ID RHSA-2015:2508 Type redhat Reporter RedHat Modified 2017-09-08T11:58:37
Description
IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.
This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805,
CVE-2015-4806, CVE-2015-4835, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844,
CVE-2015-4860, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893,
CVE-2015-4902, CVE-2015-4903, CVE-2015-5006)
Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the
CVE-2015-4806 issue.
All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 6 SR16-FP15 release. All running
instances of IBM Java must be restarted for the update to take effect.
{"result": {"cve": [{"id": "CVE-2015-4734", "type": "cve", "title": "CVE-2015-4734", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.", "published": "2015-10-21T17:59:05", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4734", "cvelist": ["CVE-2015-4734"], "lastseen": "2017-04-18T15:57:18"}, {"id": "CVE-2015-4803", "type": "cve", "title": "CVE-2015-4803", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911.", "published": "2015-10-21T17:59:20", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4803", "cvelist": ["CVE-2015-4803"], "lastseen": "2017-04-18T15:57:19"}, {"id": "CVE-2015-4805", "type": "cve", "title": "CVE-2015-4805", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.", "published": "2015-10-21T17:59:22", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4805", "cvelist": ["CVE-2015-4805"], "lastseen": "2017-04-18T15:57:19"}, {"id": "CVE-2015-4806", "type": "cve", "title": "CVE-2015-4806", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.", "published": "2015-10-21T17:59:23", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4806", "cvelist": ["CVE-2015-4806"], "lastseen": "2017-04-18T15:57:19"}, {"id": "CVE-2015-4835", "type": "cve", "title": "CVE-2015-4835", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881.", "published": "2015-10-21T19:59:02", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4835", "cvelist": ["CVE-2015-4835"], "lastseen": "2017-04-18T15:57:20"}, {"id": "CVE-2015-4842", "type": "cve", "title": "CVE-2015-4842", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JAXP.", "published": "2015-10-21T19:59:10", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4842", "cvelist": ["CVE-2015-4842"], "lastseen": "2017-04-18T15:57:21"}, {"id": "CVE-2015-4843", "type": "cve", "title": "CVE-2015-4843", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.", "published": "2015-10-21T19:59:11", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4843", "cvelist": ["CVE-2015-4843"], "lastseen": "2017-04-18T15:57:21"}, {"id": "CVE-2015-4844", "type": "cve", "title": "CVE-2015-4844", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.", "published": "2015-10-21T19:59:12", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4844", "cvelist": ["CVE-2015-4844"], "lastseen": "2017-04-18T15:57:21"}, {"id": "CVE-2015-4860", "type": "cve", "title": "CVE-2015-4860", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883.", "published": "2015-10-21T19:59:25", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4860", "cvelist": ["CVE-2015-4860"], "lastseen": "2017-04-18T15:57:21"}, {"id": "CVE-2015-4872", "type": "cve", "title": "CVE-2015-4872", "description": "Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect integrity via unknown vectors related to Security.", "published": "2015-10-21T19:59:36", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4872", "cvelist": ["CVE-2015-4872"], "lastseen": "2017-04-18T15:57:21"}], "suse": [{"id": "OPENSUSE-SU-2015:1906-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "description": "java-1_7_0-openjdk was updated to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "published": "2015-11-04T17:12:29", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00010.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T11:50:21"}, {"id": "SUSE-SU-2015:1874-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "published": "2015-11-02T16:34:56", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00000.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T11:49:41"}, {"id": "OPENSUSE-SU-2015:1971-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "published": "2015-11-12T14:18:13", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00019.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T12:22:46"}, {"id": "SUSE-SU-2015:1875-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "published": "2015-11-02T16:35:18", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00001.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T11:49:41"}, {"id": "SUSE-SU-2015:1874-2", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "published": "2015-11-02T17:11:26", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00003.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T12:21:58"}, {"id": "OPENSUSE-SU-2015:1902-1", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "description": "java-1_7_0-openjdk was updated to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "published": "2015-11-04T16:14:26", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00008.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T12:36:29"}, {"id": "SUSE-SU-2015:2268-1", "type": "suse", "title": "Security update for java-1_8_0-ibm (important)", "description": "This update for java-1_8_0-ibm fixes the following issues:\n\n - Version update to 8.0-2.0 (bsc#955131): CVE-2015-4734 CVE-2015-4803\n CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840\n CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871\n CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902\n CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n\n - Add backcompat symlinks for sdkdir.\n - Provide %{name} instead of %{sdklnk} only in _jvmprivdir. (bsc#941939)\n\n", "published": "2015-12-14T17:10:33", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00014.html", "cvelist": ["CVE-2015-5006", "CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T11:59:17"}, {"id": "SUSE-SU-2015:1875-2", "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\n These security issues were fixed:\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Libraries (bsc#951376).\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JAXP (bsc#951376).\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and\n 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via unknown vectors related to 2D (bsc#951376).\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect integrity via unknown vectors related to Security\n (bsc#951376).\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4883 (bsc#951376).\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to 2D (bsc#951376).\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to RMI,\n a different vulnerability than CVE-2015-4860 (bsc#951376).\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4803 and CVE-2015-4893\n (bsc#951376).\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n availability via vectors related to CORBA (bsc#951376).\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to JGSS (bsc#951376).\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality and integrity via unknown vectors related to Libraries\n (bsc#951376).\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via unknown vectors related\n to Serialization (bsc#951376).\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote\n attackers to affect availability via vectors related to JAXP, a\n different vulnerability than CVE-2015-4893 and CVE-2015-4911\n (bsc#951376).\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality, integrity, and availability via vectors related to\n CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85,\n and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect\n confidentiality via vectors related to RMI (bsc#951376).\n\n", "published": "2015-11-02T17:11:48", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00004.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T12:19:41"}, {"id": "OPENSUSE-SU-2015:1905-1", "type": "suse", "title": "Security update for java-1_8_0-openjdk (important)", "description": "java-1_8_0-openjdk was updated to fix 24 security issues.\n\n These security issues were fixed:\n - CVE-2015-4734: A remote user can exploit a flaw in the Embedded JGSS\n component to partially access data\n - CVE-2015-4803: A remote user can exploit a flaw in the JRockit JAXP\n component to cause partial denial of service conditions\n - CVE-2015-4805: A remote user can exploit a flaw in the Embedded\n Serialization component to gain elevated privileges\n - CVE-2015-4806: A remote user can exploit a flaw in the Java SE Embedded\n Libraries component to partially access and partially modify data\n - CVE-2015-4835: A remote user can exploit a flaw in the Embedded CORBA\n component to gain elevated privileges\n - CVE-2015-4842: A remote user can exploit a flaw in the Embedded JAXP\n component to partially access data\n - CVE-2015-4843: A remote user can exploit a flaw in the Java SE Embedded\n Libraries component to gain elevated privileges\n - CVE-2015-4844: A remote user can exploit a flaw in the Embedded 2D\n component to gain elevated privileges\n - CVE-2015-4860: A remote user can exploit a flaw in the Embedded RMI\n component to gain elevated privileges\n - CVE-2015-4872: A remote user can exploit a flaw in the JRockit Security\n component to partially modify data [].\n - CVE-2015-4881: A remote user can exploit a flaw in the Embedded CORBA\n component to gain elevated privileges\n - CVE-2015-4882: A remote user can exploit a flaw in the Embedded CORBA\n component to cause partial denial of service conditions\n - CVE-2015-4883: A remote user can exploit a flaw in the Embedded RMI\n component to gain elevated privileges\n - CVE-2015-4893: A remote user can exploit a flaw in the JRockit JAXP\n component to cause partial denial of service conditions\n - CVE-2015-4902: A remote user can exploit a flaw in the Java SE\n Deployment component to partially modify data\n - CVE-2015-4903: A remote user can exploit a flaw in the Embedded RMI\n component to partially access data\n - CVE-2015-4911: A remote user can exploit a flaw in the JRockit JAXP\n component to cause partial denial of service conditions\n - CVE-2015-4810: A local user can exploit a flaw in the Java SE Deployment\n component to gain elevated privileges\n - CVE-2015-4840: A remote user can exploit a flaw in the Embedded 2D\n component to partially access data\n - CVE-2015-4868: A remote user can exploit a flaw in the Java SE Embedded\n Libraries component to gain elevated privileges\n - CVE-2015-4901: A remote user can exploit a flaw in the JavaFX component\n to gain elevated privileges\n - CVE-2015-4906: A remote user can exploit a flaw in the JavaFX component\n to partially access data\n - CVE-2015-4908: A remote user can exploit a flaw in the JavaFX component\n to partially access data\n - CVE-2015-4916: A remote user can exploit a flaw in the JavaFX component\n to partially access data\n\n", "published": "2015-11-04T17:12:12", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00009.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-4916"], "lastseen": "2016-09-04T12:29:26"}, {"id": "SUSE-SU-2015:2182-1", "type": "suse", "title": "Security update for java-1_7_1-ibm (important)", "description": "The java-1_7_1-ibm package was updated to version 7.1-3.20 to fix several\n security and non security issues:\n\n - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734 CVE-2015-4803\n CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840\n CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871\n CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902\n CVE-2015-4903 CVE-2015-4911 CVE-2015-5006\n - Add backcompat symlinks for sdkdir\n - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in\n _jvmprivdir\n\n", "published": "2015-12-03T18:10:57", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00003.html", "cvelist": ["CVE-2015-5006", "CVE-2015-4860", "CVE-2015-4903", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-0458", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-0459", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-0478", "CVE-2015-4835", "CVE-2015-0204", "CVE-2015-0488", "CVE-2015-0480", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-0491"], "lastseen": "2016-09-04T12:07:54"}], "ubuntu": [{"id": "USN-2784-1", "type": "ubuntu", "title": "OpenJDK 7 vulnerabilities", "description": "Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4881, CVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4840, CVE-2015-4842, CVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911)", "published": "2015-10-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2784-1/", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2018-03-29T18:17:35"}, {"id": "USN-2827-1", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-4872)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4842, CVE-2015-4903)\n\nMultiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)", "published": "2015-12-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2827-1/", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2018-03-29T18:18:59"}, {"id": "USN-3227-1", "type": "ubuntu", "title": "ICU vulnerabilities", "description": "It was discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.", "published": "2017-03-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3227-1/", "cvelist": ["CVE-2016-0494", "CVE-2014-9911", "CVE-2016-7415", "CVE-2016-6293", "CVE-2015-4844"], "lastseen": "2018-03-29T18:20:35"}], "openvas": [{"id": "OPENVAS:1361412562310703381", "type": "openvas", "title": "Debian Security Advisory DSA 3381-1 (openjdk-7 - security update)", "description": "Several vulnerabilities have been\ndiscovered in OpenJDK, an implementation of the Oracle Java platform, resulting\nin the execution of arbitrary code, breakouts of the Java sandbox, information\ndisclosure, or denial of service.", "published": "2015-10-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703381", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2018-04-06T11:25:04"}, {"id": "OPENVAS:1361412562310122718", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1921", "description": "Oracle Linux Local Security Checks ELSA-2015-1921", "published": "2015-10-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122718", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-07-24T12:52:16"}, {"id": "OPENVAS:1361412562310882302", "type": "openvas", "title": "CentOS Update for java CESA-2015:1920 centos6 ", "description": "Check the version of java", "published": "2015-10-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882302", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-07-25T10:53:17"}, {"id": "OPENVAS:1361412562310122717", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1919", "description": "Oracle Linux Local Security Checks ELSA-2015-1919", "published": "2015-10-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122717", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2018-03-12T11:56:30"}, {"id": "OPENVAS:1361412562310851126", "type": "openvas", "title": "SuSE Update for java-1_7_0-openjdk openSUSE-SU-2015:1906-1 (java-1_7_0-openjdk)", "description": "Check the version of java-1_7_0-openjdk", "published": "2015-11-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851126", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-12-12T11:15:33"}, {"id": "OPENVAS:1361412562310842507", "type": "openvas", "title": "Ubuntu Update for openjdk-7 USN-2784-1", "description": "Check the version of openjdk-7", "published": "2015-10-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842507", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-12-04T11:23:44"}, {"id": "OPENVAS:1361412562310122736", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-2086", "description": "Oracle Linux Local Security Checks ELSA-2015-2086", "published": "2015-11-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122736", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2017-07-24T12:52:58"}, {"id": "OPENVAS:1361412562310842548", "type": "openvas", "title": "Ubuntu Update for openjdk-6 USN-2827-1", "description": "Check the version of openjdk-6", "published": "2015-12-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842548", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2017-12-04T11:24:24"}, {"id": "OPENVAS:1361412562310131101", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2015-0412", "description": "Mageia Linux Local Security Checks mgasa-2015-0412", "published": "2015-10-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131101", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-07-24T12:53:54"}, {"id": "OPENVAS:1361412562310108399", "type": "openvas", "title": "Oracle Java SE JRE Multiple Unspecified Vulnerabilities-02 Oct 2015 (Linux)", "description": "The host is installed with Oracle Java SE\n JRE and is prone to multiple unspecified vulnerabilities.", "published": "2015-10-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108399", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2018-03-12T12:01:48"}], "centos": [{"id": "CESA-2015:2086", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:2086\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/021505.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/021506.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-November/021507.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-2086.html", "published": "2015-11-18T19:46:16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-November/021505.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2017-10-03T18:24:56"}, {"id": "CESA-2015:1921", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1921\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/021438.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1921.html", "published": "2015-10-21T23:24:30", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/021438.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-10-03T18:25:34"}, {"id": "CESA-2015:1920", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1920\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/021437.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/021439.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1920.html", "published": "2015-10-21T23:14:14", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/021437.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-10-03T18:25:31"}, {"id": "CESA-2015:1919", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1919\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report a revoked certificate, causing the application to\naccept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/021436.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-October/021440.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-accessibility\njava-1.8.0-openjdk-debug\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-demo-debug\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-devel-debug\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-headless-debug\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-javadoc-debug\njava-1.8.0-openjdk-src\njava-1.8.0-openjdk-src-debug\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1919.html", "published": "2015-10-21T23:13:49", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-October/021436.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-10-03T18:25:01"}], "archlinux": [{"id": "ASA-201510-17", "type": "archlinux", "title": "jre7-openjdk-headless: multiple issues", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n"user.dir" system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4871 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect confidentiality and integrity via unknown vectors\nrelated to Libraries.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.", "published": "2015-10-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000419.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-02T18:44:46"}, {"id": "ASA-201510-15", "type": "archlinux", "title": "jdk7-openjdk: multiple issues", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n"user.dir" system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4871 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect confidentiality and integrity via unknown vectors\nrelated to Libraries.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.", "published": "2015-10-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000417.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-02T18:44:47"}, {"id": "ASA-201510-16", "type": "archlinux", "title": "jre7-openjdk: multiple issues", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n"user.dir" system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4871 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect confidentiality and integrity via unknown vectors\nrelated to Libraries.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.", "published": "2015-10-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000418.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-02T18:44:44"}, {"id": "ASA-201510-20", "type": "archlinux", "title": "jre8-openjdk-headless: multiple issues", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n"user.dir" system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4868 (security policy bypass)\n\nA flaw was found in the way the Libraries component of OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report that a certificate was revoked, causing the\napplication to accept it as trusted.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4901 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality, integrity, and availability via unknown vectors related\nto JavaFX.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4906 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors related to JavaFX.\n\n- CVE-2015-4908 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4916 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors.", "published": "2015-10-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000422.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-4916"], "lastseen": "2016-09-02T18:44:37"}, {"id": "ASA-201510-18", "type": "archlinux", "title": "jdk8-openjdk: multiple issues", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n"user.dir" system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4868 (security policy bypass)\n\nA flaw was found in the way the Libraries component of OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report that a certificate was revoked, causing the\napplication to accept it as trusted.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4901 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality, integrity, and availability via unknown vectors related\nto JavaFX.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4906 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors related to JavaFX.\n\n- CVE-2015-4908 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4916 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors.", "published": "2015-10-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000420.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-4916"], "lastseen": "2016-09-02T18:44:49"}, {"id": "ASA-201510-19", "type": "archlinux", "title": "jre8-openjdk: multiple issues", "description": "- CVE-2015-4734 (information disclosure)\n\nIt was discovered that the JGSS component of OpenJDK did not properly\nhide Kerberos realm information from all error exceptions when running\nunder Security Manager. An untrusted Java application or applet could\nuse this flaw to obtain certain information about the Kerberos\nconfiguration on the host where they were executed, bypassing certain\nJava sandbox restrictions.\n\n- CVE-2015-4803 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not use\nefficient data structures to store data from parsed XML documents. A\nspecially-crafted XML input could cause a Java application using JAXP to\nuse an excessive amount of CPU time by e.g. triggering hash collisions.\n\n- CVE-2015-4805 (arbitrary code execution)\n\nIt was discovered that the ObjectStreamClass in the Serialization\ncomponent of OpenJDK failed to ensure that the object is fully\ninitialized before allowing calls of certain methods. An untrusted Java\napplication or applet could use this flaw to bypass Java sandbox\nrestrictions to execute code.\n\n- CVE-2015-4806 (improper input validation)\n\nA vulnerability has been discovered leading to HttpURLConnection header\nrestriction bypass, allowing remote attackers to affect confidentiality\nand integrity via unknown vectors related to Libraries.\n\n- CVE-2015-4810 (arbitrary code execution)\n\nAn unspecified vulnerability has been discovered that allows local users\nto affect confidentiality, integrity, and availability via unknown\nvectors related to Deployment.\n\n- CVE-2015-4835 (arbitrary code execution)\n\nIt was discovered that the StubGenerator class in the CORBA component of\nOpenJDK failed to generate code with all needed permission checks\nrelated to object (de-)serialization. An untursted Java application or\napplet could use this flaw to bypass Java sandbox restrictions and\nexecute arbitrary code.\n\n- CVE-2015-4840 (information disclosure)\n\nIt was discovered that the 2D component of OpenJDK could perform out of\nbounds access and possibly disclose portions of the Java Virtual Machine\nmemory when processing specially crafted color profiles. The issue was\ncaused by having bundled lcms2 code use fast floor() implementation. An\nuntrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions.\n\n- CVE-2015-4842 (information disclosure)\n\nAn information disclosure flaw was found in the JAXP component of\nOpenJDK. An untrusted Java application or applet could use this flaw to\nget information about user home directory location (the content of the\n"user.dir" system property), hence bypassing certain Java sandbox\nrestrictions.\n\n- CVE-2015-4843 (arbitrary code execution)\n\nMultiple integer overflow issues were found in the implementation of\nBuffers in the java.nio (Non-blocking I/O) packages in the Libraries\ncomponent of OpenJDK. These could lead to out of bounds buffer access\nand Java Virtual Machine memory corruption. An untursted Java\napplication or applet could use these flaws to run arbitrary code with\nthe Java Virtual Machine privileges or bypass Java sandbox restrictions.\n\n- CVE-2015-4844 (arbitrary code execution)\n\nIt was discovered that ICU Layout Engine was missing multiple boundary\nand error return checks. These could lead to buffer overflows and memory\ncorruption. A specially crafted font file could cause an application\nusing ICU to parse untrusted fonts to crash and, possibly, execute\narbitrary code.\n\n- CVE-2015-4860 (sandbox bypass)\n\nIt was discovered that the DGCImpl (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when processing untrusted\ninput. An untrusted Java application or applet could use this flaw to\nbypass Java sandbox restrictions.\n\n- CVE-2015-4868 (security policy bypass)\n\nA flaw was found in the way the Libraries component of OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report that a certificate was revoked, causing the\napplication to accept it as trusted.\n\n- CVE-2015-4872 (security policy bypass)\n\nIt was discovered that the AlgorithmChecker class in the Security\ncomponent of OpenJDK failed to properly check if a certificate satisfies\nall defined constraints in certain cases. This could cause a Java\napplication to accept an X.509 certificate which does not meet\nrequirements of the policy defined in the java.security file.\n\n- CVE-2015-4881 (sandbox bypass)\n\nIt was discovered that the IIOPInputStream class in the CORBA component\nof OpenJDK failed to properly check object and field types during object\ndeserialization. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4882 (denial of service)\n\nA flaw was found in the way the IIOPInputStream class in the CORBA\ncomponent of OpenJDK performed deserialization of String objects. An\nuntrusted Java application or applet could use this flaw to crash the\nJava Virtual Machine.\n\n- CVE-2015-4883 (sandbox bypass)\n\nIt was discovered that the DGCClient (for RMI distributed\ngarbage-collection - DGC) class in the RMI component of OpenJDK failed\nto use restricted access control context when handling JRMP (Java Remote\nMethod Protocol) messages. An untrusted Java application or applet could\nuse this flaw to bypass Java sandbox restrictions.\n\n- CVE-2015-4893 (denial of service)\n\nIt was discovered that the JAXP component of OpenJDK did not enforce the\nmaximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.\nA specially crafted XML document could cause a Java application using\nJAXP to consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4901 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality, integrity, and availability via unknown vectors related\nto JavaFX.\n\n- CVE-2015-4902 (unknown)\n\nAn unspecified vulnerability has been discovered that allows remote\nattackers to affect integrity via unknown vectors related to Deployment.\n\n- CVE-2015-4903 (sandbox bypass)\n\nIt was discovered that the RemoteObjectInvocationHandler class in the\nRMI component of OpenJDK did not check if object proxy is an instance of\na proxy class and that it uses correct invocation handler. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions by gaining access to data that should by protected\nby the sandbox.\n\n- CVE-2015-4906 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors related to JavaFX.\n\n- CVE-2015-4908 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors.\n\n- CVE-2015-4911 (denial of service)\n\nIt was discovered that the StAX XML parser in the JAXP component of\nOpenJDK could do certain DTD processing even when DTD support was\ndisabled via the javax.xml.stream.supportDTD system property. A\nspecially crafted XML document could cause a Java application using JAXP\nto consume an excessive amount of memory and CPU time when parsed.\n\n- CVE-2015-4916 (unknown)\n\nA unspecified vulnerability allows remote attackers to affect\nconfidentiality via unknown vectors.", "published": "2015-10-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000421.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-4916"], "lastseen": "2016-09-02T18:44:42"}], "amazon": [{"id": "ALAS-2015-605", "type": "amazon", "title": "Critical: java-1.7.0-openjdk", "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2015-4835 __](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881 __](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843 __](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883 __](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860 __](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805 __](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844 __](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803 __](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893 __](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911 __](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. ([CVE-2015-4872 __](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2015-4806 __](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4840 __](<https://access.redhat.com/security/cve/CVE-2015-4840>), [CVE-2015-4882 __](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842 __](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734 __](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903 __](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.63.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.x86_64 \n \n \n", "published": "2015-10-27T13:52:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-605.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-28T21:03:58"}, {"id": "ALAS-2015-606", "type": "amazon", "title": "Important: java-1.8.0-openjdk", "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2015-4835 __](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881 __](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843 __](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883 __](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860 __](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805 __](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844 __](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803 __](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893 __](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911 __](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nA flaw was found in the way the Libraries component in OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report a revoked certificate, causing the application to accept it as trusted. ([CVE-2015-4868 __](<https://access.redhat.com/security/cve/CVE-2015-4868>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. ([CVE-2015-4872 __](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2015-4806 __](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4840 __](<https://access.redhat.com/security/cve/CVE-2015-4840>), [CVE-2015-4882 __](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842 __](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734 __](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903 __](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.i686 \n java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.7.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.x86_64 \n java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.x86_64 \n \n \n", "published": "2015-10-27T16:39:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-606.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-28T21:03:58"}, {"id": "ALAS-2015-616", "type": "amazon", "title": "Important: java-1.6.0-openjdk", "description": "**Issue Overview:**\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. ([CVE-2015-4835 __](<https://access.redhat.com/security/cve/CVE-2015-4835>), [CVE-2015-4881 __](<https://access.redhat.com/security/cve/CVE-2015-4881>), [CVE-2015-4843 __](<https://access.redhat.com/security/cve/CVE-2015-4843>), [CVE-2015-4883 __](<https://access.redhat.com/security/cve/CVE-2015-4883>), [CVE-2015-4860 __](<https://access.redhat.com/security/cve/CVE-2015-4860>), [CVE-2015-4805 __](<https://access.redhat.com/security/cve/CVE-2015-4805>), [CVE-2015-4844 __](<https://access.redhat.com/security/cve/CVE-2015-4844>))\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. ([CVE-2015-4803 __](<https://access.redhat.com/security/cve/CVE-2015-4803>), [CVE-2015-4893 __](<https://access.redhat.com/security/cve/CVE-2015-4893>), [CVE-2015-4911 __](<https://access.redhat.com/security/cve/CVE-2015-4911>))\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. ([CVE-2015-4872 __](<https://access.redhat.com/security/cve/CVE-2015-4872>))\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. ([CVE-2015-4806 __](<https://access.redhat.com/security/cve/CVE-2015-4806>), [CVE-2015-4882 __](<https://access.redhat.com/security/cve/CVE-2015-4882>), [CVE-2015-4842 __](<https://access.redhat.com/security/cve/CVE-2015-4842>), [CVE-2015-4734 __](<https://access.redhat.com/security/cve/CVE-2015-4734>), [CVE-2015-4903 __](<https://access.redhat.com/security/cve/CVE-2015-4903>))\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.x86_64 \n \n \n", "published": "2015-12-14T10:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-616.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2016-09-28T21:03:59"}], "aix": [{"id": "JAVA_OCT2015_ADVISORY.ASC", "type": "aix", "title": "Multiple vulnerabilities in IBM Java SDK affect AIX", "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Thu Dec 10 08:51:54 CST 2015\n\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc\n\n \nSecurity Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX\n CVE-2015-4844 CVE-2015-4843 CVE-2015-4805 CVE-2015-4860 CVE-2015-4883\n CVE-2015-4835 CVE-2015-4810 CVE-2015-4806 CVE-2015-4871 CVE-2015-4902\n CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4840 CVE-2015-4842\n CVE-2015-4882 CVE-2015-4903 CVE-2015-4803 CVE-2015-4734 CVE-2015-5006 \n\n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in IBM SDK Java Technology Edition,\n Versions 5, 6, 7, 7.1, 8 that are used by AIX. These issues were disclosed\n as part of the IBM Java SDK updates in October 2015.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2015-4844\n DESCRIPTION: An unspecified vulnerability related to the 2D component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107346 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4843\n DESCRIPTION: An unspecified vulnerability related to the Libraries\n component has complete confidentiality impact, complete integrity\n impact, and complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107342 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4805\n DESCRIPTION: An unspecified vulnerability related to the Serialization\n component has complete confidentiality impact, complete integrity\n impact, and complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107345 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4860\n DESCRIPTION: An unspecified vulnerability related to the RMI component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107344 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4883\n DESCRIPTION: An unspecified vulnerability related to the RMI component has\n complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107343 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4835\n DESCRIPTION: An unspecified vulnerability related to the CORBA component\n has complete confidentiality impact, complete integrity impact, and\n complete availability impact.\n CVSS Base Score: 10\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107340 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4810\n DESCRIPTION: An unspecified vulnerability related to the Deployment\n component has complete confidentiality impact, complete integrity\n impact, and complete availability impact.\n CVSS Base Score: 6.9\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107349 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)\n\n CVEID: CVE-2015-4806\n DESCRIPTION: An unspecified vulnerability related to the Libraries\n component has partial confidentiality impact, partial integrity impact,\n and no availability impact.\n CVSS Base Score: 6.4\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107350 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)\n\n CVEID: CVE-2015-4871\n DESCRIPTION: An unspecified vulnerability related to the Libraries\n component has partial confidentiality impact, partial integrity impact,\n and no availability impact.\n CVSS Base Score: 5.8\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107351 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)\n\n CVEID: CVE-2015-4902\n DESCRIPTION: An unspecified vulnerability related to the Deployment\n component has no confidentiality impact, partial integrity impact, and\n no availability impact.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107352 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n CVEID: CVE-2015-4872\n DESCRIPTION: An unspecified vulnerability related to the Security\n component has no confidentiality impact, partial integrity impact,\n and no availability impact.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n CVEID: CVE-2015-4911\n DESCRIPTION: An unspecified vulnerability related to the JAXP component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107360 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2015-4893\n DESCRIPTION: An unspecified vulnerability related to the JAXP component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107359 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2015-4840\n DESCRIPTION: An unspecified vulnerability related to the 2D component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107353 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-4842\n DESCRIPTION: An unspecified vulnerability related to the JAXP component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107355 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-4882\n DESCRIPTION: An unspecified vulnerability related to the CORBA component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107354 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2015-4903\n DESCRIPTION: An unspecified vulnerability related to the RMI component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107357 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-4803\n DESCRIPTION: An unspecified vulnerability related to the JAXP component\n could allow a remote attacker to cause a denial of service.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107358 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n CVEID: CVE-2015-4734\n DESCRIPTION: An unspecified vulnerability related to the JGSS component\n could allow a remote attacker to obtain sensitive information.\n CVSS Base Score: 5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/107356 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2015-5006\n DESCRIPTION: IBM Java Security Components could allow an attacker with\n physical access to the system to obtain sensitive information from the\n Kerberos Credential Cache.\n CVSS Base Score: 4.6\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/106309 for the\n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n\n The following fileset levels (VRMF) are vulnerable, if the \n respective Java version is installed:\n For Java5: Less than 5.0.0.620\n For Java6: Less than 6.0.0.510\n For Java7: Less than 7.0.0.270\n For Java7.1: Less than 7.1.0.150\n For Java8: Less than 8.0.0.70\n\n Note: to find out whether the affected Java filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i java\n\n\n REMEDIATION:\n\n IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 \n Fix Pack 14 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix \n Pack 15 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=6.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix\n Pack 20 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all \n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3\n Fix Pack 20 and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all\n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all \n\n IBM SDK, Java Technology Edition, Version 8 Service Refresh 2\n and subsequent releases:\n 32-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+32-bit,+pSeries&function=all \n 64-bit: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=all\n\n Note regarding CVE-2015-4911\n This was addressed by IBM in June 2008. As a reminder, users of Java 6\n and above should refer to the IBM XL XP-J documentation for the\n javax.xml.stream.supportDTD property for information to help avoid this\n vulnerability.\n\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v2 Guide:\n http://www.first.org/cvss/v2/guide \n On-line Calculator v2:\n http://nvd.nist.gov/CVSS-v2-Calculator \n Complete CVSS v3 Guide:\n http://www.first.org/cvss/user-guide \n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0 \n IBM Java SDK Security Bulletin: \n http://www-01.ibm.com/support/docview.wss?uid=swg21969225\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Thu Dec 10 08:51:54 CST 2015 \n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n \n\n", "published": "2015-12-10T08:51:54", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://aix.software.ibm.com/aix/efixes/security/java_oct2015_advisory.asc", "cvelist": ["CVE-2015-5006", "CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-10-24T17:48:11"}], "nessus": [{"id": "ORACLELINUX_ELSA-2015-2086.NASL", "type": "nessus", "title": "Oracle Linux 5 / 6 / 7 : java-1.6.0-openjdk (ELSA-2015-2086)", "description": "From Red Hat Security Advisory 2015:2086 :\n\nUpdated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-11-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86927", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2017-12-13T23:34:28"}, {"id": "REDHAT-RHSA-2015-1927.NASL", "type": "nessus", "title": "RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2015:1927)", "description": "Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 91 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.", "published": "2015-10-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86561", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-12-13T23:35:26"}, {"id": "SL_20151118_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64", "description": "Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nAll running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-11-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86938", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2017-10-29T13:42:55"}, {"id": "REDHAT-RHSA-2015-1921.NASL", "type": "nessus", "title": "RHEL 5 : java-1.7.0-openjdk (RHSA-2015:1921)", "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-10-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86526", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-12-13T23:23:36"}, {"id": "ALA_ALAS-2015-616.NASL", "type": "nessus", "title": "Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2015-616)", "description": "Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835 , CVE-2015-4881 , CVE-2015-4843 , CVE-2015-4883 , CVE-2015-4860 , CVE-2015-4805 , CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803 , CVE-2015-4893 , CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806 , CVE-2015-4882 , CVE-2015-4842 , CVE-2015-4734 , CVE-2015-4903)", "published": "2015-12-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87342", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2018-04-19T07:36:08"}, {"id": "SL_20151021_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x, SL7.x i386/x86_64", "description": "Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report a revoked certificate, causing the application to accept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nAll running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-10-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86529", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-10-29T13:42:53"}, {"id": "SUSE_SU-2015-1874-1.NASL", "type": "nessus", "title": "SUSE SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:1874-1)", "description": "java-1_7_0-openjdk was updated to version 7u91 to fix 17 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-4843: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bsc#951376).\n\n - CVE-2015-4842: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JAXP (bsc#951376).\n\n - CVE-2015-4840: Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via unknown vectors related to 2D (bsc#951376).\n\n - CVE-2015-4872: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect integrity via unknown vectors related to Security (bsc#951376).\n\n - CVE-2015-4860: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883 (bsc#951376).\n\n - CVE-2015-4844: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D (bsc#951376).\n\n - CVE-2015-4883: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860 (bsc#951376).\n\n - CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4911 (bsc#951376).\n\n - CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893 (bsc#951376).\n\n - CVE-2015-4882: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect availability via vectors related to CORBA (bsc#951376).\n\n - CVE-2015-4881: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835 (bsc#951376).\n\n - CVE-2015-4734: Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to JGSS (bsc#951376).\n\n - CVE-2015-4806: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries (bsc#951376).\n\n - CVE-2015-4805: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization (bsc#951376).\n\n - CVE-2015-4803: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allowed remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911 (bsc#951376).\n\n - CVE-2015-4835: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881 (bsc#951376).\n\n - CVE-2015-4903: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allowed remote attackers to affect confidentiality via vectors related to RMI (bsc#951376).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-11-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86705", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-12-13T23:31:56"}, {"id": "REDHAT-RHSA-2015-2506.NASL", "type": "nessus", "title": "RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:2506)", "description": "Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary.\n\nRed Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nAll users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR3-FP20 release. All running instances of IBM Java must be restarted for the update to take effect.", "published": "2015-11-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87047", "cvelist": ["CVE-2015-5006", "CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4844", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-12-13T23:34:11"}, {"id": "ORACLELINUX_ELSA-2015-1921.NASL", "type": "nessus", "title": "Oracle Linux 5 : java-1.7.0-openjdk (ELSA-2015-1921)", "description": "From Red Hat Security Advisory 2015:1921 :\n\nUpdated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.\n(CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.\n(CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2015-10-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86522", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-12-13T23:28:52"}, {"id": "REDHAT-RHSA-2015-2509.NASL", "type": "nessus", "title": "RHEL 7 : java-1.8.0-ibm (RHSA-2015:2509)", "description": "Updated java-1.8.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 7 Supplementary.\n\nRed Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nIBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.\n\nAll users of java-1.8.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 8 SR2 release. All running instances of IBM Java must be restarted for the update to take effect.", "published": "2015-11-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87050", "cvelist": ["CVE-2015-5006", "CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4844", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2017-12-13T23:33:35"}], "oraclelinux": [{"id": "ELSA-2015-1920", "type": "oraclelinux", "title": "java-1.7.0-openjdk security update", "description": "[1:1.7.0.91-2.6.2.2.0.1]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.91-2.6.2.2]\n- added and applied patch500 8072932or8074489.patch to fix tck failure\n- Resolves: rhbz#1271919\n[1:1.7.0.91-2.6.2.1]\n- Bump to 2.6.2 and u91b00.\n- Resolves: rhbz#1271919", "published": "2015-10-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1920.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T11:16:37"}, {"id": "ELSA-2015-1921", "type": "oraclelinux", "title": "java-1.7.0-openjdk security update", "description": "[1:1.7.0.91-2.6.2.1.0.1]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Oracle Linux'\n[1:1.7.0.91-2.6.2.1]\n- added and applied patch500 8072932or8074489.patch to fix tck failure\n- Resolves: rhbz#1271918\n[1:1.7.0.91-2.6.2.0]\n- Drop patch for PR2521/RH1242587 now resolved upstream.\n- Resolves: rhbz#1271918\n[1:1.7.0.91-2.6.2.0]\n- Bump to 2.6.2 and u91b00.\n- Resolves: rhbz#1271918", "published": "2015-10-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1921.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T11:16:44"}, {"id": "ELSA-2015-1919", "type": "oraclelinux", "title": "java-1.8.0-openjdk security update", "description": "[1:1.8.0.65-0.b17]\n- October 2015 security update to u65b17.\n- Add script for generating OpenJDK tarballs from a local Mercurial tree.\n- Update RH1191652 patch to build against current AArch64 tree.\n- Use appropriate source ID to avoid unpacking both tarballs on AArch64.\n- Fix library removal script so jpeg, giflib and png sources are removed.\n- Update system-lcms.patch to regenerated upstream (8042159) version.\n- Drop LCMS update from rhel6-built.patch\n- Resolves: rhbz#1257654\n[1:1.8.0.51-4.b16]\n- bumped release to do an build, so test whether 1251560 was really fixed\n- Resolves: rhbz#1254197\n[1:1.8.0.60-4.b27]\n- updated to u60 (1255352)\n- Resolves: rhbz#1257654", "published": "2015-10-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1919.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-04T11:16:50"}, {"id": "ELSA-2015-2086", "type": "oraclelinux", "title": "java-1.6.0-openjdk security update", "description": "[1:1.6.0.35-1.13.9.4.0.1.el5_11]\n- Add oracle-enterprise.patch\n[1:1.6.0.37-1.13.9.4]\n- Update with new IcedTea & b37 tarballs, including fix for appletviewer regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.3]\n- Update with new IcedTea & b37 tarballs, including more Kerberos fixes for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.2]\n- Update with new IcedTea & b37 tarballs, including Kerberos fixes for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.1]\n- Update with newer tarball, including 6763122 fix for TCK regression.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.1]\n- Drop java-1.6.0-openjdk-pstack.patch. 6310967, the upstream version, is applied in OpenJDK 6.\n- Resolves: rhbz#1271926\n[1:1.6.0.37-1.13.9.0]\n- Update to IcedTea 1.13.9\n- Resolves: rhbz#1271926", "published": "2015-11-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-2086.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2016-09-04T11:16:00"}], "debian": [{"id": "DSA-3381", "type": "debian", "title": "openjdk-7 -- security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure, or denial of service.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 7u85-2.6.1-6~deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed in version 7u85-2.6.1-5~deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 7u85-2.6.1-6.\n\nWe recommend that you upgrade your openjdk-7 packages.", "published": "2015-10-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3381", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893"], "lastseen": "2016-09-02T18:19:27"}, {"id": "DLA-346", "type": "debian", "title": "openjdk-6 -- LTS security update", "description": "Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform. These vulnerabilities relate to execution of arbitrary code, breakouts of the Java sandbox, information disclosure and denial of service.\n\nFor Debian 6 Squeeze, these problems have been fixed in openjdk-6 version 6b37-1.13.9-1~deb6u1.\n\nWe recommend you to upgrade your openjdk-6 packages.", "published": "2015-11-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/2015/dla-346", "cvelist": ["CVE-2015-4860", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4893"], "lastseen": "2016-09-02T12:56:32"}, {"id": "DSA-3725", "type": "debian", "title": "icu -- security update", "description": "Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.\n\n * [CVE-2014-9911](<https://security-tracker.debian.org/tracker/CVE-2014-9911>)\n\nMichele Spagnuolo discovered a buffer overflow vulnerability which might allow remote attackers to cause a denial of service or possibly execute arbitrary code via crafted text.\n\n * [CVE-2015-2632](<https://security-tracker.debian.org/tracker/CVE-2015-2632>)\n\nAn integer overflow vulnerability might lead into a denial of service or disclosure of portion of application memory if an attacker has control on the input file.\n\n * [CVE-2015-4844](<https://security-tracker.debian.org/tracker/CVE-2015-4844>)\n\nBuffer overflow vulnerabilities might allow an attacker with control on the font file to perform a denial of service or, possibly, execute arbitrary code.\n\n * [CVE-2016-0494](<https://security-tracker.debian.org/tracker/CVE-2016-0494>)\n\nInteger signedness issues were introduced as part of the [CVE-2015-4844](<https://security-tracker.debian.org/tracker/CVE-2015-4844>) fix.\n\n * [CVE-2016-6293](<https://security-tracker.debian.org/tracker/CVE-2016-6293>)\n\nA buffer overflow might allow an attacker to perform a denial of service or disclosure of portion of application memory.\n\n * [CVE-2016-7415](<https://security-tracker.debian.org/tracker/CVE-2016-7415>)\n\nA stack-based buffer overflow might allow an attacker with control on the locale string to perform a denial of service and, possibly, execute arbitrary code.\n\nFor the stable distribution (jessie), these problems have been fixed in version 52.1-8+deb8u4.\n\nFor the unstable distribution (sid), these problems have been fixed in version 57.1-5.\n\nWe recommend that you upgrade your icu packages.", "published": "2016-11-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3725", "cvelist": ["CVE-2015-2632", "CVE-2016-0494", "CVE-2014-9911", "CVE-2016-7415", "CVE-2016-6293", "CVE-2015-4844"], "lastseen": "2016-11-28T01:22:55"}], "redhat": [{"id": "RHSA-2015:1927", "type": "redhat", "title": "(RHSA-2015:1927) Critical: java-1.7.0-oracle security update", "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810,\nCVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844,\nCVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882,\nCVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 91 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "published": "2015-10-22T22:20:48", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1927", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911"], "lastseen": "2018-03-20T08:32:05"}, {"id": "RHSA-2015:1928", "type": "redhat", "title": "(RHSA-2015:1928) Important: java-1.6.0-sun security update", "description": "Oracle Java SE version 6 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835,\nCVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872,\nCVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902,\nCVE-2015-4903, CVE-2015-4911)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-sun are advised to upgrade to these updated\npackages, which provide Oracle Java 6 Update 105 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "published": "2015-10-22T22:21:17", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1928", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4911"], "lastseen": "2018-03-20T08:31:58"}, {"id": "RHSA-2015:2507", "type": "redhat", "title": "(RHSA-2015:2507) Critical: java-1.7.0-ibm security update", "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further information\nabout these flaws can be found on the IBM Java Security alerts page, listed\nin the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805,\nCVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842,\nCVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872,\nCVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903,\nCVE-2015-5006)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR9-FP20 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "published": "2015-11-23T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2507", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-5006"], "lastseen": "2017-09-09T07:19:56"}, {"id": "RHSA-2015:2086", "type": "redhat", "title": "(RHSA-2015:2086) Important: java-1.6.0-openjdk security update", "description": "The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2015-11-18T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2086", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4903", "CVE-2015-4911"], "lastseen": "2018-04-15T14:25:25"}, {"id": "RHSA-2015:2509", "type": "redhat", "title": "(RHSA-2015:2509) Critical: java-1.8.0-ibm security update", "description": "IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further information\nabout these flaws can be found on the IBM Java Security alerts page, listed\nin the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805,\nCVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842,\nCVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872,\nCVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903,\nCVE-2015-5006)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.8.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 8 SR2 release. All running instances\nof IBM Java must be restarted for the update to take effect.", "published": "2015-11-23T17:28:59", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2509", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-5006"], "lastseen": "2018-03-20T18:40:28"}, {"id": "RHSA-2015:2506", "type": "redhat", "title": "(RHSA-2015:2506) Critical: java-1.7.1-ibm security update", "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment\nand the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Further information\nabout these flaws can be found on the IBM Java Security alerts page, listed\nin the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805,\nCVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842,\nCVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872,\nCVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903,\nCVE-2015-5006)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.1-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7R1 SR3-FP20 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "published": "2015-11-23T05:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2506", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4871", "CVE-2015-4872", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-5006"], "lastseen": "2018-03-20T18:40:27"}, {"id": "RHSA-2015:1920", "type": "redhat", "title": "(RHSA-2015:1920) Critical: java-1.7.0-openjdk security update", "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2015-10-21T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1920", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4903", "CVE-2015-4911"], "lastseen": "2018-04-15T14:25:44"}, {"id": "RHSA-2015:1919", "type": "redhat", "title": "(RHSA-2015:1919) Important: java-1.8.0-openjdk security update", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nA flaw was found in the way the Libraries component in OpenJDK handled\ncertificate revocation lists (CRL). In certain cases, CRL checking code\ncould fail to report a revoked certificate, causing the application to\naccept it as trusted. (CVE-2015-4868)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2015-10-21T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1919", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4903", "CVE-2015-4911"], "lastseen": "2018-04-15T16:21:15"}, {"id": "RHSA-2015:1921", "type": "redhat", "title": "(RHSA-2015:1921) Important: java-1.7.0-openjdk security update", "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nMultiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,\nand 2D components in OpenJDK. An untrusted Java application or applet could\nuse these flaws to completely bypass Java sandbox restrictions.\n(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,\nCVE-2015-4805, CVE-2015-4844)\n\nMultiple denial of service flaws were found in the JAXP component in\nOpenJDK. A specially crafted XML file could cause a Java application using\nJAXP to consume an excessive amount of CPU and memory when parsed.\n(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)\n\nIt was discovered that the Security component in OpenJDK failed to properly\ncheck if a certificate satisfied all defined constraints. In certain cases,\nthis could cause a Java application to accept an X.509 certificate which\ndoes not meet requirements of the defined policy. (CVE-2015-4872)\n\nMultiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI\ncomponents in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,\nCVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2015-10-21T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1921", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4903", "CVE-2015-4911"], "lastseen": "2017-09-09T07:20:39"}, {"id": "RHSA-2015:1926", "type": "redhat", "title": "(RHSA-2015:1926) Critical: java-1.8.0-oracle security update", "description": "Oracle Java SE version 8 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810,\nCVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844,\nCVE-2015-4860, CVE-2015-4868, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882,\nCVE-2015-4883, CVE-2015-4893, CVE-2015-4901, CVE-2015-4902, CVE-2015-4903,\nCVE-2015-4906, CVE-2015-4908, CVE-2015-4911, CVE-2015-4916)\n\nRed Hat would like to thank Andrea Palazzo of Truel IT for reporting the\nCVE-2015-4806 issue.\n\nAll users of java-1.8.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 8 Update 65 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "published": "2015-10-22T22:19:40", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1926", "cvelist": ["CVE-2015-4734", "CVE-2015-4803", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4835", "CVE-2015-4840", "CVE-2015-4842", "CVE-2015-4843", "CVE-2015-4844", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4872", "CVE-2015-4881", "CVE-2015-4882", "CVE-2015-4883", "CVE-2015-4893", "CVE-2015-4901", "CVE-2015-4902", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4908", "CVE-2015-4911", "CVE-2015-4916"], "lastseen": "2018-03-20T08:31:57"}], "freebsd": [{"id": "A5934BA8-A376-11E5-85E9-14DAE9D210B8", "type": "freebsd", "title": "java -- multiple vulnerabilities", "description": "\nOracle reports:\n\nThis Critical Patch Update contains 25 new security fixes\n\t for Oracle Java SE. 24 of these vulnerabilities may be remotely\n\t exploitable without authentication, i.e., may be exploited over a\n\t network without the need for a username and password.\n\n", "published": "2015-10-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/a5934ba8-a376-11e5-85e9-14dae9d210b8.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-4916"], "lastseen": "2016-09-26T17:24:12"}], "kaspersky": [{"id": "KLA10683", "type": "kaspersky", "title": "\r KLA10683Multiple vulnerabilities in Oracle Java SE\t\t\t ", "description": "### *CVSS*:\n10.0\n\n### *Detect date*:\n10/20/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unspecified vulnerabilities were found in Oracle Java SE. By exploiting these vulnerabilities malicious users can cause denial of service or obtain sensitive information. These vulnerabilities can be exploited remotely via an unknown vectors.\n\n### *Affected products*:\nOracle Java SE 6u101, 7u85 and 8u60 \nOracle Java SE Embedded 8u51\n\n### *Solution*:\nUpdate to the latest version \n[Get Java](<http://www.oracle.com/technetwork/java/javase/downloads/index.html>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle Java JRE 1.8.x](<https://threats.kaspersky.com/en/product/Oracle-Java-JRE-1.8.x/>)\n\n### *CVE-IDS*:\n[CVE-2015-4803](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803>) \n[CVE-2015-4805](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805>) \n[CVE-2015-4806](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806>) \n[CVE-2015-4901](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4901>) \n[CVE-2015-4882](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882>) \n[CVE-2015-4868](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868>) \n[CVE-2015-4903](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903>) \n[CVE-2015-4902](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4902>) \n[CVE-2015-4893](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893>) \n[CVE-2015-4911](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911>) \n[CVE-2015-4906](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4906>) \n[CVE-2015-4871](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871>) \n[CVE-2015-4908](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4908>) \n[CVE-2015-4872](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872>) \n[CVE-2015-4835](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835>) \n[CVE-2015-4810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4810>) \n[CVE-2015-4881](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881>) \n[CVE-2015-4734](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734>) \n[CVE-2015-4883](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883>) \n[CVE-2015-4916](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4916>) \n[CVE-2015-4844](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844>) \n[CVE-2015-4860](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860>) \n[CVE-2015-4840](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840>) \n[CVE-2015-4842](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842>) \n[CVE-2015-4843](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843>)", "published": "2015-10-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10683", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-4916"], "lastseen": "2018-03-30T14:11:17"}], "f5": [{"id": "SOL05200155", "type": "f5", "title": "SOL05200155 - Multiple Java vulnerabilities", "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "published": "2015-11-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/05/sol05200155.html", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-4916"], "lastseen": "2016-11-09T00:09:53"}, {"id": "F5:K05200155", "type": "f5", "title": "Multiple Java vulnerabilities", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2015-11-26T18:23:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K05200155", "cvelist": ["CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4883", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4893", "CVE-2015-4916"], "lastseen": "2017-06-08T00:16:35"}, {"id": "SOL05534090", "type": "f5", "title": "SOL05534090 - Java vulnerability CVE-2015-4803", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the** Severity** values published in the previous table. The **Severity **values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2015-11-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/05/sol05534090.html", "cvelist": ["CVE-2015-4803", "CVE-2015-4911", "CVE-2015-4893"], "lastseen": "2016-11-09T00:09:48"}, {"id": "F5:K05534090", "type": "f5", "title": "Java vulnerability CVE-2015-4803", "description": "\nF5 Product Development has assigned INSTALLER-1945 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 \n11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 \n11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| Java\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the** Severity** values published in the previous table. The **Severity **values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2015-11-21T01:04:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K05534090", "cvelist": ["CVE-2015-4803", "CVE-2015-4911", "CVE-2015-4893"], "lastseen": "2017-06-08T00:16:30"}, {"id": "SOL14132811", "type": "f5", "title": "SOL14132811 - Java vulnerability CVE-2015-4893", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the** Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2015-11-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/14/sol14132811.html", "cvelist": ["CVE-2015-4803", "CVE-2015-4911", "CVE-2015-4893"], "lastseen": "2016-12-01T17:27:59"}, {"id": "F5:K14132811", "type": "f5", "title": "Java vulnerability CVE-2015-4893", "description": "\nF5 Product Development has assigned INSTALLER-1947 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 \n11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 \n11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| None\n\nIf you are running a version listed in the** Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2015-11-21T01:15:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K14132811", "cvelist": ["CVE-2015-4803", "CVE-2015-4911", "CVE-2015-4893"], "lastseen": "2017-06-08T00:16:23"}, {"id": "F5:K93203055", "type": "f5", "title": "Java vulnerability CVE-2015-4872", "description": "\nF5 Product Development has assigned INSTALLER-1946 (Traffix) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 \n11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 \n11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| Java\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the** Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2015-11-21T01:12:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://support.f5.com/csp/article/K93203055", "cvelist": ["CVE-2015-4872"], "lastseen": "2017-06-08T00:16:03"}, {"id": "SOL93203055", "type": "f5", "title": "SOL93203055 - Java vulnerability CVE-2015-4872", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the** Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2015-11-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/93/sol93203055.html", "cvelist": ["CVE-2015-4872"], "lastseen": "2016-09-02T18:43:59"}], "gentoo": [{"id": "GLSA-201603-14", "type": "gentoo", "title": "IcedTea: Multiple vulnerabilities", "description": "### Background\n\nIcedTea\u2019s aim is to provide OpenJDK in a form suitable for easy configuration, compilation and distribution with the primary goal of allowing inclusion in GNU/Linux distributions. \n\n### Description\n\nVarious OpenJDK attack vectors in IcedTea, such as 2D, Corba, Hotspot, Libraries, and JAXP, exist which allows remote attackers to affect the confidentiality, integrity, and availability of vulnerable systems. This includes the possibility of remote execution of arbitrary code, information disclosure, or Denial of Service. Many of the vulnerabilities can only be exploited through sandboxed Java Web Start applications and java applets. Please reference the CVEs listed for specific details. \n\n### Impact\n\nRemote attackers may remotely execute arbitrary code, compromise information, or cause Denial of Service. \n\n### Workaround\n\nThere is no known work around at this time.\n\n### Resolution\n\nIcedTea 7.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-7.2.6.4\"\n \n\nIcedTea bin 7.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-7.2.6.4\"\n \n\nIcedTea 6.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-6.1.13.9\"\n \n\nIcedTea bin 6.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-6.1.13.9\"", "published": "2016-03-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201603-14", "cvelist": ["CVE-2015-2601", "CVE-2015-4749", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-4732", "CVE-2015-4860", "CVE-2015-0395", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-2613", "CVE-2015-4883", "CVE-2015-0407", "CVE-2014-6585", "CVE-2016-0483", "CVE-2016-0448", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-0383", "CVE-2015-4871", "CVE-2015-4803", "CVE-2014-6587", "CVE-2015-2590", "CVE-2015-4805", "CVE-2015-4806", "CVE-2016-0466", "CVE-2015-2628", "CVE-2016-0494", "CVE-2016-0402", "CVE-2015-4733", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-4835", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-2621", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-4731", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4748", "CVE-2015-4893", "CVE-2015-4760"], "lastseen": "2016-09-06T19:46:55"}, {"id": "GLSA-201603-11", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "description": "### Background\n\nJava Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today\u2019s demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today\u2019s applications require. \n\n### Description\n\nMultiple vulnerabilities exist in both Oracle\u2019s JRE and JDK. Please review the referenced CVE\u2019s for additional information. \n\n### Impact\n\nRemote attackers could gain access to information, remotely execute arbitrary code, and cause Denial of Service. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JRE Users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jre-bin-1.8.0.72\"\n \n\nAll Oracle JDK Users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jdk-bin-1.8.0.72\"", "published": "2016-03-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201603-11", "cvelist": ["CVE-2015-4000", "CVE-2015-0484", "CVE-2015-2627", "CVE-2015-2601", "CVE-2015-4729", "CVE-2015-0492", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-2664", "CVE-2015-4732", "CVE-2015-4860", "CVE-2015-4868", "CVE-2015-4903", "CVE-2015-0477", "CVE-2015-4906", "CVE-2015-0469", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-7840", "CVE-2015-2613", "CVE-2015-4883", "CVE-2015-0458", "CVE-2015-4736", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-0459", "CVE-2015-4871", "CVE-2015-4803", "CVE-2015-4902", "CVE-2015-2590", "CVE-2015-4805", "CVE-2015-4806", "CVE-2015-2628", "CVE-2015-4810", "CVE-2015-4908", "CVE-2015-4733", "CVE-2015-0478", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-2637", "CVE-2015-2621", "CVE-2015-2638", "CVE-2015-0460", "CVE-2015-2619", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-4731", "CVE-2015-2659", "CVE-2015-0480", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4748", "CVE-2015-0486", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-0437", "CVE-2015-0491", "CVE-2015-4760"], "lastseen": "2016-09-06T19:46:05"}], "oracle": [{"id": "ORACLE:CPUOCT2015-2367953", "type": "oracle", "title": "Oracle Critical Patch Update - October 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 153 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-10-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-1792", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2014-7923", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-3236", "CVE-2015-4868", "CVE-2014-3572", "CVE-2015-0206", "CVE-1999-0377", "CVE-2015-1789", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2014-8150", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-2522", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2015-0288", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-0285", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-3153", "CVE-2015-0207", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2014-8275", "CVE-2015-4869", "CVE-2015-0208", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2014-3570", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2014-8147", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2014-3707", "CVE-2015-4912", "CVE-2015-0293", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-1788", "CVE-2015-2633", "CVE-2015-4807", "CVE-2014-8146", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-0209", "CVE-2015-3183", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-0204", "CVE-2014-7926", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-1790", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-0291", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4854", "CVE-2015-0287", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-0289", "CVE-2015-4916", "CVE-2015-4826", "CVE-2015-0292", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-0290", "CVE-2015-0205", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-1787", "CVE-2014-3569", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "lastseen": "2018-04-18T20:24:08"}], "cloudfoundry": [{"id": "CFOUNDRY:B642D1016F9847BDB1C562D31A013349", "type": "cloudfoundry", "title": "USN-3227-1: ICU vulnerabilities - Cloud Foundry", "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nIt was discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3151.x versions prior to 3151.14\n * 3233.x versions prior to 3233.16\n * 3263.x versions prior to 3263.22\n * 3312.x versions prior to 3312.22\n * 3363.x versions prior to 3363.14\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.108.0\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3151.x versions to 3151.14 or later\n * Upgrade 3233.x versions to 3233.16 or later\n * Upgrade 3263.x versions to 3263.22 or later\n * Upgrade 3312.x versions to 3312.22 or later\n * Upgrade 3363.x versions to 3363.14 or later\n * All other stemcells should be upgraded to the latest version.\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 versions 1.108.0 or later.\n\n# References\n\n * [USN-3227-1](<http://www.ubuntu.com/usn/usn-3227-1/>)\n * [CVE-2014-9911](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-9911>)\n * [CVE-2015-4844](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-4844>)\n * [CVE-2016-0494](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-0494>)\n * [CVE-2016-6293](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6293>)\n * [CVE-2016-7415](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7415>)\n", "published": "2017-03-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.cloudfoundry.org/blog/usn-3227-1/", "cvelist": ["CVE-2016-0494", "CVE-2014-9911", "CVE-2016-7415", "CVE-2016-6293", "CVE-2015-4844"], "lastseen": "2018-01-12T14:52:56"}], "threatpost": [{"id": "MACS-NOT-RECEIVING-EFI-FIRMWARE-SECURITY-UPDATES-AS-EXPECTED/128191", "type": "threatpost", "title": "Macs Not Receiving EFI Firmware Security Updates as Expected", "description": "Since the [Thunderstrike bootkit](<https://threatpost.com/first-public-mac-os-x-firmware-bootkit-unleashed/110287/>) attacks targeting [Apple firmware](<https://threatpost.com/thunderstrike-2-os-x-firmware-attack-self-replicates-to-peripherals/114124/>) were disclosed in 2015, Apple has bundled subsequent EFI updates with its regular macOS security and software updates in an attempt to improve protection around its hardware.\n\nResearchers at Duo Security, however, have uncovered that many of those updates are incomplete, and fleets of Macs running in enterprises worldwide may be woefully out of date when it comes to firmware updates.\n\n### Related Posts\n\n#### [Critical Apple Login Bug Puts macOS High Sierra Systems at Risk](<https://threatpost.com/critical-apple-login-bug-puts-macos-high-sierra-systems-at-risk/129028/> \"Permalink to Critical Apple Login Bug Puts macOS High Sierra Systems at Risk\" )\n\nNovember 28, 2017 , 8:47 pm\n\n#### [Apple iPhone X Face ID Fooled by a Mask](<https://threatpost.com/apple-iphone-x-face-id-fooled-by-a-mask/128865/> \"Permalink to Apple iPhone X Face ID Fooled by a Mask\" )\n\nNovember 14, 2017 , 9:00 am\n\n#### [Eavesdropper Vulnerability Exposes Mobile Call, Text Data](<https://threatpost.com/eavesdropper-vulnerability-exposes-mobile-call-text-data/128838/> \"Permalink to Eavesdropper Vulnerability Exposes Mobile Call, Text Data\" )\n\nNovember 9, 2017 , 1:48 pm\n\nThis is bad news for businesses and should perk up the ears of advanced attackers who have increasingly gone after hardware level access and persistence on targeted machines.\n\nDuo director of research and development Rich Smith and R&D engineer Pepijn Bruienne are scheduled today to deliver a talk and a paper on this research at the Ekoparty conference in Argentina.\n\nEFI, or the extensible firmware interface, operates at a lower level than the operating system and hypervisors, providing extensive privileges to users\u2014and attackers. Attacks at this level often survive reboots and reimaging, giving APTs in particular, longstanding access to a computer.\n\nDuo said it analyzed data such as the build version and hardware model of more than 73,000 Macs, and compared that information to the respective EFI versions that should be running. On average, Duo said, 4.2 percent of machines in production environments did not match their expected EFI versions. The numbers were much worse for particular Mac models; the iMac 21.5 inch of late 2015, for example, was at a 43 percent discrepancy. Duo also said that 16 combinations of Mac hardware and OSes had never received a firmware update during the time when OS X 10.10 and 10.12.6 was available. More details on the data are available in the [research report](<https://duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research>).\n\nApple, meanwhile, acknowledged Duo\u2019s findings and according to Smith and Bruienne, Apple engineers were open to their findings. Apple is working to improve the factors behind this situation; it\u2019s still not publicly known whether this is a process or visibility problem on Apple\u2019s end, or how the company intends to address this. It should be noted as well that this is not necessarily exclusive to Apple. Duo said in its report that the same issues are likely present on Windows/Intel systems.\n\n\u201cWe appreciate Duo\u2019s work on this industry-wide issue and noting Apple\u2019s leading approach to this challenge,\u201d Apple told Threatpost. \u201cApple continues to work diligently in the area of firmware security and we\u2019re always exploring ways to make our systems even more secure. In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.\u201d\n\nSmith and Bruienne said that users running on newer versions of macOS are closer to being in line with proper firmware update levels than older versions of the OS. Smith speculates now that High Sierra, or 10.13, is available, that Apple would support 10.11 and newer going forward, and for version 10.10 and older, security and EFI update support would end.\n\n\u201cAs we saw when we ripped open every security and OS update since 2015, Apple drops off which EFI firmware bundles it ships with them. The current OS always has the latest updates, minus-1 fewer and minus-2 even fewer,\u201d Bruienne said.\n\nSupporting this, Smith said OS version 10.12.6 shipped with 40 EFI bundles while the 10.11 security update had 31 and the security update for 10.10 which was released at the same time only had one EFI update bundle.\n\n\u201cThere\u2019s some math Apple is doing, or something that\u2019s going on,\u201d Bruienne said. \u201cWe\u2019re unclear as to why that drops off as far as what they support. We want to say that if you\u2019re not on the latest OS, you\u2019re at risk.\n\n\u201cEFI adoption isn\u2019t foolproof and watertight,\u201d Bruienne said. \u201cAnd because of these serious vulnerabilities, this is an issue, especially for larger organizations like Google or Facebook that might be targets for folks willing to go through the effort of an EFI attack to get persistence.\u201d\n\nThunderstrike and a variant that emerged later in 2015, along with two other attacks\u2014CVE-2015-4860 and CVE-2016-7585\u2014pose particular concerns for organizations in the crosshairs of EFI attacks. According to Duo, 47 and 31 Mac models respectively did not receive an EFI patch for Thunderstrike 1 or 2. As for CVE-2015-4860, 25 Mac models never received the EFI patch for the flaw, while 22 were in the same shape when it came to CVE-2016-7585.\n\n\u201cI was certainly under the impression at the start of this work that if you were still eligible to receive software updates, that you would receive firmware updates,\u201d Smith said. \u201cI would be under the assumption that would bring my whole system, firmware and all, up to the latest level. From a number of different perspectives\u2014Mac models, discrepancies between the different versions of the main OS\u2014that\u2019s provably not true.\u201d", "published": "2017-09-29T08:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/macs-not-receiving-efi-firmware-security-updates-as-expected/128191/", "cvelist": ["CVE-2015-4860", "CVE-2016-7585"], "lastseen": "2017-12-01T19:17:50"}]}}
