Huawei EulerOS: Security Advisory for java-1.7.0-openjdk (EulerOS-SA-2019-2263)
2020-01-23T00:00:00
ID OPENVAS:1361412562311220192263 Type openvas Reporter Copyright (C) 2020 Greenbone Networks GmbH Modified 2020-02-18T00:00:00
Description
The remote host is missing an update for the Huawei EulerOS 'java-1.7.0-openjdk' package(s) announced via the EulerOS-SA-2019-2263 advisory.
# Copyright (C) 2020 Greenbone Networks GmbH
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) the respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
if (description) {
  # When `description` is set, this branch only declares the check's metadata;
  # the exit(0) at its end returns before any package comparison runs.

  # --- Identity and bookkeeping ---
  script_oid("1.3.6.1.4.1.25623.1.1.2.2019.2263");
  script_name("Huawei EulerOS: Security Advisory for java-1.7.0-openjdk (EulerOS-SA-2019-2263)");
  script_version("2020-02-18T10:52:53+0000");
  script_family("Huawei EulerOS Local Security Checks");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2020 Greenbone Networks GmbH");
  script_tag(name:"creation_date", value:"2020-01-23 12:43:15 +0000 (Thu, 23 Jan 2020)");
  script_tag(name:"last_modification", value:"2020-02-18 10:52:53 +0000 (Tue, 18 Feb 2020)");

  # --- Severity ---
  # The vector uses CVSS v2 notation (AV/AC/Au), so 5.8 is a v2 base score;
  # keep that in mind when comparing it with CVSS v3 figures during triage.
  script_cve_id("CVE-2019-2816");
  script_tag(name:"cvss_base", value:"5.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:N");

  # --- Preconditions ---
  # Depends on gb_huawei_euleros_consolidation.nasl and requires the KB keys
  # below, including a release key matching EULEROS-2.0SP3.
  # NOTE(review): presumably these keys come from an authenticated SSH login
  # that collected the RPM list -- confirm against the dependency script.
  script_dependencies("gb_huawei_euleros_consolidation.nasl");
  script_mandatory_keys("ssh/login/euleros", "ssh/login/rpms", re:"ssh/login/release=EULEROS-2\.0SP3");

  # --- References ---
  script_xref(name:"EulerOS-SA", value:"2019-2263");
  script_xref(name:"URL", value:"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2263");

  # --- Report texts ---
  # The summary literal spans two source lines; its embedded line break is
  # part of the string and is kept as-is.
  script_tag(name:"summary", value:"The remote host is missing an update for the Huawei EulerOS
'java-1.7.0-openjdk' package(s) announced via the EulerOS-SA-2019-2263 advisory.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
  script_tag(name:"insight", value:"Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1, Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2816)");
  script_tag(name:"affected", value:"'java-1.7.0-openjdk' package(s) on Huawei EulerOS V2.0SP3.");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"solution_type", value:"VendorFix");

  # qod_type "package": the verdict is based on the installed package version,
  # not on probing the running Java runtime.
  script_tag(name:"qod_type", value:"package");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Release identifier of the scanned host, obtained through a helper from the
# included libraries. With no release value there is nothing to compare, so
# the script ends without a result.
release = rpm_get_ssh_release();
if (!release)
  exit(0);

res = "";
report = "";

# The advisory covers EulerOS V2.0SP3 only; any other release is out of scope.
if (release != "EULEROS-2.0SP3")
  exit(0);

# One isrpmvuln() call per package, each against the reference build
# 1.7.0.191~2.6.15.4.h7. Every non-NULL result is appended to the report.
# NOTE(review): presumably a non-NULL result means the installed package is
# older than the reference -- confirm in pkg-lib-rpm.inc.
res = isrpmvuln(pkg:"java-1.7.0-openjdk", rpm:"java-1.7.0-openjdk~1.7.0.191~2.6.15.4.h7", rls:"EULEROS-2.0SP3");
if (!isnull(res))
  report += res;

res = isrpmvuln(pkg:"java-1.7.0-openjdk-devel", rpm:"java-1.7.0-openjdk-devel~1.7.0.191~2.6.15.4.h7", rls:"EULEROS-2.0SP3");
if (!isnull(res))
  report += res;

res = isrpmvuln(pkg:"java-1.7.0-openjdk-headless", rpm:"java-1.7.0-openjdk-headless~1.7.0.191~2.6.15.4.h7", rls:"EULEROS-2.0SP3");
if (!isnull(res))
  report += res;

# At least one package was flagged: raise the finding with the collected text.
# This is a package-version verdict only; it says nothing about whether a JVM
# started before the update is still running the old code, so Java services
# may need a restart after patching.
if (report != "") {
  security_message(data:report);
  exit(0);
}

# Nothing was flagged. exit(99) is taken only when __pkg_match is set.
# NOTE(review): __pkg_match is presumably set by isrpmvuln() when a queried
# package was found installed, and 99 is presumably the scanner's
# "checked, not vulnerable" exit code -- confirm both.
if (__pkg_match)
  exit(99);

exit(0);
{"id": "OPENVAS:1361412562311220192263", "type": "openvas", "bulletinFamily": "scanner", "title": "Huawei EulerOS: Security Advisory for java-1.7.0-openjdk (EulerOS-SA-2019-2263)", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "published": "2020-01-23T00:00:00", "modified": "2020-02-18T00:00:00", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192263", "reporter": "Copyright (C) 2020 Greenbone Networks GmbH", "references": ["2019-2263", "https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2263"], "cvelist": ["CVE-2019-2816"], "lastseen": "2020-02-20T18:44:00", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-2263", "CVE-2019-2816"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220192460", "OPENVAS:1361412562311220192105", "OPENVAS:1361412562310815180", "OPENVAS:1361412562310815177", "OPENVAS:1361412562310891886", "OPENVAS:1361412562310704485", "OPENVAS:1361412562311220192245", "OPENVAS:1361412562310883085", "OPENVAS:1361412562310883089", "OPENVAS:1361412562311220192374"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2019-1815.NASL", "EULEROS_SA-2019-2105.NASL", "EULEROS_SA-2019-2263.NASL", "EULEROS_SA-2019-2374.NASL", "EULEROS_SA-2019-2245.NASL", "REDHAT-RHSA-2019-2494.NASL", "PHOTONOS_PHSA-2019-1_0-0250_OPENJDK.NASL", "REDHAT-RHSA-2019-2495.NASL", "EULEROS_SA-2019-2460.NASL", "PHOTONOS_PHSA-2019-2_0-0173_OPENJDK8.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4486-1:B09C5", "DEBIAN:DSA-4485-1:63763", "DEBIAN:DLA-1886-1:800E7"]}, {"type": "redhat", "idList": ["RHSA-2019:2590", "RHSA-2019:1811", "RHSA-2019:1815", "RHSA-2019:2592", "RHSA-2019:1839", "RHSA-2019:1816", "RHSA-2019:1840", "RHSA-2019:2737", "RHSA-2019:2494", "RHSA-2019:2495"]}, {"type": "centos", "idList": ["CESA-2019:1810", "CESA-2019:1840", "CESA-2019:1815", "CESA-2019:1839", 
"CESA-2019:1811"]}, {"type": "amazon", "idList": ["ALAS-2019-1269", "ALAS2-2019-1268", "ALAS-2019-1268"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1840", "ELSA-2019-1815", "ELSA-2019-1816", "ELSA-2019-1839", "ELSA-2019-1811", "ELSA-2019-1817", "ELSA-2019-1810"]}, {"type": "ubuntu", "idList": ["USN-4083-1", "USN-4080-1"]}], "modified": "2020-02-20T18:44:00", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2020-02-20T18:44:00", "rev": 2}, "vulnersScore": 6.7}, "pluginID": "1361412562311220192263", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2263\");\n script_version(\"2020-02-18T10:52:53+0000\");\n script_cve_id(\"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 10:52:53 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:43:15 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for java-1.7.0-openjdk (EulerOS-SA-2019-2263)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2263\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2263\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'java-1.7.0-openjdk' package(s) announced via the EulerOS-SA-2019-2263 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1, Java SE Embedded: 8u211. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2816)\");\n\n script_tag(name:\"affected\", value:\"'java-1.7.0-openjdk' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.191~2.6.15.4.h7\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.191~2.6.15.4.h7\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-headless\", rpm:\"java-1.7.0-openjdk-headless~1.7.0.191~2.6.15.4.h7\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", 
"naslFamily": "Huawei EulerOS Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T07:13:00", "description": "Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", "edition": 13, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2019-07-23T23:15:00", "title": "CVE-2019-2816", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2816"], "modified": "2020-09-08T13:00:00", "cpe": ["cpe:/a:oracle:jdk:12.0.1", "cpe:/a:oracle:jre:11.0.3", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:12.0.1", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jdk:1.8.0", "cpe:/a:oracle:jdk:11.0.3"], "id": "CVE-2019-2816", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2816", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.8.0:update211:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update_221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_212:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_211:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:jdk:1.7.0:update221:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update212:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-07T09:00:45", "description": "According to the version of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerability :\n\n - The java-1.8.0-openjdk packages provide the OpenJDK 8\n Java Runtime Environment and the OpenJDK 8 Java\n Software Development Kit.Security Fix(es):Vulnerability\n in the Java SE, Java SE Embedded component of Oracle\n Java SE (subcomponent: Networking). Supported versions\n that are affected are Java SE: 7u221, 8u212, 11.0.3 and\n 12.0.1 Java SE Embedded: 8u211. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data.\n Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets (in Java SE 8),\n that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a\n web service which supplies data to the\n APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 8, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-12-10T00:00:00", "title": "EulerOS 2.0 SP2 : java-1.8.0-openjdk (EulerOS-SA-2019-2374)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2816"], "modified": "2019-12-10T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:java-1.8.0-openjdk", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2374.NASL", "href": "https://www.tenable.com/plugins/nessus/131866", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131866);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-2816\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : java-1.8.0-openjdk (EulerOS-SA-2019-2374)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerability :\n\n - The java-1.8.0-openjdk packages provide the OpenJDK 8\n Java Runtime Environment and the OpenJDK 8 Java\n Software Development Kit.Security Fix(es):Vulnerability\n in the Java SE, Java SE Embedded component of Oracle\n Java SE (subcomponent: Networking). Supported versions\n that are affected are Java SE: 7u221, 8u212, 11.0.3 and\n 12.0.1 Java SE Embedded: 8u211. 
Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data.\n Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets (in Java SE 8),\n that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a\n web service which supplies data to the\n APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2374\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?95d1d4f2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.8.0-openjdk package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif 
(\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"java-1.8.0-openjdk-1.8.0.191.b12-0.h5\",\n \"java-1.8.0-openjdk-devel-1.8.0.191.b12-0.h5\",\n \"java-1.8.0-openjdk-headless-1.8.0.191.b12-0.h5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T09:00:05", "description": "According to the version of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerability :\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Networking).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. 
Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g., through a web service\n which supplies data to the APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 11, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-11-08T00:00:00", "title": "EulerOS 2.0 SP3 : java-1.8.0-openjdk (EulerOS-SA-2019-2245)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2816"], "modified": "2019-11-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:java-1.8.0-openjdk", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2245.NASL", "href": "https://www.tenable.com/plugins/nessus/130707", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130707);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-2816\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : java-1.8.0-openjdk (EulerOS-SA-2019-2245)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"According to the version of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerability :\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Networking).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g., through a web service\n which supplies data to the APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2245\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?88fc5aac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.8.0-openjdk package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"java-1.8.0-openjdk-1.8.0.191.b12-0.h3\",\n \"java-1.8.0-openjdk-devel-1.8.0.191.b12-0.h3\",\n \"java-1.8.0-openjdk-headless-1.8.0.191.b12-0.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": 
"2021-01-07T09:00:06", "description": "According to the version of the java-1.7.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerability :\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Networking).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g., through a web service\n which supplies data to the APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 11, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-11-08T00:00:00", "title": "EulerOS 2.0 SP3 : java-1.7.0-openjdk (EulerOS-SA-2019-2263)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2816"], "modified": "2019-11-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-devel", "p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-headless", "p-cpe:/a:huawei:euleros:java-1.7.0-openjdk", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2263.NASL", "href": "https://www.tenable.com/plugins/nessus/130725", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130725);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-2816\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : java-1.7.0-openjdk (EulerOS-SA-2019-2263)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the java-1.7.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerability :\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Networking).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. 
Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g., through a web service\n which supplies data to the APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2263\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ee39d96d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.7.0-openjdk package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"java-1.7.0-openjdk-1.7.0.191-2.6.15.4.h7\",\n 
\"java-1.7.0-openjdk-devel-1.7.0.191-2.6.15.4.h7\",\n \"java-1.7.0-openjdk-headless-1.7.0.191-2.6.15.4.h7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T08:59:43", "description": "According to the version of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerability :\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Networking).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. 
Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g., through a web service\n which supplies data to the APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 9, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-11-12T00:00:00", "title": "EulerOS 2.0 SP8 : java-1.8.0-openjdk (EulerOS-SA-2019-2105)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2816"], "modified": "2019-11-12T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:java-1.8.0-openjdk", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2105.NASL", "href": "https://www.tenable.com/plugins/nessus/130814", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130814);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-2816\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : java-1.8.0-openjdk (EulerOS-SA-2019-2105)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"According to the version of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerability :\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Networking).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g., through a web service\n which supplies data to the APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2105\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0033191e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.8.0-openjdk package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"java-1.8.0-openjdk-1.8.0.181.b15-5.h8.eulerosv2r8\",\n \"java-1.8.0-openjdk-devel-1.8.0.181.b15-5.h8.eulerosv2r8\",\n \"java-1.8.0-openjdk-headless-1.8.0.181.b15-5.h8.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": 
"2021-01-07T09:01:08", "description": "According to the versions of the java-1.7.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The java-1.7.0-openjdk packages provide the OpenJDK 7\n Java Runtime Environment and the OpenJDK 7 Java\n Software Development Kit. Security Fix(es): Vulnerability\n in the Java SE, Java SE Embedded, JRockit component of\n Oracle Java SE (subcomponent: JSSE). Supported versions\n that are affected are Java SE: 6u201, 7u191, 8u182 and\n 11 Java SE Embedded: 8u181 JRockit: R28.3.19. Difficult\n to exploit vulnerability allows unauthenticated\n attacker with network access via SSL/TLS to compromise\n Java SE, Java SE Embedded, JRockit. Successful attacks\n of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE,\n Java SE Embedded, JRockit accessible data as well as\n unauthorized read access to a subset of Java SE, Java\n SE Embedded, JRockit accessible data and unauthorized\n ability to cause a partial denial of service (partial\n DOS) of Java SE, Java SE Embedded, JRockit. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g. code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g. through a web service\n which supplies data to the\n APIs. (CVE-2018-3180) Vulnerability in the Java SE, Java\n SE Embedded, JRockit component of Oracle Java SE\n (subcomponent: Sound). Supported versions that are\n affected are Java SE: 6u201, 7u191 and 8u182 Java SE\n Embedded: 8u181 JRockit: R28.3.19. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded, JRockit. 
Successful attacks\n of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial\n DOS) of Java SE, Java SE Embedded, JRockit. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g. through a web service\n which supplies data to the\n APIs. (CVE-2018-3214) Vulnerability in the Java SE, Java\n SE Embedded component of Oracle Java SE (subcomponent:\n Networking). Supported versions that are affected are\n Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE\n Embedded: 8u211. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g., through a web service\n which supplies data to the APIs. (CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 7, "cvss3": {"score": 5.6, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2019-12-04T00:00:00", "title": "EulerOS 2.0 SP2 : java-1.7.0-openjdk (EulerOS-SA-2019-2460)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3180", "CVE-2019-2816", "CVE-2018-3214"], "modified": "2019-12-04T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-devel", "p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-headless", "p-cpe:/a:huawei:euleros:java-1.7.0-openjdk", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2460.NASL", "href": "https://www.tenable.com/plugins/nessus/131614", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131614);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2018-3180\",\n \"CVE-2018-3214\",\n \"CVE-2019-2816\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : java-1.7.0-openjdk (EulerOS-SA-2019-2460)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the java-1.7.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The java-1.7.0-openjdk packages provide the OpenJDK 7\n Java Runtime Environment and the OpenJDK 7 Java\n Software Development Kit.Security Fix(es):Vulnerability\n in the Java SE, Java SE Embedded, JRockit component of\n Oracle Java SE (subcomponent: JSSE). 
Supported versions\n that are affected are Java SE: 6u201, 7u191, 8u182 and\n 11 Java SE Embedded: 8u181 JRockit: R28.3.19. Difficult\n to exploit vulnerability allows unauthenticated\n attacker with network access via SSL/TLS to compromise\n Java SE, Java SE Embedded, JRockit. Successful attacks\n of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE,\n Java SE Embedded, JRockit accessible data as well as\n unauthorized read access to a subset of Java SE, Java\n SE Embedded, JRockit accessible data and unauthorized\n ability to cause a partial denial of service (partial\n DOS) of Java SE, Java SE Embedded, JRockit. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g. code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g. through a web service\n which supplies data to the\n APIs.(CVE-2018-3180)Vulnerability in the Java SE, Java\n SE Embedded, JRockit component of Oracle Java SE\n (subcomponent: Sound). Supported versions that are\n affected are Java SE: 6u201, 7u191 and 8u182 Java SE\n Embedded: 8u181 JRockit: R28.3.19. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded, JRockit. Successful attacks\n of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial\n DOS) of Java SE, Java SE Embedded, JRockit. 
Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g. through a web service\n which supplies data to the\n APIs.(CVE-2018-3214)Vulnerability in the Java SE, Java\n SE Embedded component of Oracle Java SE (subcomponent:\n Networking). Supported versions that are affected are\n Java SE: 7u221, 8u212, 11.0.3 and 12.0.1 Java SE\n Embedded: 8u211. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications\n or sandboxed Java applets (in Java SE 8), that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability can also be exploited by using APIs\n in the specified Component, e.g., through a web service\n which supplies data to the APIs.(CVE-2019-2816)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2460\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e3c67a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.7.0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"java-1.7.0-openjdk-1.7.0.191-2.6.15.4.h6\",\n \"java-1.7.0-openjdk-devel-1.7.0.191-2.6.15.4.h6\",\n \"java-1.7.0-openjdk-headless-1.7.0.191-2.6.15.4.h6\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-02-01T01:09:34", "description": "An update of the openjdk package has been released.", "edition": 18, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-09-12T00:00:00", "title": "Photon OS 1.0: Openjdk PHSA-2019-1.0-0250", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2019-1_0-0250_OPENJDK.NASL", "href": "https://www.tenable.com/plugins/nessus/128710", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-1.0-0250. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128710);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/12/30\");\n\n script_cve_id(\n \"CVE-2019-2745\",\n \"CVE-2019-2762\",\n \"CVE-2019-2769\",\n \"CVE-2019-2816\",\n \"CVE-2019-2821\"\n );\n\n script_name(english:\"Photon OS 1.0: Openjdk PHSA-2019-1.0-0250\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openjdk package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-250.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.222-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-debuginfo-1.8.0.222-1.ph1\")) 
flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.222-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.222-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-src-1.8.0.222-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-01T01:09:55", "description": "An update of the openjdk8 package has been released.", "edition": 18, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-09-12T00:00:00", "title": "Photon OS 2.0: Openjdk8 PHSA-2019-2.0-0173", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk8", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2019-2_0-0173_OPENJDK8.NASL", "href": "https://www.tenable.com/plugins/nessus/128736", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-2.0-0173. 
The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128736);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/30\");\n\n script_cve_id(\n \"CVE-2019-2745\",\n \"CVE-2019-2762\",\n \"CVE-2019-2769\",\n \"CVE-2019-2816\",\n \"CVE-2019-2821\"\n );\n\n script_name(english:\"Photon OS 2.0: Openjdk8 PHSA-2019-2.0-0173\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openjdk8 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-173.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openjdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 
and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.222-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.222-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.222-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.222-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-src-1.8.0.222-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk8\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-01T05:47:25", "description": "An update for java-1.7.1-ibm is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of 
Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP50.\n\nSecurity Fix(es) :\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by\nversioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 18, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-08-20T00:00:00", "title": "RHEL 6 : java-1.7.1-ibm (RHSA-2019:2494)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2769", "CVE-2019-11775"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src"], "id": "REDHAT-RHSA-2019-2494.NASL", "href": "https://www.tenable.com/plugins/nessus/127987", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and 
package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:2494. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127987);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/01/02\");\n\n script_cve_id(\"CVE-2019-11775\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2816\", \"CVE-2019-7317\");\n script_xref(name:\"RHSA\", value:\"2019:2494\");\n\n script_name(english:\"RHEL 6 : java-1.7.1-ibm (RHSA-2019:2494)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.7.1-ibm is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP50.\n\nSecurity Fix(es) :\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by\nversioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related 
information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:2494\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2769\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-7317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-11775\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:2494\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", 
cpu:\"i686\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.1-ibm-src-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-src-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-src-1.7.1.4.50-1jpp.1.el6_10\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-01T05:47:25", "description": "An update for java-1.7.1-ibm is now available for Red Hat Enterprise\nLinux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP50.\n\nSecurity Fix(es) :\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by\nversioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 18, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-08-20T00:00:00", "title": "RHEL 7 : java-1.7.1-ibm (RHSA-2019:2495)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2769", "CVE-2019-11775"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src"], "id": "REDHAT-RHSA-2019-2495.NASL", "href": "https://www.tenable.com/plugins/nessus/127988", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package 
checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:2495. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127988);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/01/02\");\n\n script_cve_id(\"CVE-2019-11775\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2816\", \"CVE-2019-7317\");\n script_xref(name:\"RHSA\", value:\"2019:2495\");\n\n script_name(english:\"RHEL 7 : java-1.7.1-ibm (RHSA-2019:2495)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.7.1-ibm is now available for Red Hat Enterprise\nLinux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP50.\n\nSecurity Fix(es) :\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by\nversioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in\ndeserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer 
to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:2495\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2769\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-2816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-7317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-11775\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.1-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:2495\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-demo-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-devel-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-jdbc-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-plugin-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", 
reference:\"java-1.7.1-ibm-src-1.7.1.4.50-1jpp.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.7.1-ibm-src-1.7.1.4.50-1jpp.1.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.1-ibm / java-1.7.1-ibm-demo / java-1.7.1-ibm-devel / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-17T12:04:44", "description": "The remote NewStart CGSL host, running version MAIN 4.06, has java-1.8.0-openjdk packages installed that are affected by\nmultiple vulnerabilities:\n\n - Vulnerability in the Java SE component of Oracle Java SE\n (subcomponent: JCE). The supported version that is\n affected is Java SE: 8u212. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java\n SE. Successful attacks of this vulnerability can result\n in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 3.7\n (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2019-2842)\n\n - Vulnerability in the Java SE component of Oracle Java SE\n (subcomponent: Security). Supported versions that are\n affected are Java SE: 7u221, 8u212 and 11.0.3. 
Difficult\n to exploit vulnerability allows unauthenticated attacker\n with logon to the infrastructure where Java SE executes\n to compromise Java SE. Successful attacks of this\n vulnerability can result in unauthorized access to\n critical data or complete access to all Java SE\n accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed\n Java Web Start applications or sandboxed Java applets\n (in Java SE 8), that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be\n exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the\n APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts).\n CVSS Vector:\n (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).\n (CVE-2019-2745)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Utilities). Supported\n versions that are affected are Java SE: 7u221, 8u212,\n 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily\n exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks\n of this vulnerability can result in unauthorized ability\n to cause a partial denial of service (partial DOS) of\n Java SE, Java SE Embedded. Note: This vulnerability\n applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 5.3\n (Availability impacts). 
CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2019-2762, CVE-2019-2769)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Networking). Supported\n versions that are affected are Java SE: 7u221, 8u212,\n 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data.\n Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets (in Java SE 8),\n that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a\n web service which supplies data to the APIs. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts).\n CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\n (CVE-2019-2816)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Security). Supported\n versions that are affected are Java SE: 8u212, 11.0.3\n and 12.0.1; Java SE Embedded: 8u211. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks require\n human interaction from a person other than the attacker\n and while the vulnerability is in Java SE, Java SE\n Embedded, attacks may significantly impact additional\n products. 
Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 3.4\n (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).\n (CVE-2019-2786)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 17, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2019-09-11T00:00:00", "title": "NewStart CGSL MAIN 4.06 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0178)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "modified": "2019-09-11T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0178_JAVA-1.8.0-OPENJDK.NASL", "href": "https://www.tenable.com/plugins/nessus/128697", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0178. 
The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128697);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\n \"CVE-2019-2745\",\n \"CVE-2019-2762\",\n \"CVE-2019-2769\",\n \"CVE-2019-2786\",\n \"CVE-2019-2816\",\n \"CVE-2019-2842\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 4.06 : java-1.8.0-openjdk Multiple Vulnerabilities (NS-SA-2019-0178)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.06, has java-1.8.0-openjdk packages installed that are affected by\nmultiple vulnerabilities:\n\n - Vulnerability in the Java SE component of Oracle Java SE\n (subcomponent: JCE). The supported version that is\n affected is Java SE: 8u212. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java\n SE. Successful attacks of this vulnerability can result\n in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 3.7\n (Availability impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2019-2842)\n\n - Vulnerability in the Java SE component of Oracle Java SE\n (subcomponent: Security). 
Supported versions that are\n affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult\n to exploit vulnerability allows unauthenticated attacker\n with logon to the infrastructure where Java SE executes\n to compromise Java SE. Successful attacks of this\n vulnerability can result in unauthorized access to\n critical data or complete access to all Java SE\n accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed\n Java Web Start applications or sandboxed Java applets\n (in Java SE 8), that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be\n exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the\n APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts).\n CVSS Vector:\n (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).\n (CVE-2019-2745)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Utilities). Supported\n versions that are affected are Java SE: 7u221, 8u212,\n 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily\n exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks\n of this vulnerability can result in unauthorized ability\n to cause a partial denial of service (partial DOS) of\n Java SE, Java SE Embedded. Note: This vulnerability\n applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 5.3\n (Availability impacts). 
CVSS Vector:\n (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2019-2762, CVE-2019-2769)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Networking). Supported\n versions that are affected are Java SE: 7u221, 8u212,\n 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data.\n Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets (in Java SE 8),\n that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a\n web service which supplies data to the APIs. CVSS 3.0\n Base Score 4.8 (Confidentiality and Integrity impacts).\n CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).\n (CVE-2019-2816)\n\n - Vulnerability in the Java SE, Java SE Embedded component\n of Oracle Java SE (subcomponent: Security). Supported\n versions that are affected are Java SE: 8u212, 11.0.3\n and 12.0.1; Java SE Embedded: 8u211. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks require\n human interaction from a person other than the attacker\n and while the vulnerability is in Java SE, Java SE\n Embedded, attacks may significantly impact additional\n products. 
Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data. Note: This\n vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or\n sandboxed Java applets (in Java SE 8), that load and run\n untrusted code (e.g., code that comes from the internet)\n and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the\n specified Component, e.g., through a web service which\n supplies data to the APIs. CVSS 3.0 Base Score 3.4\n (Confidentiality impacts). CVSS Vector:\n (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).\n (CVE-2019-2786)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0178\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL java-1.8.0-openjdk packages. Note that updated packages may not be available yet. 
Please\ncontact ZTE for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2816\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.06\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.06');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.06\": [\n \"java-1.8.0-openjdk-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-debug-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-demo-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-demo-debug-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-devel-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-devel-debug-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-headless-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-headless-debug-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-javadoc-debug-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-src-1.8.0.222.b10-0.el6_10\",\n \"java-1.8.0-openjdk-src-debug-1.8.0.222.b10-0.el6_10\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n 
exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "openvas": [{"lastseen": "2020-02-26T16:44:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2816"], "description": "The remote host is missing an update for the Huawei EulerOS\n 'java-1.8.0-openjdk' package(s) announced via the EulerOS-SA-2019-2374 advisory.", "modified": "2020-02-18T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192374", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192374", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for java-1.8.0-openjdk (EulerOS-SA-2019-2374)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2374\");\n script_version(\"2020-02-18T10:52:53+0000\");\n script_cve_id(\"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 10:52:53 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:51:51 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for java-1.8.0-openjdk (EulerOS-SA-2019-2374)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2374\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2374\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'java-1.8.0-openjdk' package(s) announced via the EulerOS-SA-2019-2374 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1, Java SE Embedded: 8u211. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2816)\");\n\n script_tag(name:\"affected\", value:\"'java-1.8.0-openjdk' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.191.b12~0.h5\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.191.b12~0.h5\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.191.b12~0.h5\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": 
{"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-02-20T18:49:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2816"], "description": "The remote host is missing an update for the Huawei EulerOS\n 'java-1.8.0-openjdk' package(s) announced via the EulerOS-SA-2019-2245 advisory.", "modified": "2020-02-18T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192245", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192245", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for java-1.8.0-openjdk (EulerOS-SA-2019-2245)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2245\");\n script_version(\"2020-02-18T10:52:53+0000\");\n script_cve_id(\"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 10:52:53 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:42:44 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for java-1.8.0-openjdk (EulerOS-SA-2019-2245)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2245\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2245\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'java-1.8.0-openjdk' package(s) announced via the EulerOS-SA-2019-2245 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1, Java SE Embedded: 8u211. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2816)\");\n\n script_tag(name:\"affected\", value:\"'java-1.8.0-openjdk' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.191.b12~0.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.191.b12~0.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.191.b12~0.h3\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": 
{"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-02-20T18:47:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2816"], "description": "The remote host is missing an update for the Huawei EulerOS\n 'java-1.8.0-openjdk' package(s) announced via the EulerOS-SA-2019-2105 advisory.", "modified": "2020-02-18T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192105", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192105", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for java-1.8.0-openjdk (EulerOS-SA-2019-2105)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2105\");\n script_version(\"2020-02-18T10:52:53+0000\");\n script_cve_id(\"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 10:52:53 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:34:37 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for java-1.8.0-openjdk (EulerOS-SA-2019-2105)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2105\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2105\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'java-1.8.0-openjdk' package(s) announced via the EulerOS-SA-2019-2105 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1, Java SE Embedded: 8u211. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.(CVE-2019-2816)\");\n\n script_tag(name:\"affected\", value:\"'java-1.8.0-openjdk' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.181.b15~5.h8.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.181.b15~5.h8.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.181.b15~5.h8.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n 
exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-02-26T16:51:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3180", "CVE-2019-2816", "CVE-2018-3214"], "description": "The remote host is missing an update for the Huawei EulerOS\n 'java-1.7.0-openjdk' package(s) announced via the EulerOS-SA-2019-2460 advisory.", "modified": "2020-02-18T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192460", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192460", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for java-1.7.0-openjdk (EulerOS-SA-2019-2460)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2460\");\n script_version(\"2020-02-18T10:52:53+0000\");\n script_cve_id(\"CVE-2018-3180\", \"CVE-2018-3214\", \"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 10:52:53 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:59:24 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for java-1.7.0-openjdk (EulerOS-SA-2019-2460)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2460\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2460\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'java-1.7.0-openjdk' package(s) announced via the EulerOS-SA-2019-2460 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11, Java SE Embedded: 8u181, JRockit: R28.3.19. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs.(CVE-2018-3180)\n\nVulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182, Java SE Embedded: 8u181, JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. 
through a web service which supplies data to the APIs.(CVE-2018-3214)\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1, Java S ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'java-1.7.0-openjdk' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.191~2.6.15.4.h6\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.191~2.6.15.4.h6\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-headless\", rpm:\"java-1.7.0-openjdk-headless~1.7.0.191~2.6.15.4.h6\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:26:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769"], "description": "The remote host is missing an update for the ", "modified": "2020-01-29T00:00:00", "published": "2019-08-16T00:00:00", "id": "OPENVAS:1361412562310891886", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891886", "type": "openvas", "title": "Debian LTS: 
Security Advisory for openjdk-7 (DLA-1886-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891886\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-16 02:00:12 +0000 (Fri, 16 Aug 2019)\");\n script_name(\"Debian LTS: Security Advisory for openjdk-7 (DLA-1886-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", 
value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1886-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openjdk-7'\n package(s) announced via the DLA-1886-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in denial of\nservice, sandbox bypass, information disclosure or the execution\nof arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"'openjdk-7' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n7u231-2.6.19-1~deb8u1.\n\nWe recommend that you upgrade your openjdk-7 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-dbg\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-demo\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-doc\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jdk\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jre\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"openjdk-7-jre-headless\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jre-lib\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-jre-zero\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openjdk-7-source\", ver:\"7u231-2.6.19-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-15T16:23:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2769", "CVE-2019-2766"], "description": "The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.", "modified": "2020-05-12T00:00:00", "published": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310815177", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815177", "type": "openvas", "title": "Oracle Java SE Security Updates (jul2019-5072835) 03 - Windows", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815177\");\n script_version(\"2020-05-12T13:57:17+0000\");\n script_cve_id(\"CVE-2019-2769\", \"CVE-2019-2762\", \"CVE-2019-2766\", \"CVE-2019-7317\",\n \"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-12 13:57:17 +0000 (Tue, 12 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-07-17 13:09:55 +0530 (Wed, 17 Jul 2019)\");\n script_name(\"Oracle Java SE Security Updates (jul2019-5072835) 03 - Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to errors in\n 'AWT (libpng)', 'Utilities' and 'Networking' components.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to have an impact on confidentiality, integrity and availability.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE version 7u221(1.7.0.221) and\n earlier, 8u212(1.8.0.212) and earlier, 11.0.2 and earlier, 12.0.1 and earlier\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate patch from the vendor. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Sun/Java/JDK_or_JRE/Win/installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:oracle:jre\", \"cpe:/a:sun:jre\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"1.7.0\", test_version2:\"1.7.0.221\")||\n version_in_range(version:vers, test_version:\"1.8.0\", test_version2:\"1.8.0.212\")||\n version_in_range(version:vers, test_version:\"11.0\", test_version2:\"11.0.3\")||\n version_in_range(version:vers, test_version:\"12.0\", test_version2:\"12.0.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version: \"Apply the patch\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-15T16:23:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2769", "CVE-2019-2766"], "description": "The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.", "modified": "2020-05-12T00:00:00", "published": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310815180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815180", "type": "openvas", "title": "Oracle Java SE Security Updates (jul2019-5072835) 03 - Linux", "sourceData": "# 
Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815180\");\n script_version(\"2020-05-12T13:57:17+0000\");\n script_cve_id(\"CVE-2019-2769\", \"CVE-2019-2762\", \"CVE-2019-2766\", \"CVE-2019-7317\",\n \"CVE-2019-2816\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-12 13:57:17 +0000 (Tue, 12 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-07-17 13:09:55 +0530 (Wed, 17 Jul 2019)\");\n script_name(\"Oracle Java SE Security Updates (jul2019-5072835) 03 - Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to errors in\n 'AWT (libpng)', 'Utilities' and 'Networking' components.\");\n\n script_tag(name:\"impact\", 
value:\"Successful exploitation will allow a remote\n attacker to have an impact on confidentiality, integrity and availability.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE version 7u221(1.7.0.221) and\n earlier, 8u212(1.8.0.212) and earlier, 11.0.2 and earlier, 12.0.1 and earlier\n on Linux.\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate patch from the vendor. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Oracle/Java/JDK_or_JRE/Linux/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:oracle:jre\", \"cpe:/a:sun:jre\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"1.7.0\", test_version2:\"1.7.0.221\")||\n version_in_range(version:vers, test_version:\"1.8.0\", test_version2:\"1.8.0.212\")||\n version_in_range(version:vers, test_version:\"11.0\", test_version2:\"11.0.3\")||\n version_in_range(version:vers, test_version:\"12.0\", test_version2:\"12.0.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version: \"Apply the patch\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:51:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", 
"CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the ", "modified": "2019-08-01T00:00:00", "published": "2019-07-25T00:00:00", "id": "OPENVAS:1361412562310883086", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883086", "type": "openvas", "title": "CentOS Update for java CESA-2019:1815 centos7 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883086\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-25 02:01:00 +0000 (Thu, 25 Jul 2019)\");\n script_name(\"CentOS Update for java CESA-2019:1815 centos7 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2019:1815\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-July/023373.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2019:1815 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography\n(Security, 8208698) (CVE-2019-2745)\n\n * OpenJDK: Insufficient checks of 
suppressed exceptions in deserialization\n(Utilities, 8212328) (CVE-2019-2762)\n\n * OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n * OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)\n(CVE-2019-2842)\n\n * OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-accessibility\", rpm:\"java-1.8.0-openjdk-accessibility~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-accessibility-debug\", rpm:\"java-1.8.0-openjdk-accessibility-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-debug\", rpm:\"java-1.8.0-openjdk-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo\", rpm:\"java-1.8.0-openjdk-demo~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report 
+= res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo-debug\", rpm:\"java-1.8.0-openjdk-demo-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel-debug\", rpm:\"java-1.8.0-openjdk-devel-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless-debug\", rpm:\"java-1.8.0-openjdk-headless-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc\", rpm:\"java-1.8.0-openjdk-javadoc~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-debug\", rpm:\"java-1.8.0-openjdk-javadoc-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-zip\", rpm:\"java-1.8.0-openjdk-javadoc-zip~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-zip-debug\", rpm:\"java-1.8.0-openjdk-javadoc-zip-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src\", rpm:\"java-1.8.0-openjdk-src~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src-debug\", rpm:\"java-1.8.0-openjdk-src-debug~1.8.0.222.b10~0.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n 
exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:51:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the ", "modified": "2019-08-01T00:00:00", "published": "2019-07-25T00:00:00", "id": "OPENVAS:1361412562310883085", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883085", "type": "openvas", "title": "CentOS Update for java CESA-2019:1811 centos6 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883085\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-25 02:00:55 +0000 (Thu, 25 Jul 2019)\");\n script_name(\"CentOS Update for java CESA-2019:1811 centos6 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n\n script_xref(name:\"CESA\", value:\"2019:1811\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-July/023369.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2019:1811 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography\n(Security, 8208698) (CVE-2019-2745)\n\n * OpenJDK: Insufficient checks of 
suppressed exceptions in deserialization\n(Utilities, 8212328) (CVE-2019-2762)\n\n * OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n * OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)\n(CVE-2019-2842)\n\n * OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 6.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS6\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk\", rpm:\"java-1.8.0-openjdk~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-debug\", rpm:\"java-1.8.0-openjdk-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo\", rpm:\"java-1.8.0-openjdk-demo~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-demo-debug\", rpm:\"java-1.8.0-openjdk-demo-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel\", rpm:\"java-1.8.0-openjdk-devel~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-devel-debug\", rpm:\"java-1.8.0-openjdk-devel-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless\", rpm:\"java-1.8.0-openjdk-headless~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-headless-debug\", rpm:\"java-1.8.0-openjdk-headless-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc\", rpm:\"java-1.8.0-openjdk-javadoc~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-javadoc-debug\", rpm:\"java-1.8.0-openjdk-javadoc-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src\", rpm:\"java-1.8.0-openjdk-src~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.8.0-openjdk-src-debug\", rpm:\"java-1.8.0-openjdk-src-debug~1.8.0.222.b10~0.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T13:51:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "The remote host is missing an update for the ", "modified": "2019-08-01T00:00:00", "published": "2019-07-25T00:00:00", "id": "OPENVAS:1361412562310883089", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883089", "type": "openvas", "title": "CentOS Update for java CESA-2019:1840 centos6 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely 
excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883089\");\n script_version(\"2019-08-01T07:22:04+0000\");\n script_cve_id(\"CVE-2019-2745\", \"CVE-2019-2762\", \"CVE-2019-2769\", \"CVE-2019-2786\", \"CVE-2019-2816\", \"CVE-2019-2842\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-01 07:22:04 +0000 (Thu, 01 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-25 02:01:20 +0000 (Thu, 25 Jul 2019)\");\n script_name(\"CentOS Update for java CESA-2019:1840 centos6 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n\n script_xref(name:\"CESA\", value:\"2019:1840\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-July/023370.html\");\n\n script_tag(name:\"summary\", 
value:\"The remote host is missing an update for the 'java'\n package(s) announced via the CESA-2019:1840 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n * OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography\n(Security, 8208698) (CVE-2019-2745)\n\n * OpenJDK: Insufficient checks of suppressed exceptions in deserialization\n(Utilities, 8212328) (CVE-2019-2762)\n\n * OpenJDK: Unbounded memory allocation during deserialization in\nCollections (Utilities, 8213432) (CVE-2019-2769)\n\n * OpenJDK: Missing URL format validation (Networking, 8221518)\n(CVE-2019-2816)\n\n * OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)\n(CVE-2019-2842)\n\n * OpenJDK: Insufficient restriction of privileges in AccessController\n(Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'java' package(s) on CentOS 6.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS6\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", 
rpm:\"java-1.7.0-openjdk-demo~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.231~2.6.19.1.el6_10\", rls:\"CentOS6\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:03:41", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769"], "description": "Package : openjdk-7\nVersion : 7u231-2.6.19-1~deb8u1\nCVE ID : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in denial of\nservice, sandbox bypass, information disclosure or the execution\nof arbitrary code.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n7u231-2.6.19-1~deb8u1.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 9, "modified": "2019-08-15T21:57:55", "published": "2019-08-15T21:57:55", "id": "DEBIAN:DLA-1886-1:800E7", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201908/msg00020.html", "title": "[SECURITY] [DLA 1886-1] openjdk-7 security update", "type": "debian", "cvss": {"score": 5.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-08-12T01:00:53", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4485-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 21, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-8\nCVE ID : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2786\n CVE-2019-2816 CVE-2019-2842\n\nSeveral vulnerabilities have been discovered in the OpenJDK Java runtime,\nresulting in information disclosure, denial of service or bypass of\nsandbox restrictions. In addition the implementation of elliptic curve\ncryptography was modernised.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 8u222-b10-1~deb9u1.\n\nWe recommend that you upgrade your openjdk-8 packages.\n\nFor the detailed security status of openjdk-8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openjdk-8\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2019-07-21T18:02:07", "published": "2019-07-21T18:02:07", "id": "DEBIAN:DSA-4485-1:63763", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00133.html", "title": "[SECURITY] [DSA 4485-1] openjdk-8 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-08-12T00:55:50", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", 
"CVE-2019-2769", "CVE-2019-2786"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4486-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 21, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-11\nCVE ID : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2786\n CVE-2019-2816 CVE-2019-2818 CVE-2019-2821\n\nSeveral vulnerabilities have been discovered in the OpenJDK Java runtime,\nresulting in information disclosure, denial of service or bypass of\nsandbox restrictions. In addition the implementation of elliptic curve\ncryptography was modernised.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 11.0.4+11-1~deb10u1.\n\nWe recommend that you upgrade your openjdk-11 packages.\n\nFor the detailed security status of openjdk-11 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openjdk-11\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 9, "modified": "2019-07-21T18:05:20", "published": "2019-07-21T18:05:20", "id": "DEBIAN:DSA-4486-1:B09C5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00134.html", "title": "[SECURITY] [DSA 4486-1] openjdk-11 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "redhat": [{"lastseen": "2019-08-15T10:45:12", "bulletinFamily": "unix", "cvelist": ["CVE-2019-11775", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2816", "CVE-2019-7317"], "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update 
upgrades IBM Java SE 7 to version 7R1 SR4-FP50.\n\nSecurity Fix(es):\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-08-15T12:59:13", "published": "2019-08-15T12:51:41", "id": "RHSA-2019:2495", "href": "https://access.redhat.com/errata/RHSA-2019:2495", "type": "redhat", "title": "(RHSA-2019:2495) Important: java-1.7.1-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2019-08-15T10:44:45", "bulletinFamily": "unix", "cvelist": ["CVE-2019-11775", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2816", "CVE-2019-7317"], "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 7 to version 7R1 SR4-FP50.\n\nSecurity Fix(es):\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a CVSS score, 
acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-08-15T13:00:01", "published": "2019-08-15T12:51:37", "id": "RHSA-2019:2494", "href": "https://access.redhat.com/errata/RHSA-2019:2494", "type": "redhat", "title": "(RHSA-2019:2494) Important: java-1.7.1-ibm security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2019-08-13T18:45:27", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:07", "published": "2019-07-22T15:45:35", "id": "RHSA-2019:1816", "href": "https://access.redhat.com/errata/RHSA-2019:1816", "type": "redhat", "title": "(RHSA-2019:1816) Moderate: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:43", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", 
"CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:03", "published": "2019-07-22T15:45:26", "id": "RHSA-2019:1811", "href": "https://access.redhat.com/errata/RHSA-2019:1811", "type": "redhat", "title": "(RHSA-2019:1811) Moderate: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:44:56", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization 
in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-23T19:58:30", "published": "2019-07-23T19:38:33", "id": "RHSA-2019:1840", "href": "https://access.redhat.com/errata/RHSA-2019:1840", "type": "redhat", "title": "(RHSA-2019:1840) Moderate: java-1.7.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:06", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References 
section.", "modified": "2019-07-23T21:31:44", "published": "2019-07-23T19:36:00", "id": "RHSA-2019:1839", "href": "https://access.redhat.com/errata/RHSA-2019:1839", "type": "redhat", "title": "(RHSA-2019:1839) Moderate: java-1.7.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:46:58", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2842"], "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:05", "published": "2019-07-22T15:45:30", "id": "RHSA-2019:1815", "href": "https://access.redhat.com/errata/RHSA-2019:1815", "type": "redhat", "title": "(RHSA-2019:1815) Moderate: java-1.8.0-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:44:43", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2745", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-2818", "CVE-2019-2821"], 
"description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\n* OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T16:09:04", "published": "2019-07-22T15:45:20", "id": "RHSA-2019:1810", "href": "https://access.redhat.com/errata/RHSA-2019:1810", "type": "redhat", "title": "(RHSA-2019:1810) Moderate: java-11-openjdk security update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-09-02T08:48:15", "bulletinFamily": "unix", "cvelist": ["CVE-2019-11772", "CVE-2019-11775", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-7317"], "description": "IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR5-FP40.\n\nSecurity Fix(es):\n\n* IBM JDK: Out-of-bounds access in the String.getBytes method (CVE-2019-11772)\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775)\n\n* 
OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\n* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-09-02T11:14:27", "published": "2019-09-02T11:04:32", "id": "RHSA-2019:2585", "href": "https://access.redhat.com/errata/RHSA-2019:2585", "type": "redhat", "title": "(RHSA-2019:2585) Important: java-1.8.0-ibm security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-02T08:46:38", "bulletinFamily": "unix", "cvelist": ["CVE-2019-11772", "CVE-2019-11775", "CVE-2019-2762", "CVE-2019-2769", "CVE-2019-2786", "CVE-2019-2816", "CVE-2019-7317"], "description": "IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR5-FP40.\n\nSecurity Fix(es):\n\n* IBM JDK: Out-of-bounds access in the String.getBytes method (CVE-2019-11772)\n\n* IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\n* 
libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-09-02T11:41:23", "published": "2019-09-02T11:32:56", "id": "RHSA-2019:2590", "href": "https://access.redhat.com/errata/RHSA-2019:2590", "type": "redhat", "title": "(RHSA-2019:2590) Important: java-1.8.0-ibm security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-08-01T11:46:20", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.7.0.231-2.6.19.1.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.231-2.6.19.1]\n- Add missing hyphen in tapset filename.\n- Resolves: rhbz#1724452\n[1:1.7.0.231-2.6.19.0]\n- Update tapset filename matching pattern.\n- Resolves: rhbz#1724452\n[1:1.7.0.231-2.6.19.0]\n- Bump to 2.6.19 (including tapsets) and OpenJDK 7u231-b01.\n- Fix fsg.sh to fail if patching fails.\n- Resolves: rhbz#1724452", "edition": 5, "modified": "2019-07-24T00:00:00", "published": "2019-07-24T00:00:00", "id": "ELSA-2019-1839", "href": "http://linux.oracle.com/errata/ELSA-2019-1839.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T11:44:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.7.0.231-2.6.19.1.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.231-2.6.19.1]\n- Add missing hyphen in tapset filename.\n- Resolves: rhbz#1724452\n[1:1.7.0.231-2.6.19.0]\n- Update tapset name in patch.\n- Resolves: rhbz#1724452\n[1:1.7.0.231-2.6.19.0]\n- Bump to 2.6.19 (including tapsets) and OpenJDK 
7u231-b01.\n- Fix fsg.sh to fail if patching fails.\n- Resolves: rhbz#1724452", "edition": 3, "modified": "2019-07-24T00:00:00", "published": "2019-07-24T00:00:00", "id": "ELSA-2019-1840", "href": "http://linux.oracle.com/errata/ELSA-2019-1840.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T11:46:07", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.8.0.222.b10-0]\n- Update to aarch64-shenandoah-jdk8u222-b10.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b09-0]\n- Update to aarch64-shenandoah-jdk8u222-b09.\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b08-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b08.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b07 and Shenandoah merge 2019-06-13.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b06.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b05.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b04-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b04.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Restore docs make target so docs are built again.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Remove zip-docs make target as RHEL 6.10 RPM does not have that patch.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Provide Javadoc debug subpackage for now, but populate it from the normal build.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Don't produce javadoc sub package for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.0.ea]\n- Include 'ea' designator in Release when appropriate.\n- Use 
--with-native-debug-symbols=internal which JDK-8036003 adds.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0]\n- Update to aarch64-shenandoah-jdk8u222-b03.\n- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b02-0]\n- Update to aarch64-shenandoah-jdk8u222-b02.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-0]\n- Update to aarch64-shenandoah-jdk8u222-b01.\n- Drop 8171000, 8197546 & PR3634 as applied upstream.\n- Adjust 8214206 fix for S390 as BinaryMagnitudeSeq moved to shenandoahNumberSeq.cpp\n- Resolves: rhbz#1724452", "edition": 3, "modified": "2019-07-22T00:00:00", "published": "2019-07-22T00:00:00", "id": "ELSA-2019-1811", "href": "http://linux.oracle.com/errata/ELSA-2019-1811.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T11:46:26", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.8.0.222.b10-0]\n- Update to aarch64-shenandoah-jdk8u222-b10.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b09-0]\n- Update to aarch64-shenandoah-jdk8u222-b09.\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b08-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b08.\n- Adjust PR3083/RH134640 to apply after JDK-8182999\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b07 and Shenandoah merge 2019-06-13.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b06.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b05.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b04-0.1.ea]\n- Update to aarch64-shenandoah-jdk8u222-b04.\n- Drop remaining JDK-8210425/RH1632174 patch now AArch64 part is upstream.\n- Resolves: 
rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Use normal_suffix for Javadoc zip filename to copy, as there is no debug version.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Provide Javadoc debug subpackages for now, but populate them from the normal build.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.0.ea]\n- Include 'ea' designator in Release when appropriate.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0]\n- Update to aarch64-shenandoah-jdk8u222-b03.\n- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.\n- Drop 8210425 patches applied upstream. Still need to add AArch64 version in aarch64/shenandoah-jdk8u.\n- Re-generate JDK-8141570 & JDK-8143245 patches due to 8210425 zeroshark.make changes.\n- Drop unused use_shenandoah_hotspot variable.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b02-0]\n- Update to aarch64-shenandoah-jdk8u222-b02.\n- Drop 8064786/PR3599 & 8210416/RH1632174 as applied upstream (8064786 silently in 8176100).\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-0]\n- Update to aarch64-shenandoah-jdk8u222-b01.\n- Refactor PR2888 after inclusion of 8129988 upstream. 
Now includes PR3575.\n- Drop 8171000, 8197546 & PR3634 as applied upstream.\n- Adjust 8214206 fix for S390 as BinaryMagnitudeSeq moved to shenandoahNumberSeq.cpp\n- Resolves: rhbz#1724452", "edition": 4, "modified": "2019-07-23T00:00:00", "published": "2019-07-23T00:00:00", "id": "ELSA-2019-1815", "href": "http://linux.oracle.com/errata/ELSA-2019-1815.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-19T21:15:05", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:1.8.0.222.b10-0]\n- Update to aarch64-shenandoah-jdk8u222-b10.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b09-0]\n- Update to aarch64-shenandoah-jdk8u222-b09.\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b08-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b08.\n- Adjust PR3083/RH134640 to apply after JDK-8182999\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b07-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b07 and Shenandoah merge 2019-06-13.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b06-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b06.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b05-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b05.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b04-0.0.ea]\n- Update new format sources file.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b04-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b04.\n- Drop remaining JDK-8210425/RH1632174 patch now AArch64 part is upstream.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b03-0.1.ea]\n- Update to aarch64-shenandoah-jdk8u222-b03.\n- Drop 8210425 patches applied upstream. 
Still need to add AArch64 version in aarch64/shenandoah-jdk8u.\n- Re-generate JDK-8141570 & JDK-8143245 patches due to 8210425 zeroshark.make changes.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b02-0.0.ea]\n- Update to aarch64-shenandoah-jdk8u222-b02.\n- Drop 8064786/PR3599 & 8210416/RH1632174 as applied upstream (8064786 silently in 8176100).\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-1]\n- Switch to EA mode\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-1]\n- Allow Recommends and Suggests on Fedora platforms too.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-0]\n- Make use of Recommends and Suggests dependent on RHEL 8+ environment.\n- Resolves: rhbz#1724452\n[1:1.8.0.222.b01-0]\n- Update to aarch64-shenandoah-jdk8u222-b01.\n- Refactor PR2888 after inclusion of 8129988 upstream. Now includes PR3575.\n- Drop 8171000 & 8197546 as applied upstream.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Fix value of built_doc_archive for javadoc debug package.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Provide Javadoc debug subpackages for now, but populate them from the normal build.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Include 'ea' designator in Release when appropriate.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.\n- Drop unused use_shenandoah_hotspot variable.\n- Resolves: rhbz#1724452\n[1:1.8.0.212.b04-2]\n- Update to aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30.\n- Update version logic to handle -shenandoah* tag suffix.\n- Drop PR3634 as applied upstream.\n- Adjust 8214206 fix for S390 as BinaryMagnitudeSeq moved to shenandoahNumberSeq.cpp\n- Update 8214206 to use log2_long rather than casting to intptr_t, which may be smaller than size_t.\n- 
Resolves: rhbz#1724452", "edition": 1, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-1816", "href": "http://linux.oracle.com/errata/ELSA-2019-1816.html", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-19T21:14:09", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:11.0.4.11-0]\n- Update to shenandoah-jdk-11.0.4+11 (GA)\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:11.0.4.10-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+10 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.9-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+9 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.8-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+8 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.7-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+7 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.1.ea]\n- Debug packages should be called 'slowdebug' on RHEL 8\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.0.ea]\n- Provide Javadoc debug subpackages for now, but populate them from the normal build.\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+6 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.5-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+5 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.4-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+4 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.3-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+3 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+2 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.0.ea]\n- Package jspawnhelper (see JDK-8220360).\n- Resolves: rhbz#1724452\n[1:11.0.3.7-4]\n- Include 'ea' designator in Release when appropriate.\n- Resolves: rhbz#1724452\n[1:11.0.3.7-4]\n- Handle milestone as variables so we can alter it easily and set the docs zip filename 
appropriately.\n- Resolves: rhbz#1724452\n[1:11.0.3.7-3]\n- Don't build the test images needlessly.\n- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452", "edition": 1, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-1817", "href": "http://linux.oracle.com/errata/ELSA-2019-1817.html", "title": "java-11-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-01T11:47:31", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "[1:11.0.4.11-0.0.1]\n- link atomic for ix86 build\n[1:11.0.4.11-0]\n- Update to shenandoah-jdk-11.0.4+11 (GA)\n- Switch to GA mode for final release.\n- Resolves: rhbz#1724452\n[1:11.0.4.10-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+10 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.9-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+9 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.8-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+8 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.7-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+7 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.0.ea]\n- Provide Javadoc debug subpackages for now, but populate them from the normal build.\n- Resolves: rhbz#1724452\n[1:11.0.4.6-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+6 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.5-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+5 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.4-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+4 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.3-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+3 (EA)\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.0.ea]\n- Use RHEL 7 format for jspawnhelper addition.\n- Resolves: rhbz#1724452\n[1:11.0.4.2-0.0.ea]\n- Update to shenandoah-jdk-11.0.4+2 (EA)\n- Resolves: 
rhbz#1724452\n[1:11.0.4.2-0.1.ea]\n- Package jspawnhelper (see JDK-8220360).\n- Resolves: rhbz#1724452\n[1:11.0.3.7-2]\n- Include 'ea' designator in Release when appropriate.\n- Resolves: rhbz#1724452\n[1:11.0.3.7-2]\n- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.\n- Resolves: rhbz#1724452\n[1:11.0.3.7-1]\n- Don't build the test images needlessly.\n- Don't produce javadoc/javadoc-zip sub packages for the debug variant build.\n- Don't perform a bootcycle build for the debug variant build.\n- Resolves: rhbz#1724452", "edition": 4, "modified": "2019-07-23T00:00:00", "published": "2019-07-23T00:00:00", "id": "ELSA-2019-1810", "href": "http://linux.oracle.com/errata/ELSA-2019-1810.html", "title": "java-11-openjdk security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "centos": [{"lastseen": "2020-12-08T03:39:57", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1840\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS 
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035408.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:19:55", "published": "2019-07-24T20:19:55", "id": "CESA-2019:1840", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035408.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T03:38:04", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1815\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from 
advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035411.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-accessibility\njava-1.8.0-openjdk-accessibility-debug\njava-1.8.0-openjdk-debug\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-demo-debug\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-devel-debug\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-headless-debug\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-debug\njava-1.8.0-openjdk-javadoc-zip\njava-1.8.0-openjdk-javadoc-zip-debug\njava-1.8.0-openjdk-src\njava-1.8.0-openjdk-src-debug\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:29:31", "published": "2019-07-24T20:29:31", "id": "CESA-2019:1815", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035411.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T03:37:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1811\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\nFor more details about the 
security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035407.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-debug\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-demo-debug\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-devel-debug\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-headless-debug\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-debug\njava-1.8.0-openjdk-src\njava-1.8.0-openjdk-src-debug\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:18:47", "published": "2019-07-24T20:18:47", "id": "CESA-2019:1811", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035407.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T03:39:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1839\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511) (CVE-2019-2842)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 
8216381) (CVE-2019-2786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035410.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:27:45", "published": "2019-07-24T20:27:45", "id": "CESA-2019:1839", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035410.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T03:40:21", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "**CentOS Errata and Security Advisory** CESA-2019:1810\n\n\nThe java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)\n\n* OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)\n\n* OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)\n\n* OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)\n\n* OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821)\n\n* OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)\n\n* OpenJDK: Non-constant time 
comparison in ChaCha20Cipher (Security, 8221344) (CVE-2019-2818)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-July/035409.html\n\n**Affected packages:**\njava-11-openjdk\njava-11-openjdk-debug\njava-11-openjdk-demo\njava-11-openjdk-demo-debug\njava-11-openjdk-devel\njava-11-openjdk-devel-debug\njava-11-openjdk-headless\njava-11-openjdk-headless-debug\njava-11-openjdk-javadoc\njava-11-openjdk-javadoc-debug\njava-11-openjdk-javadoc-zip\njava-11-openjdk-javadoc-zip-debug\njava-11-openjdk-jmods\njava-11-openjdk-jmods-debug\njava-11-openjdk-src\njava-11-openjdk-src-debug\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-07-24T20:25:31", "published": "2019-07-24T20:25:31", "id": "CESA-2019:1810", "href": "http://lists.centos.org/pipermail/centos-announce/2019-July/035409.html", "title": "java security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "amazon": [{"lastseen": "2020-11-10T12:35:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2769 __](<https://access.redhat.com/security/cve/CVE-2019-2769>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).([CVE-2019-2816 __](<https://access.redhat.com/security/cve/CVE-2019-2816>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). 
Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).([CVE-2019-2745 __](<https://access.redhat.com/security/cve/CVE-2019-2745>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2842 __](<https://access.redhat.com/security/cve/CVE-2019-2842>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).([CVE-2019-2786 __](<https://access.redhat.com/security/cve/CVE-2019-2786>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2762 __](<https://access.redhat.com/security/cve/CVE-2019-2762>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.80.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2019-08-23T16:53:00", "published": "2019-08-23T16:53:00", "id": "ALAS-2019-1268", "href": "https://alas.aws.amazon.com/ALAS-2019-1268.html", "title": "Medium: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-10T12:36:20", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", 
"CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2769 __](<https://access.redhat.com/security/cve/CVE-2019-2769>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).([CVE-2019-2816 __](<https://access.redhat.com/security/cve/CVE-2019-2816>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).([CVE-2019-2745 __](<https://access.redhat.com/security/cve/CVE-2019-2745>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2842 __](<https://access.redhat.com/security/cve/CVE-2019-2842>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).([CVE-2019-2786 __](<https://access.redhat.com/security/cve/CVE-2019-2786>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).([CVE-2019-2762 __](<https://access.redhat.com/security/cve/CVE-2019-2762>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686 \n java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch \n java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2019-08-23T16:55:00", "published": "2019-08-23T16:55:00", "id": "ALAS-2019-1269", "href": "https://alas.aws.amazon.com/ALAS-2019-1269.html", "title": "Medium: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-10T12:34:57", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-27690", "CVE-2019-2769", "CVE-2019-2786"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2019-2762 __](<https://access.redhat.com/security/cve/CVE-2019-2762>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2019-2842 __](<https://access.redhat.com/security/cve/CVE-2019-2842>))\n\nVulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. 
Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). ([CVE-2019-2745 __](<https://access.redhat.com/security/cve/CVE-2019-2745>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 
([CVE-2019-2769 __](<https://access.redhat.com/security/cve/CVE-2019-2769>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). ([CVE-2019-2816 __](<https://access.redhat.com/security/cve/CVE-2019-2816>))\n\nVulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N). ([CVE-2019-2786 __](<https://access.redhat.com/security/cve/CVE-2019-2786>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-headless-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-accessibility-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.amzn2.0.1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.amzn2.0.1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.amzn2.0.1.src \n \n x86_64: \n java-1.7.0-openjdk-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-headless-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-accessibility-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.amzn2.0.1.x86_64 \n \n 
\n", "edition": 1, "modified": "2019-08-23T03:14:00", "published": "2019-08-23T03:14:00", "id": "ALAS2-2019-1268", "href": "https://alas.aws.amazon.com/AL2/ALAS-2019-1268.html", "title": "Medium: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "ubuntu": [{"lastseen": "2020-07-18T01:47:37", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2842", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2745", "CVE-2019-2769", "CVE-2019-2786"], "description": "Keegan Ryan discovered that the ECC implementation in OpenJDK was not \nsufficiently resilient to side-channel attacks. An attacker could possibly \nuse this to expose sensitive information. (CVE-2019-2745)\n\nIt was discovered that OpenJDK did not sufficiently validate serial streams \nbefore deserializing suppressed exceptions in some situations. An attacker \ncould use this to specially craft an object that, when deserialized, would \ncause a denial of service. (CVE-2019-2762)\n\nIt was discovered that in some situations OpenJDK did not properly bound \nthe amount of memory allocated during object deserialization. An attacker \ncould use this to specially craft an object that, when deserialized, would \ncause a denial of service (excessive memory consumption). (CVE-2019-2769)\n\nIt was discovered that OpenJDK did not properly restrict privileges in \ncertain situations. An attacker could use this to specially construct an \nuntrusted Java application or applet that could escape sandbox \nrestrictions. (CVE-2019-2786)\n\nJonathan Birch discovered that the Networking component of OpenJDK did not \nproperly validate URLs in some situations. An attacker could use this to \nbypass restrictions on characters in URLs. (CVE-2019-2816)\n\nNati Nimni discovered that the Java Cryptography Extension component in \nOpenJDK did not properly perform array bounds checking in some situations. \nAn attacker could use this to cause a denial of service. 
(CVE-2019-2842)\n\nIt was discovered that OpenJDK incorrectly handled certain memory \noperations. If a user or automated system were tricked into opening a \nspecially crafted PNG file, a remote attacker could use this issue to \ncause OpenJDK to crash, resulting in a denial of service, or possibly \nexecute arbitrary code. (CVE-2019-7317)", "edition": 4, "modified": "2019-07-31T00:00:00", "published": "2019-07-31T00:00:00", "id": "USN-4080-1", "href": "https://ubuntu.com/security/notices/USN-4080-1", "title": "OpenJDK 8 vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-07-02T11:41:28", "bulletinFamily": "unix", "cvelist": ["CVE-2019-2818", "CVE-2019-2762", "CVE-2019-7317", "CVE-2019-2816", "CVE-2019-2821", "CVE-2019-2769", "CVE-2019-2786"], "description": "It was discovered that OpenJDK did not sufficiently validate serial streams \nbefore deserializing suppressed exceptions in some situations. An attacker \ncould use this to specially craft an object that, when deserialized, would \ncause a denial of service. (CVE-2019-2762)\n\nIt was discovered that in some situations OpenJDK did not properly bound \nthe amount of memory allocated during object deserialization. An attacker \ncould use this to specially craft an object that, when deserialized, would \ncause a denial of service (excessive memory consumption). (CVE-2019-2769)\n\nIt was discovered that OpenJDK did not properly restrict privileges in \ncertain situations. An attacker could use this to specially construct an \nuntrusted Java application or applet that could escape sandbox \nrestrictions. (CVE-2019-2786)\n\nJonathan Birch discovered that the Networking component of OpenJDK did not \nproperly validate URLs in some situations. An attacker could use this to \nbypass restrictions on characters in URLs. 
(CVE-2019-2816)\n\nIt was discovered that the ChaCha20Cipher implementation in OpenJDK did not \nuse constant time computations in some situations. An attacker could use \nthis to expose sensitive information. (CVE-2019-2818)\n\nIt was discovered that the Java Secure Socket Extension (JSSE) component in \nOpenJDK did not properly handle OCSP stapling messages during TLS handshake \nin some situations. An attacker could use this to expose sensitive \ninformation. (CVE-2019-2821)\n\nIt was discovered that OpenJDK incorrectly handled certain memory \noperations. If a user or automated system were tricked into opening a \nspecially crafted PNG file, a remote attacker could use this issue to \ncause OpenJDK to crash, resulting in a denial of service, or possibly \nexecute arbitrary code. (CVE-2019-7317)", "edition": 3, "modified": "2019-07-31T00:00:00", "published": "2019-07-31T00:00:00", "id": "USN-4083-1", "href": "https://ubuntu.com/security/notices/USN-4083-1", "title": "OpenJDK 11 vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}]}