update tapset name in patch.\n- Resolves: rhbz#1724452\n[1:1.7.0.231-2.6.19.0]\n- Bump to 2.6.19 (including tapsets) and OpenJDK 7u231-b01.\n- Fix fsg.sh to fail if patching fails.\n- Resolves: rhbz#1724452", "edition": 3, "modified": "2019-07-24T00:00:00", "published": "2019-07-24T00:00:00", "id": "ELSA-2019-1840", "href": "http://linux.oracle.com/errata/ELSA-2019-1840.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T11:46:20", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.7.0.231-2.6.19.1.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.231-2.6.19.1]\n- Add missing hyphen in tapset filename.\n- Resolves: rhbz#1724452\n[1:1.7.0.231-2.6.19.0]\n- Update tapset filename matching pattern.\n- Resolves: rhbz#1724452\n[1:1.7.0.231-2.6.19.0]\n- Bump to 2.6.19 (including tapsets) and OpenJDK 7u231-b01.\n- Fix fsg.sh to fail if patching fails.\n- Resolves: rhbz#1724452", "edition": 5, 
"modified": "2019-07-24T00:00:00", "published": "2019-07-24T00:00:00", "id": "ELSA-2019-1839", "href": "http://linux.oracle.com/errata/ELSA-2019-1839.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T11:47:31", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:11.0.4.11-0.0.1]\n- link atomic for ix86 build\n[1:11.0.4.11-0]\n- Update to shenandoah-jdk-11.0.4+11 (GA)\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:11.0.4.10-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+10 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.9-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+9 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.8-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+8 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.7-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+7 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.0.ea]\n- Provide Javadoc debug subpackages for now, but populate them from the normal build.\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+6 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.5-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+5 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.4-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+4 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.3-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+3 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.0.ea]\n- Use RHEL 7 format for jspawnhelper addition.\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+2 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.1.ea]\n- Package jspawnhelper (see JDK-8220360).\n- Resolves: rhbz#1724452\n[1:11.0.3.7-2]\n- Include 'ea' designator in Release when appropriate.\n- Resolves: rhbz#1724452\n[1:11.0.3.7-2]\n- Handle milestone as variables so we can alter it easily and set the docs zip 
filename appropriately.\n- Resolves: rhbz#1724452\n[1:11.0.3.7-1]\n- Don't build the test images needlessly.\n- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452", "edition": 4, "modified": "2019-07-23T00:00:00", "published": "2019-07-23T00:00:00", "id": "ELSA-2019-1810", "href": "http://linux.oracle.com/errata/ELSA-2019-1810.html", "title": "java-11-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-19T21:14:09", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:11.0.4.11-0]\n- Update to shenandoah-jdk-11.0.4+11 (GA)\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:11.0.4.10-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+10 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.9-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+9 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.8-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+8 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.7-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+7 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.1.ea]\n- Debug packages should be called 'slowdebug' on RHEL 8\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.0.ea]\n- Provide Javadoc debug subpackages for now, but populate them from the normal build.\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+6 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.5-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+5 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.4-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+4 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.3-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+3 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+2 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.0.ea]\n- Package 
jspawnhelper (see JDK-8220360).\n- Resolves: rhbz#1724452\n[1:11.0.3.7-4]\n- Include 'ea' designator in Release when appropriate.\n- Resolves: rhbz#1724452\n[1:11.0.3.7-4]\n- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.\n- Resolves: rhbz#1724452\n[1:11.0.3.7-3]\n- Don't build the test images needlessly.\n- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452", "edition": 1, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-1817", "href": "http://linux.oracle.com/errata/ELSA-2019-1817.html", "title": "java-11-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "openvas": [{"lastseen": "2019-08-01T13:53:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the 'openjdk-8' package(s) announced via the DSA-4485-1 advisory.", "modified": "2019-08-01T00:00:00", "published": "2019-07-24T00:00:00", "id": "OPENVAS:1361412562310704485", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704485", "type": "openvas", "title": "Debian Security Advisory DSA 4485-1 (openjdk-8 - security update)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704485\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-24 02:00:53 +0000 (Wed, 24 Jul 2019)\");\n script_name(\"Debian Security Advisory DSA 4485-1 (openjdk-8 - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4485.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4485-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openjdk-8'\n package(s) announced via the DSA-4485-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been discovered in the OpenJDK Java runtime,\nresulting in information disclosure, denial of service or bypass of\nsandbox restrictions. 
In addition the implementation of elliptic curve\ncryptography was modernised.\");\n\n script_tag(name:\"affected\", value:\"'openjdk-8' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 8u222-b10-1~deb9u1.\n\nWe recommend that you upgrade your openjdk-8 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-dbg\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-demo\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-doc\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jdk\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jdk-headless\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre-headless\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre-zero\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-source\", ver:\"8u222-b10-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:51:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", 
"CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the ", "modified": "2019-08-01T00:00:00", "published": "2019-07-25T00:00:00", "id": "OPENVAS:1361412562310883089", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883089", "type": "openvas", "title": "CentOS Update for java CESA-2019:1840 centos6 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883089\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-25 02:01:20 +0000 (Thu, 25 Jul 2019)\");\n script_name(\"CentOS Update for java CESA-2019:1840 centos6 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n\n script_xref(name:\"CESA\", value:\"2019:1840\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-July/023370.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2019:1840 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography\n(Security, 8208698) (CVE-2019-2745)\n\n * OpenJDK: Insufficient checks of 
suppressed exceptions in deserialization\n(Utilities, 8212328) (CVE-2019-2762)\n\n * OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n * OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)\n(CVE-2019-2842)\n\n * OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 6.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS6\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n 
if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:51:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the 'java' package(s) announced via the CESA-2019:1811 advisory.", "modified": "2019-08-01T00:00:00", "published": "2019-07-25T00:00:00", "id": "OPENVAS:1361412562310883085", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883085", "type": "openvas", "title": "CentOS Update for java CESA-2019:1811 centos6 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883085\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-25 02:00:55 +0000 (Thu, 25 Jul 2019)\");\n script_name(\"CentOS Update for java CESA-2019:1811 centos6 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n\n script_xref(name:\"CESA\", value:\"2019:1811\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-July/023369.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2019:1811 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography\n(Security, 8208698) (CVE-2019-2745)\n\n * OpenJDK: Insufficient checks of 
suppressed exceptions in deserialization\n(Utilities, 8212328) (CVE-2019-2762)\n\n * OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n * OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)\n(CVE-2019-2842)\n\n * OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 6.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS6\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-debug\", rpm:\"java-1.8.0-openjdk-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo\", rpm:\"java-1.8.0-openjdk-demo~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo-debug\", rpm:\"java-1.8.0-openjdk-demo-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel-debug\", rpm:\"java-1.8.0-openjdk-devel-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless-debug\", rpm:\"java-1.8.0-openjdk-headless-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc\", rpm:\"java-1.8.0-openjdk-javadoc~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-debug\", rpm:\"java-1.8.0-openjdk-javadoc-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src\", rpm:\"java-1.8.0-openjdk-src~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src-debug\", rpm:\"java-1.8.0-openjdk-src-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:51:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the ", "modified": "2019-08-01T00:00:00", "published": "2019-07-25T00:00:00", "id": "OPENVAS:1361412562310883088", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883088", "type": "openvas", "title": "CentOS Update for java CESA-2019:1839 centos7 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely 
excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883088\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-25 02:01:15 +0000 (Thu, 25 Jul 2019)\");\n script_name(\"CentOS Update for java CESA-2019:1839 centos7 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2019:1839\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-July/023372.html\");\n\n script_tag(name:\"summary\", 
value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2019:1839 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography\n(Security, 8208698) (CVE-2019-2745)\n\n * OpenJDK: Insufficient checks of suppressed exceptions in deserialization\n(Utilities, 8212328) (CVE-2019-2762)\n\n * OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n * OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)\n(CVE-2019-2842)\n\n * OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.231~2.6.19.1.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-accessibility\", 
rpm:\"java-1.7.0-openjdk-accessibility~1.7.0.231~2.6.19.1.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.231~2.6.19.1.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.231~2.6.19.1.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-headless\", rpm:\"java-1.7.0-openjdk-headless~1.7.0.231~2.6.19.1.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.231~2.6.19.1.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.231~2.6.19.1.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:51:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the 'java' package(s) announced via the CESA-2019:1815 advisory.", "modified": "2019-08-01T00:00:00", "published": "2019-07-25T00:00:00", "id": "OPENVAS:1361412562310883086", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883086", "type": "openvas", "title": "CentOS Update for java CESA-2019:1815 centos7 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public 
License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883086\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-25 02:01:00 +0000 (Thu, 25 Jul 2019)\");\n script_name(\"CentOS Update for java CESA-2019:1815 centos7 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2019:1815\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-July/023373.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2019:1815 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography\n(Security, 8208698) (CVE-2019-2745)\n\n * OpenJDK: Insufficient checks of suppressed exceptions in deserialization\n(Utilities, 8212328) (CVE-2019-2762)\n\n * OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n * OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)\n(CVE-2019-2842)\n\n * OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-accessibility\", rpm:\"java-1.8.0-openjdk-accessibility~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-accessibility-debug\", rpm:\"java-1.8.0-openjdk-accessibility-debug~1.8.0.222.b10~0.el7_6\", 
rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-debug\", rpm:\"java-1.8.0-openjdk-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo\", rpm:\"java-1.8.0-openjdk-demo~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo-debug\", rpm:\"java-1.8.0-openjdk-demo-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel-debug\", rpm:\"java-1.8.0-openjdk-devel-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless-debug\", rpm:\"java-1.8.0-openjdk-headless-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc\", rpm:\"java-1.8.0-openjdk-javadoc~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-debug\", rpm:\"java-1.8.0-openjdk-javadoc-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-zip\", rpm:\"java-1.8.0-openjdk-javadoc-zip~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-zip-debug\", rpm:\"java-1.8.0-openjdk-javadoc-zip-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src\", 
rpm:\"java-1.8.0-openjdk-src~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src-debug\", rpm:\"java-1.8.0-openjdk-src-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-09T12:39:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the 'openjdk-8' package(s) announced via the USN-4080-1 advisory.", "modified": "2019-08-08T00:00:00", "published": "2019-08-01T00:00:00", "id": "OPENVAS:1361412562310844116", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844116", "type": "openvas", "title": "Ubuntu Update for openjdk-8 USN-4080-1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844116\");\n script_version(\"2019-08-08T09:10:13+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\",\n \"CVE-2019-2816\", \"CVE-2019-2842\", \"CVE-2019-7317\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-08 09:10:13 +0000 (Thu, 08 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-01 02:01:11 +0000 (Thu, 01 Aug 2019)\");\n script_name(\"Ubuntu Update for openjdk-8 USN-4080-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"4080-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-4080-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openjdk-8'\n package(s) announced via the USN-4080-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Keegan Ryan discovered that the ECC implementation in OpenJDK was not\nsufficiently resilient to side-channel attacks. An attacker could possibly\nuse this to expose sensitive information. 
(CVE-2019-2745)\n\nIt was discovered that OpenJDK did not sufficiently validate serial streams\nbefore deserializing suppressed exceptions in some situations. An attacker\ncould use this to specially craft an object that, when deserialized, would\ncause a denial of service. (CVE-2019-2762)\n\nIt was discovered that in some situations OpenJDK did not properly bound\nthe amount of memory allocated during object deserialization. An attacker\ncould use this to specially craft an object that, when deserialized, would\ncause a denial of service (excessive memory consumption). (CVE-2019-2769)\n\nIt was discovered that OpenJDK did not properly restrict privileges in\ncertain situations. An attacker could use this to specially construct an\nuntrusted Java application or applet that could escape sandbox\nrestrictions. (CVE-2019-2786)\n\nJonathan Birch discovered that the Networking component of OpenJDK did not\nproperly validate URLs in some situations. An attacker could use this to\nbypass restrictions on characters in URLs. (CVE-2019-2816)\n\nNati Nimni discovered that the Java Cryptography Extension component in\nOpenJDK did not properly perform array bounds checking in some situations.\nAn attacker could use this to cause a denial of service. (CVE-2019-2842)\n\nIt was discovered that OpenJDK incorrectly handled certain memory\noperations. If a user or automated system were tricked into opening a\nspecially crafted PNG file, a remote attacker could use this issue to\ncause OpenJDK to crash, resulting in a denial of service, or possibly\nexecute arbitrary code. 
(CVE-2019-7317)\");\n\n script_tag(name:\"affected\", value:\"'openjdk-8' package(s) on Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jdk\", ver:\"8u222-b10-1ubuntu1~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jdk-headless\", ver:\"8u222-b10-1ubuntu1~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre\", ver:\"8u222-b10-1ubuntu1~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre-headless\", ver:\"8u222-b10-1ubuntu1~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre-jamvm\", ver:\"8u222-b10-1ubuntu1~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"openjdk-8-jre-zero\", ver:\"8u222-b10-1ubuntu1~16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:52:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the 'java-11-openjdk' package(s) announced via the CESA-2019:1810 advisory.", "modified": "2019-08-01T00:00:00", "published": "2019-07-25T00:00:00", "id": "OPENVAS:1361412562310883087", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310883087", "type": "openvas", "title": "CentOS Update for java-11-openjdk CESA-2019:1810 centos7 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883087\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2818\", \"CVE-2019-2821\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-25 02:01:07 +0000 (Thu, 25 Jul 2019)\");\n script_name(\"CentOS Update for java-11-openjdk CESA-2019:1810 centos7 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2019:1810\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-July/023371.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-11-openjdk'\n package(s) announced via the CESA-2019:1810 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-11-openjdk packages provide the OpenJDK 11 Java Runtime\nEnvironment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography\n(Security, 8208698) (CVE-2019-2745)\n\n * OpenJDK: Insufficient checks of suppressed exceptions in deserialization\n(Utilities, 8212328) (CVE-2019-2762)\n\n * OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n * OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n * OpenJDK: Incorrect handling of certificate status messages during TLS\nhandshake (JSSE, 8222678) (CVE-2019-2821)\n\n * OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\n * OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security,\n8221344) (CVE-2019-2818)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java-11-openjdk' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk\", rpm:\"java-11-openjdk~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-debug\", rpm:\"java-11-openjdk-debug~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-demo\", rpm:\"java-11-openjdk-demo~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-demo-debug\", rpm:\"java-11-openjdk-demo-debug~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-devel\", rpm:\"java-11-openjdk-devel~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-devel-debug\", rpm:\"java-11-openjdk-devel-debug~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-headless\", rpm:\"java-11-openjdk-headless~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-headless-debug\", rpm:\"java-11-openjdk-headless-debug~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-javadoc\", rpm:\"java-11-openjdk-javadoc~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-javadoc-debug\", rpm:\"java-11-openjdk-javadoc-debug~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-javadoc-zip\", rpm:\"java-11-openjdk-javadoc-zip~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"java-11-openjdk-javadoc-zip-debug\", rpm:\"java-11-openjdk-javadoc-zip-debug~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-jmods\", rpm:\"java-11-openjdk-jmods~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-jmods-debug\", rpm:\"java-11-openjdk-jmods-debug~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-src\", rpm:\"java-11-openjdk-src~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-11-openjdk-src-debug\", rpm:\"java-11-openjdk-src-debug~11.0.4.11~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:52:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the 'openjdk-11' package(s) announced via the DSA-4486-1 advisory.", "modified": "2019-08-01T00:00:00", "published": "2019-07-24T00:00:00", "id": "OPENVAS:1361412562310704486", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704486", "type": "openvas", "title": "Debian Security Advisory DSA 4486-1 (openjdk-11 - security update)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later 
version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704486\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2818\", \"CVE-2019-2821\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-24 02:00:48 +0000 (Wed, 24 Jul 2019)\");\n script_name(\"Debian Security Advisory DSA 4486-1 (openjdk-11 - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB10\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4486.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4486-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openjdk-11'\n package(s) announced via the DSA-4486-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been 
discovered in the OpenJDK Java runtime,\nresulting in information disclosure, denial of service or bypass of\nsandbox restrictions. In addition the implementation of elliptic curve\ncryptography was modernised.\");\n\n script_tag(name:\"affected\", value:\"'openjdk-11' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (buster), these problems have been fixed in\nversion 11.0.4+11-1~deb10u1.\n\nWe recommend that you upgrade your openjdk-11 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-dbg\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-demo\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-doc\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-jdk\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-jdk-headless\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-jre\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-jre-headless\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-jre-zero\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-11-source\", ver:\"11.0.4+11-1~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 5.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-31T16:46:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2766", "CVE-2019-2786"], "description": "The remote host is missing an update for the 'java-1_8_0-openjdk' package(s) announced via the openSUSE-SU-2019:1912-1 advisory.", "modified": "2020-01-31T00:00:00", "published": "2019-08-16T00:00:00", "id": "OPENVAS:1361412562310852649", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852649", "type": "openvas", "title": "openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2019:1912-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852649\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2766\", \"CVE-2019-2769\",\n \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\", \"CVE-2019-7317\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-16 02:00:48 +0000 (Fri, 16 Aug 2019)\");\n script_name(\"openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2019:1912-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1912-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_8_0-openjdk'\n package(s) announced via the openSUSE-SU-2019:1912-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for java-1_8_0-openjdk to version 8u222 fixes the following\n issues:\n\n Security issues fixed:\n\n - CVE-2019-2745: Improved ECC Implementation (bsc#1141784).\n\n - CVE-2019-2762: 
Exceptional throw cases (bsc#1141782).\n\n - CVE-2019-2766: Improve file protocol handling (bsc#1141789).\n\n - CVE-2019-2769: Better copies of CopiesList (bsc#1141783).\n\n - CVE-2019-2786: More limited privilege usage (bsc#1141787).\n\n - CVE-2019-2816: Normalize normalization (bsc#1141785).\n\n - CVE-2019-2842: Extended AES support (bsc#1141786).\n\n - CVE-2019-7317: Improve PNG support (bsc#1141780).\n\n - Certificate validation improvements\n\n Non-security issue fixed:\n\n - Fixed an issue where the installation failed when the manpages are not\n present (bsc#1115375)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1912=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1912=1\");\n\n script_tag(name:\"affected\", value:\"'java-1_8_0-openjdk' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk\", rpm:\"java-1_8_0-openjdk~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-accessibility\", rpm:\"java-1_8_0-openjdk-accessibility~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-debuginfo\", 
rpm:\"java-1_8_0-openjdk-debuginfo~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-debugsource\", rpm:\"java-1_8_0-openjdk-debugsource~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-demo\", rpm:\"java-1_8_0-openjdk-demo~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-demo-debuginfo\", rpm:\"java-1_8_0-openjdk-demo-debuginfo~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-devel\", rpm:\"java-1_8_0-openjdk-devel~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-devel-debuginfo\", rpm:\"java-1_8_0-openjdk-devel-debuginfo~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-headless\", rpm:\"java-1_8_0-openjdk-headless~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-headless-debuginfo\", rpm:\"java-1_8_0-openjdk-headless-debuginfo~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-src\", rpm:\"java-1_8_0-openjdk-src~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_8_0-openjdk-javadoc\", rpm:\"java-1_8_0-openjdk-javadoc~1.8.0.222~lp150.2.19.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-15T16:23:04", "bulletinFamily": 
"scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2769", "CVE-2019-2766"], "description": "The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.", "modified": "2020-05-12T00:00:00", "published": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310815177", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815177", "type": "openvas", "title": "Oracle Java SE Security Updates (jul2019-5072835) 03 - Windows", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815177\");\n script_version(\"2020-05-12T13:57:17+0000\");\n script_cve_id(\"CVE-2019-2769\", \"CVE-2019-2762\", \"CVE-2019-2766\", \"CVE-2019-7317\",\n \"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-12 13:57:17 +0000 (Tue, 12 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-07-17 13:09:55 +0530 (Wed, 17 Jul 2019)\");\n script_name(\"Oracle Java SE Security Updates (jul2019-5072835) 03 - Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to errors in\n 'AWT (libpng)', 'Utilities' and 'Networking' components.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to have an impact on confidentiality, integrity and availability.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE version 7u221(1.7.0.221) and\n earlier, 8u212(1.8.0.212) and earlier, 11.0.2 and earlier, 12.0.1 and earlier\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate patch from the vendor. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Sun/Java/JDK_or_JRE/Win/installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:oracle:jre\", \"cpe:/a:sun:jre\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"1.7.0\", test_version2:\"1.7.0.221\")||\n version_in_range(version:vers, test_version:\"1.8.0\", test_version2:\"1.8.0.212\")||\n version_in_range(version:vers, test_version:\"11.0\", test_version2:\"11.0.3\")||\n version_in_range(version:vers, test_version:\"12.0\", test_version2:\"12.0.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version: \"Apply the patch\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:46:58", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 
8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:05", "published": "2019-07-22T15:45:30", "id": "RHSA-2019:1815", "href": "https://access.redhat.com/errata/RHSA-2019:1815", "type": "redhat", "title": "(RHSA-2019:1815) Moderate: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:43", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, 
acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:03", "published": "2019-07-22T15:45:26", "id": "RHSA-2019:1811", "href": "https://access.redhat.com/errata/RHSA-2019:1811", "type": "redhat", "title": "(RHSA-2019:1811) Moderate: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:06", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-23T21:31:44", "published": "2019-07-23T19:36:00", "id": "RHSA-2019:1839", "href": "https://access.redhat.com/errata/RHSA-2019:1839", "type": "redhat", "title": "(RHSA-2019:1839) Moderate: java-1.7.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:27", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", 
"CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:07", "published": "2019-07-22T15:45:35", "id": "RHSA-2019:1816", "href": "https://access.redhat.com/errata/RHSA-2019:1816", "type": "redhat", "title": "(RHSA-2019:1816) Moderate: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:44:56", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation 
during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-23T19:58:30", "published": "2019-07-23T19:38:33", "id": "RHSA-2019:1840", "href": "https://access.redhat.com/errata/RHSA-2019:1840", "type": "redhat", "title": "(RHSA-2019:1840) Moderate: java-1.7.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:46:08", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2818", "CVE-2019-2821"], "description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\n* OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818)\n\nFor more details about the 
security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:06", "published": "2019-07-22T15:45:14", "id": "RHSA-2019:1817", "href": "https://access.redhat.com/errata/RHSA-2019:1817", "type": "redhat", "title": "(RHSA-2019:1817) Moderate: java-11-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:44:43", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2818", "CVE-2019-2821"], "description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\n* OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:04", "published": "2019-07-22T15:45:20", "id": "RHSA-2019:1810", "href": "https://access.redhat.com/errata/RHSA-2019:1810", "type": "redhat", "title": "(RHSA-2019:1810) Moderate: java-11-openjdk 
security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-15T10:45:12", "bulletinFamily": "unix", "cvelist": ["CVE-2019-11775", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2816", "CVE-2019-7317"], "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP50.\n\nSecurity Fix(es):\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-08-15T12:59:13", "published": "2019-08-15T12:51:41", "id": "RHSA-2019:2495", "href": "https://access.redhat.com/errata/RHSA-2019:2495", "type": "redhat", "title": "(RHSA-2019:2495) Important: java-1.7.1-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2019-08-15T10:44:45", "bulletinFamily": "unix", "cvelist": ["CVE-2019-11775", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2816", "CVE-2019-7317"], "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP50.\n\nSecurity Fix(es):\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization 
(Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-08-15T13:00:01", "published": "2019-08-15T12:51:37", "id": "RHSA-2019:2494", "href": "https://access.redhat.com/errata/RHSA-2019:2494", "type": "redhat", "title": "(RHSA-2019:2494) Important: java-1.7.1-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}], "ubuntu": [{"lastseen": "2020-07-18T01:47:37", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "Keegan Ryan discovered that the ECC implementation in OpenJDK was not \nsufficiently resilient to side-channel attacks. An attacker could possibly \nuse this to expose sensitive information. (CVE-2019-2745)\n\nIt was discovered that OpenJDK did not sufficiently validate serial streams \nbefore deserializing suppressed exceptions in some situations. An attacker \ncould use this to specially craft an object that, when deserialized, would \ncause a denial of service. (CVE-2019-2762)\n\nIt was discovered that in some situations OpenJDK did not properly bound \nthe amount of memory allocated during object deserialization. An attacker \ncould use this to specially craft an object that, when deserialized, would \ncause a denial of service (excessive memory consumption). (CVE-2019-2769)\n\nIt was discovered that OpenJDK did not properly restrict privileges in \ncertain situations. 
An attacker could use this to specially construct an \nuntrusted Java application or applet that could escape sandbox \nrestrictions. (CVE-2019-2786)\n\nJonathan Birch discovered that the Networking component of OpenJDK did not \nproperly validate URLs in some situations. An attacker could use this to \nbypass restrictions on characters in URLs. (CVE-2019-2816)\n\nNati Nimni discovered that the Java Cryptography Extension component in \nOpenJDK did not properly perform array bounds checking in some situations. \nAn attacker could use this to cause a denial of service. (CVE-2019-2842)\n\nIt was discovered that OpenJDK incorrectly handled certain memory \noperations. If a user or automated system were tricked into opening a \nspecially crafted PNG file, a remote attacker could use this issue to \ncause OpenJDK to crash, resulting in a denial of service, or possibly \nexecute arbitrary code. (CVE-2019-7317)", "edition": 4, "modified": "2019-07-31T00:00:00", "published": "2019-07-31T00:00:00", "id": "USN-4080-1", "href": "https://ubuntu.com/security/notices/USN-4080-1", "title": "OpenJDK 8 vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "suse": [{"lastseen": "2019-08-15T16:32:17", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2766", "CVE-2019-2786"], "description": "This update for java-1_8_0-openjdk to version 8u222 fixes the following\n issues:\n\n Security issues fixed:\n\n - CVE-2019-2745: Improved ECC Implementation (bsc#1141784).\n - CVE-2019-2762: Exceptional throw cases (bsc#1141782).\n - CVE-2019-2766: Improve file protocol handling (bsc#1141789).\n - CVE-2019-2769: Better copies of CopiesList (bsc#1141783).\n - CVE-2019-2786: More limited privilege usage (bsc#1141787).\n - CVE-2019-2816: Normalize normalization (bsc#1141785).\n - CVE-2019-2842: Extended AES support (bsc#1141786).\n - CVE-2019-7317: 
Improve PNG support (bsc#1141780).\n - Certificate validation improvements\n\n Non-security issue fixed:\n\n - Fixed an issue where the installation failed when the manpages are not\n present (bsc#1115375)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-08-15T15:22:48", "published": "2019-08-15T15:22:48", "id": "OPENSUSE-SU-2019:1912-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html", "title": "Security update for java-1_8_0-openjdk (important)", "type": "suse", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-15T16:32:19", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2766", "CVE-2019-2786"], "description": "This update for java-11-openjdk to version jdk-11.0.4+11 fixes the\n following issues:\n\n Security issues fixed:\n\n - CVE-2019-2745: Improved ECC Implementation (bsc#1141784).\n - CVE-2019-2762: Exceptional throw cases (bsc#1141782).\n - CVE-2019-2766: Improve file protocol handling (bsc#1141789).\n - CVE-2019-2769: Better copies of CopiesList (bsc#1141783).\n - CVE-2019-2786: More limited privilege usage (bsc#1141787).\n - CVE-2019-7317: Improve PNG support options (bsc#1141780).\n - CVE-2019-2818: Better Poly1305 support (bsc#1141788).\n - CVE-2019-2816: Normalize normalization (bsc#1141785).\n - CVE-2019-2821: Improve TLS negotiation (bsc#1141781).\n - Certificate validation improvements\n\n Non-security issues fixed:\n\n - Do not fail installation when the manpages are not present (bsc#1115375)\n - Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if\n there is whitespace after the header or footer (bsc#1140461)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-08-15T15:15:56", "published": "2019-08-15T15:15:56", "id": 
"OPENSUSE-SU-2019:1916-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html", "title": "Security update for java-11-openjdk (important)", "type": "suse", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "kaspersky": [{"lastseen": "2020-09-02T11:43:49", "bulletinFamily": "info", "cvelist": ["CVE-2019-2842", "CVE-2019-2818", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2766", "CVE-2019-2786"], "description": "### *Detect date*:\n07/16/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nUnspecified vulnerability was found in Oracle Java. Malicious users can exploit this vulnerability to cause denial of service or to cause another unspecified impact.\n\n### *Affected products*:\nJava SE 7 version 7u221 and earlier \nJava SE 8 version 8u212 and earlier \nJava SE 11 version 11.0.3 and earlier \nJava SE 12 version 12.0.1 and earlier \nJava Embedded version 8u211 and earlier\n\n### *Solution*:\nUpdate to the latest version\n\n### *Original advisories*:\n[Oracle Critical Patch Update Advisory \u2013 July 2019](<https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA>) \n\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Oracle Java JRE 1.7.x](<https://threats.kaspersky.com/en/product/Oracle-Java-JRE-1.7.x/>)\n\n### *CVE-IDS*:\n[CVE-2019-7317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317>)0.0Unknown \n[CVE-2019-2821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2821>)0.0Unknown \n[CVE-2019-2762](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762>)0.0Unknown \n[CVE-2019-2769](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769>)0.0Unknown \n[CVE-2019-2745](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745>)0.0Unknown \n[CVE-2019-2816](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816>)0.0Unknown 
\n[CVE-2019-2842](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842>)0.0Unknown \n[CVE-2019-2786](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2786>)0.0Unknown \n[CVE-2019-2818](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2818>)0.0Unknown \n[CVE-2019-2766](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2766>)0.0Unknown", "edition": 1, "modified": "2020-05-22T00:00:00", "published": "2019-07-16T00:00:00", "id": "KLA11520", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11520", "title": "KLA11520 Multiple vulnerabilities in Oracle Java", "type": "kaspersky", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}]}