ID: ZDI-18-1263
Type: zdi
Reporter: Nelson William Gamazo Sanchez of Trend Micro Research
Modified: 2018-06-22T00:00:00
Description
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Oracle Java. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of a configuration file called usagetracker.properties. By modifying specific properties within this file, it is possible to create an arbitrary file with controlled data when the JVM is started. An attacker can leverage this vulnerability in certain situations to escalate privilege to the level of SYSTEM.
{"id": "ZDI-18-1263", "bulletinFamily": "info", "title": "Oracle Java Usage Tracker usagetracker.properties Privilege Escalation Vulnerability", "description": "This vulnerability allows local attackers to escalate privileges on vulnerable installations of Oracle Java. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of a configuration file called usagetracker.properties. By modifying specific properties within this file, it is possible to create an arbitrary file with controlled data when the JVM is started. An attacker can leverage this vulnerability in certain situations to escalate privilege to the level of SYSTEM.", "published": "2018-10-17T00:00:00", "modified": "2018-06-22T00:00:00", "cvss": {"score": 3.3, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N"}, "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1263/", "reporter": "Nelson William Gamazo Sanchez of Trend Micro Research", "references": ["https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"], "cvelist": ["CVE-2018-3211"], "type": "zdi", "lastseen": "2020-06-22T11:42:17", "edition": 1, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-3211"]}, {"type": "f5", "idList": ["F5:K04224795"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:0C7EE9C51794D1141BBC3F38860A4780"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310814406", "OPENVAS:1361412562310814100"]}, {"type": "nessus", "idList": ["PHOTONOS_PHSA-2018-1_0-0192.NASL", "ORACLE_JAVA_CPU_OCT_2018.NASL", "ORACLE_JAVA_CPU_OCT_2018_UNIX.NASL", "PHOTONOS_PHSA-2018-2_0-0106_OPENJDK8.NASL", "PHOTONOS_PHSA-2020-1_0-0290_OPENJDK11.NASL", "GENTOO_GLSA-201908-10.NASL", "REDHAT-RHSA-2018-3003.NASL", "PHOTONOS_PHSA-2020-3_0-0084_OPENJDK11.NASL", "REDHAT-RHSA-2018-3002.NASL", "PHOTONOS_PHSA-2018-1_0-0192_OPENJDK.NASL"]}, {"type": "kaspersky", 
"idList": ["KLA11340"]}, {"type": "redhat", "idList": ["RHSA-2018:3003", "RHSA-2018:3002"]}, {"type": "gentoo", "idList": ["GLSA-201908-10"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2018-4428296"]}], "modified": "2020-06-22T11:42:17", "rev": 2}, "score": {"value": 4.3, "vector": "NONE", "modified": "2020-06-22T11:42:17", "rev": 2}, "vulnersScore": 4.3}}
{"cve": [{"lastseen": "2020-10-03T13:20:20", "description": "Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serviceability). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Java SE, Java SE Embedded executes to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). This vulnerability can only be exploited when Java Usage Tracker functionality is being used. CVSS 3.0 Base Score 6.6 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).", "edition": 6, "cvss3": {"exploitabilityScore": 1.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.6, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-10-17T01:31:00", "title": "CVE-2018-3211", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-3211"], "modified": "2020-09-08T12:29:00", "cpe": ["cpe:/a:oracle:jdk:11.0.0", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jre:11.0.0", "cpe:/a:oracle:jdk:1.8.0"], "id": "CVE-2018-3211", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3211", "cvss": {"score": 3.3, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.8.0:update181:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update_181:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:11.0.0:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:39:24", "bulletinFamily": "software", "cvelist": ["CVE-2018-3211"], "description": "\nF5 Product Development has assigned CPF-25010 and CPF-25011 (Traffix SDC) to this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see 
versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 14.x | None | Not applicable | Not vulnerable | None | None \n13.x | None | Not applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 6.x | None | Not applicable | Not vulnerable | None | None \n5.x | None | Not applicable \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | Not applicable | Medium | [6.6](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N>) | Java SE (Serviceability) \n4.x | 4.4.0 | Not applicable \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-01-07T19:49:00", "published": "2019-01-07T19:49:00", "id": "F5:K04224795", "href": "https://support.f5.com/csp/article/K04224795", "title": "Java SE vulnerability CVE-2018-3211", "type": "f5", "cvss": {"score": 3.3, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N"}}], "trendmicroblog": [{"lastseen": "2018-10-25T20:30:38", "bulletinFamily": "blog", "cvelist": ["CVE-2018-3211"], "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Apex One enters as the evolution of Trend Micro\u2019s endpoint security solution for enterprise. 
Also, learn about Java Usage Tracker\u2019s new weakness and the conditions that enabled the exploit.\n\nRead on:\n\n**[Trend Micro Redefines Endpoint Security with Apex One](<https://blog.trendmicro.com/trend-micro-redefines-endpoint-security-with-apex-one/>)**\n\n_Apex One combines a breadth of threat detection & response capability with investigative features, in a single agent._** **\n\n**[CVE-2018-3211: Java Usage Tracker Local Elevation of Privilege on Windows](<https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2018-3211-java-usage-tracker-local-elevation-of-privilege-on-windows/>)**\n\n_Trend Micro found design flaw/weakness in Java Usage Tracker that can enable hackers to create arbitrary files, inject attacker-specified parameters, and elevate local privileges. _\n\n**[The FDA is Embracing Ethical Hackers in its Push to Secure Medical Devices](<https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/17/the-cybersecurity-202-the-fda-is-embracing-ethical-hackers-in-its-push-to-secure-medical-devices/5bc6156b1b326b7c8a8d1a01/?utm_term=.a99bfe8e4cf5>)**\n\n_With medical device cyberattacks on the rise, the Food and Drug Administration is turning to ethical hackers to help regulators and manufacturers root out vulnerabilities._\n\n**[Post-Brexit Britain Could Be A Cybersecurity Nightmare With Or Without A Deal](<https://www.forbes.com/sites/daveywinder/2018/10/16/post-brexit-britain-could-be-a-cybersecurity-nightmare-with-or-without-a-deal/#ca9b8992a343>)**\n\n_Whether or not the UK leaves the EU with a Brexit deal, the impact upon cybersecurity and the skills shortage is likely to be considerable and immediate._\n\n**[Cybersecurity Faces a Worldwide Shortage of Almost 3 Million Staff](<https://betanews.com/2018/10/17/cybersecurity-worldwide-skills-shortage/>)**\n\n_New research reveals a worldwide cybersecurity skills gap of 2.9 million, with the Asia-Pacific region experiencing the highest shortage at 2.14 million. 
_\n\n**[Facebook Finds Hack Was Done by Spammers, Not Foreign State](<https://www.wsj.com/articles/facebook-tentatively-concludes-recent-hack-was-perpetrated-by-spammers-1539821869>)**\n\n_Facebook believes that the hackers who gained access to the private information of 30 million users were spammers looking to make money through deceptive advertising._\n\nDo you think many organizations will discontinue tackling endpoint threats with two separate tools? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: _[@JonLClay.](<https://twitter.com/jonlclay>)_\n\nThe post [This Week in Security News: Apex One\u2122 Release and Java Usage Tracker Flaws](<https://blog.trendmicro.com/this-week-in-security-news-apex-one-release-and-java-usage-tracker-flaws/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2018-10-19T15:48:46", "published": "2018-10-19T15:48:46", "id": "TRENDMICROBLOG:0C7EE9C51794D1141BBC3F38860A4780", "href": "https://blog.trendmicro.com/this-week-in-security-news-apex-one-release-and-java-usage-tracker-flaws/", "type": "trendmicroblog", "title": "This Week in Security News: Apex One\u2122 Release and Java Usage Tracker Flaws", "cvss": {"score": 3.3, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2020-05-15T17:02:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3183", "CVE-2018-3211"], "description": "The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.", "modified": "2020-05-12T00:00:00", "published": "2018-10-17T00:00:00", "id": "OPENVAS:1361412562310814406", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814406", "type": "openvas", "title": "Oracle Java SE Security Updates-04 (oct2018-4428296) Linux", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Java SE Security Updates-04 
(oct2018-4428296) Linux\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814406\");\n script_version(\"2020-05-12T13:57:17+0000\");\n script_cve_id(\"CVE-2018-3183\", \"CVE-2018-3211\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-12 13:57:17 +0000 (Tue, 12 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-17 13:00:25 +0530 (Wed, 17 Oct 2018)\");\n script_name(\"Oracle Java SE Security Updates-04 (oct2018-4428296) Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Check if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to errors in 'Scripting'\n and 'Serviceability' components.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to gain elevated privileges and access and modify 
data.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE version 1.8.0 to 1.8.0.182 and\n 11 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate patch from the vendor. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Oracle/Java/JDK_or_JRE/Linux/detected\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:oracle:jre\", \"cpe:/a:sun:jre\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(vers =~ \"^(1\\.8|11)\") {\n if((version_in_range(version:vers, test_version:\"1.8.0\", test_version2:\"1.8.0.182\")) ||\n (version_is_equal(version:vers, test_version:\"11\"))) {\n report = report_fixed_ver(installed_version:vers, fixed_version: \"Apply the patch\", install_path:path);\n security_message(data:report);\n exit(0);\n }\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-15T17:02:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3183", "CVE-2018-3211"], "description": "The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.", "modified": "2020-05-12T00:00:00", "published": "2018-10-17T00:00:00", "id": "OPENVAS:1361412562310814100", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814100", "type": "openvas", "title": "Oracle Java SE Security Updates-04 (oct2018-4428296) Windows", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Java SE Security Updates-04 (oct2018-4428296) Windows\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814100\");\n script_version(\"2020-05-12T13:57:17+0000\");\n script_cve_id(\"CVE-2018-3183\", \"CVE-2018-3211\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-12 13:57:17 +0000 (Tue, 12 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-17 11:39:28 +0530 (Wed, 17 Oct 2018)\");\n script_name(\"Oracle Java SE Security Updates-04 (oct2018-4428296) Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Check if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to errors in 'Scripting'\n and 
'Serviceability' components.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to gain elevated privileges and access and modify data.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE version 1.8.0 to 1.8.0.182 and\n 11 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate patch from the vendor. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Sun/Java/JDK_or_JRE/Win/installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:oracle:jre\", \"cpe:/a:sun:jre\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(vers =~ \"^(1\\.8|11)\") {\n if((version_in_range(version:vers, test_version:\"1.8.0\", test_version2:\"1.8.0.182\")) ||\n (version_is_equal(version:vers, test_version:\"11\"))) {\n report = report_fixed_ver(installed_version:vers, fixed_version: \"Apply the patch\", install_path:path);\n security_message(data:report);\n exit(0);\n }\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-02-08T12:49:44", "description": "An update of 'openjdk' packages of Photon OS has been released.", "edition": 2, "published": "2018-10-29T00:00:00", "title": "Photon OS 1.0: Openjdk PHSA-2018-1.0-0192 (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3183", "CVE-2018-3211", 
"CVE-2018-3209", "CVE-2018-3169", "CVE-2018-3149"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2018-1_0-0192.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=118494", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2/7/2019\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-1.0-0192. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118494);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/07 18:59:50\");\n\n script_cve_id(\n \"CVE-2018-3149\",\n \"CVE-2018-3169\",\n \"CVE-2018-3183\",\n \"CVE-2018-3209\",\n \"CVE-2018-3211\"\n );\n\n script_name(english:\"Photon OS 1.0: Openjdk PHSA-2018-1.0-0192 (deprecated)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of 'openjdk' packages of Photon OS has been released.\");\n # https://github.com/vmware/photon/wiki/Security-Updates-1.0-192\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?030a1f9e\");\n script_set_attribute(attribute:\"solution\", value:\"n/a.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-3183\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:vmware:photonos:openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"openjdk-1.8.0.192-1.ph1\",\n \"openjdk-debuginfo-1.8.0.192-1.ph1\",\n \"openjdk-doc-1.8.0.192-1.ph1\",\n \"openjdk-sample-1.8.0.192-1.ph1\",\n \"openjdk-src-1.8.0.192-1.ph1\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-1.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": 
"2020-03-17T22:39:36", "description": "An update of the openjdk package has been released.", "edition": 8, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Openjdk PHSA-2018-1.0-0192", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2018-3169", "CVE-2018-3149"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2018-1_0-0192_OPENJDK.NASL", "href": "https://www.tenable.com/plugins/nessus/121892", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-1.0-0192. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121892);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\n \"CVE-2018-3149\",\n \"CVE-2018-3169\",\n \"CVE-2018-3180\",\n \"CVE-2018-3183\",\n \"CVE-2018-3209\",\n \"CVE-2018-3211\",\n \"CVE-2018-3214\"\n );\n\n script_name(english:\"Photon OS 1.0: Openjdk PHSA-2018-1.0-0192\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openjdk package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-192.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-3183\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-debuginfo-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-debuginfo-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-debuginfo-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-debuginfo-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", 
reference:\"openjdk-debuginfo-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-debuginfo-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-debuginfo-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-doc-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-sample-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-src-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-src-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-src-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-src-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", 
reference:\"openjdk-src-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-src-1.8.0.192-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openjdk-src-1.8.0.192-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T22:39:49", "description": "An update of the openjdk8 package has been released.", "edition": 8, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 2.0: Openjdk8 PHSA-2018-2.0-0106", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2018-3169", "CVE-2018-3149"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk8", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2018-2_0-0106_OPENJDK8.NASL", "href": "https://www.tenable.com/plugins/nessus/122001", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-2.0-0106. 
The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122001);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\n \"CVE-2018-3149\",\n \"CVE-2018-3169\",\n \"CVE-2018-3180\",\n \"CVE-2018-3183\",\n \"CVE-2018-3209\",\n \"CVE-2018-3211\",\n \"CVE-2018-3214\"\n );\n\n script_name(english:\"Photon OS 2.0: Openjdk8 PHSA-2018-2.0-0106\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openjdk8 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-106.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-3183\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openjdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.192-1.ph2\")) flag++;\nif 
(rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-debuginfo-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-doc-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-sample-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-src-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", 
reference:\"openjdk8-src-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-src-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-src-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-src-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-src-1.8.0.192-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"openjdk8-src-1.8.0.192-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk8\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T05:14:14", "description": "An update for java-1.8.0-oracle is now available for Oracle Java for\nRed Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 8 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 8 to version 8 Update 191.\n\nSecurity Fix(es) :\n\n* OpenJDK: Improper field access checks (Hotspot, 8199226)\n(CVE-2018-3169)\n\n* OpenJDK: Unrestricted access to scripting engine (Scripting,\n8202936) (CVE-2018-3183)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX)\n(CVE-2018-3209)\n\n* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction\n(JNDI, 8199177) (CVE-2018-3149)\n\n* OpenJDK: Incorrect handling of unsigned attributes in signed Jar\nmanifests (Security, 8194534) (CVE-2018-3136)\n\n* OpenJDK: Leak of sensitive header data via HTTP redirect\n(Networking, 8196902) (CVE-2018-3139)\n\n* OpenJDK: Missing endpoint identification algorithm check during TLS\nsession resumption (JSSE, 8202613) (CVE-2018-3180)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1\n(Serviceability) (CVE-2018-3211)\n\n* OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)\n(CVE-2018-3214)\n\n* libpng: Integer overflow and resultant divide-by-zero in\npngrutil.c:png_check_chunk_length() allows for denial of service\n(CVE-2018-13785)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.", "edition": 20, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2018-10-25T00:00:00", "title": "RHEL 6 : java-1.8.0-oracle (RHSA-2018:3003)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3136", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2018-13785", "CVE-2018-3139", 
"CVE-2018-3169", "CVE-2018-3149"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-src", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-javafx", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-devel", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2018-3003.NASL", "href": "https://www.tenable.com/plugins/nessus/118372", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3003. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118372);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/24 15:35:45\");\n\n script_cve_id(\"CVE-2018-13785\", \"CVE-2018-3136\", \"CVE-2018-3139\", \"CVE-2018-3149\", \"CVE-2018-3169\", \"CVE-2018-3180\", \"CVE-2018-3183\", \"CVE-2018-3209\", \"CVE-2018-3211\", \"CVE-2018-3214\");\n script_xref(name:\"RHSA\", value:\"2018:3003\");\n\n script_name(english:\"RHEL 6 : java-1.8.0-oracle (RHSA-2018:3003)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-oracle is now available for Oracle Java for\nRed Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 8 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 8 to version 8 Update 191.\n\nSecurity Fix(es) :\n\n* OpenJDK: Improper field access checks (Hotspot, 8199226)\n(CVE-2018-3169)\n\n* OpenJDK: Unrestricted access to scripting engine (Scripting,\n8202936) (CVE-2018-3183)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX)\n(CVE-2018-3209)\n\n* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction\n(JNDI, 8199177) (CVE-2018-3149)\n\n* OpenJDK: Incorrect handling of unsigned attributes in signed Jar\nmanifests (Security, 8194534) (CVE-2018-3136)\n\n* OpenJDK: Leak of sensitive header data via HTTP redirect\n(Networking, 8196902) (CVE-2018-3139)\n\n* OpenJDK: Missing endpoint identification algorithm check during TLS\nsession resumption (JSSE, 8202613) (CVE-2018-3180)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1\n(Serviceability) (CVE-2018-3211)\n\n* OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)\n(CVE-2018-3214)\n\n* libpng: Integer overflow and resultant divide-by-zero in\npngrutil.c:png_check_chunk_length() allows for denial of service\n(CVE-2018-13785)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3003\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3139\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3149\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3180\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3183\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3214\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-13785\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-javafx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3003\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", 
cpu:\"x86_64\", reference:\"java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-oracle / java-1.8.0-oracle-devel / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T05:14:14", "description": "An update for java-1.8.0-oracle is now available for Oracle Java for\nRed Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 8 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 8 to version 8 Update 191.\n\nSecurity Fix(es) :\n\n* OpenJDK: Improper field access checks (Hotspot, 8199226)\n(CVE-2018-3169)\n\n* OpenJDK: Unrestricted access to scripting engine (Scripting,\n8202936) (CVE-2018-3183)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX)\n(CVE-2018-3209)\n\n* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction\n(JNDI, 8199177) (CVE-2018-3149)\n\n* OpenJDK: Incorrect handling of unsigned attributes in signed Jar\nmanifests (Security, 8194534) (CVE-2018-3136)\n\n* OpenJDK: Leak of sensitive header data via HTTP redirect\n(Networking, 8196902) (CVE-2018-3139)\n\n* OpenJDK: Missing endpoint 
identification algorithm check during TLS\nsession resumption (JSSE, 8202613) (CVE-2018-3180)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1\n(Serviceability) (CVE-2018-3211)\n\n* OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)\n(CVE-2018-3214)\n\n* libpng: Integer overflow and resultant divide-by-zero in\npngrutil.c:png_check_chunk_length() allows for denial of service\n(CVE-2018-13785)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.", "edition": 20, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2018-10-25T00:00:00", "title": "RHEL 7 : java-1.8.0-oracle (RHSA-2018:3002)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3136", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2018-13785", "CVE-2018-3139", "CVE-2018-3169", "CVE-2018-3149"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-src", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-javafx", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-devel"], "id": "REDHAT-RHSA-2018-3002.NASL", "href": "https://www.tenable.com/plugins/nessus/118371", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3002. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118371);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/24 15:35:45\");\n\n script_cve_id(\"CVE-2018-13785\", \"CVE-2018-3136\", \"CVE-2018-3139\", \"CVE-2018-3149\", \"CVE-2018-3169\", \"CVE-2018-3180\", \"CVE-2018-3183\", \"CVE-2018-3209\", \"CVE-2018-3211\", \"CVE-2018-3214\");\n script_xref(name:\"RHSA\", value:\"2018:3002\");\n\n script_name(english:\"RHEL 7 : java-1.8.0-oracle (RHSA-2018:3002)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-oracle is now available for Oracle Java for\nRed Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOracle Java SE version 8 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 8 to version 8 Update 191.\n\nSecurity Fix(es) :\n\n* OpenJDK: Improper field access checks (Hotspot, 8199226)\n(CVE-2018-3169)\n\n* OpenJDK: Unrestricted access to scripting engine (Scripting,\n8202936) (CVE-2018-3183)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX)\n(CVE-2018-3209)\n\n* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction\n(JNDI, 8199177) (CVE-2018-3149)\n\n* OpenJDK: Incorrect handling of unsigned attributes in signed Jar\nmanifests (Security, 8194534) (CVE-2018-3136)\n\n* OpenJDK: Leak of sensitive header data via HTTP redirect\n(Networking, 8196902) (CVE-2018-3139)\n\n* OpenJDK: Missing endpoint identification algorithm check during TLS\nsession resumption (JSSE, 8202613) (CVE-2018-3180)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1\n(Serviceability) (CVE-2018-3211)\n\n* OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)\n(CVE-2018-3214)\n\n* libpng: Integer overflow and resultant divide-by-zero in\npngrutil.c:png_check_chunk_length() allows for denial of service\n(CVE-2018-13785)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3139\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3149\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3180\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3183\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-3214\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-13785\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-javafx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-oracle-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3002\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-1.8.0.191-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"java-1.8.0-oracle / java-1.8.0-oracle-devel / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:34:45", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is prior to 11 Update 1, 8 Update 191,\n7 Update 201, or 6 Update 211. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An unspecified vulnerability in the Java SE Embedded\n component of Oracle Java SE in the Deployment (libpng)\n subcomponent could allow an unauthenticated, remote\n attacker with network access via HTTP to compromise\n Java SE. (CVE-2018-13785)\n \n - An unspecified vulnerability in the Java SE Embedded\n component of Oracle Java SE in the Hotspot subcomponent\n that could allow an unauthenticated, remote attacker\n with network access via multiple protocols to compromise\n Java SE (CVE-2018-3169)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the JavaFX subcomponent could allow an\n unauthenticated, remote attacker with network access via\n multiple protocols to compromise Java SE.\n (CVE-2018-3209)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, and JRockit component of Oracle Java SE in\n the JNDI subcomponent could allow an unauthenticated,\n remote attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded, and\n JRockit. 
(CVE-2018-3149)\n \n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n JSSE subcomponent could allow an unauthenticated,\n remote attacker with network access via SSL/TLS to\n compromise Java SE, Java SE Embedded, or JRockit.\n (CVE-2018-3180)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Networking\n subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE or Java SE Embedded. (CVE-2018-3139)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n Scripting subcomponent could allow an unauthenticated,\n remote attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded, or\n JRockit. (CVE-2018-3183)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Security\n subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. (CVE-2018-3136)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the\n Serviceability subcomponent could allow a low privileged\n attacker with logon to the infrastructure where Java SE,\n Java SE Embedded executes to compromise Java SE, Java SE\n Embedded. 
(CVE-2018-3211)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the Sound subcomponent could allow an\n unauthenticated, remote attacker with network access via\n multiple protocols to compromise Java SE.\n (CVE-2018-3157)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the Utility subcomponent could allow an\n unauthenticated, remote attacker with network access via\n multiple protocols to compromise Java SE.\n (CVE-2018-3150)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 25, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2018-10-19T00:00:00", "title": "Oracle Java SE Multiple Vulnerabilities (October 2018 CPU) (Unix)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3157", "CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3136", "CVE-2018-3150", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2018-13785", "CVE-2018-3139", "CVE-2018-3169", "CVE-2018-3149"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_OCT_2018_UNIX.NASL", "href": "https://www.tenable.com/plugins/nessus/118227", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(118227);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-3136\",\n \"CVE-2018-3139\",\n \"CVE-2018-3149\",\n \"CVE-2018-3150\",\n \"CVE-2018-3157\",\n \"CVE-2018-3169\",\n \"CVE-2018-3180\",\n \"CVE-2018-3183\",\n \"CVE-2018-3209\",\n \"CVE-2018-3211\",\n \"CVE-2018-3214\",\n \"CVE-2018-13785\"\n );\n script_bugtraq_id(\n 105587,\n 105590,\n 105591,\n 105595,\n 105597,\n 105599,\n 105601,\n 105602,\n 105608,\n 105615,\n 105617,\n 105622\n );\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (October 2018 CPU) 
(Unix)\");\n script_summary(english:\"Checks the version of the JRE.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Unix host contains a programming platform that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is prior to 11 Update 1, 8 Update 191,\n7 Update 201, or 6 Update 211. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An unspecified vulnerability in the Java SE Embedded\n component of Oracle Java SE in the Deployment (libpng)\n subcomponent could allow an unauthenticated, remote\n attacker with network access via HTTP to compromise\n Java SE. (CVE-2018-13785)\n \n - An unspecified vulnerability in the Java SE Embedded\n component of Oracle Java SE in the Hotspot subcomponent\n that could allow an unauthenticated, remote attacker\n with network access via multiple protocols to compromise\n Java SE (CVE-2018-3169)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the JavaFX subcomponent could allow an\n unauthenticated, remote attacker with network access via\n multiple protocols to compromise Java SE.\n (CVE-2018-3209)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, and JRockit component of Oracle Java SE in\n the JNDI subcomponent could allow an unauthenticated,\n remote attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded, and\n JRockit. 
(CVE-2018-3149)\n \n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n JSSE subcomponent could allow an unauthenticated,\n remote attacker with network access via SSL/TLS to\n compromise Java SE, Java SE Embedded, or JRockit.\n (CVE-2018-3180)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Networking\n subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE or Java SE Embedded. (CVE-2018-3139)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n Scripting subcomponent could allow an unauthenticated,\n remote attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded, or\n JRockit. (CVE-2018-3183)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Security\n subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. (CVE-2018-3136)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the\n Serviceability subcomponent could allow a low privileged\n attacker with logon to the infrastructure where Java SE,\n Java SE Embedded executes to compromise Java SE, Java SE\n Embedded. 
(CVE-2018-3211)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the Sound subcomponent could allow an\n unauthenticated, remote attacker with network access via\n multiple protocols to compromise Java SE.\n (CVE-2018-3157)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the Utility subcomponent could allow an\n unauthenticated, remote attacker with network access via\n multiple protocols to compromise Java SE.\n (CVE-2018-3150)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?705136d8\");\n # https://www.oracle.com/technetwork/java/javase/11-0-1-relnotes-5032023.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?278f2590\");\n # https://www.oracle.com/technetwork/java/javase/8u191-relnotes-5032181.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?adc8ef52\");\n # https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2fbcacca\");\n # https://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de812f33\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle JDK / JRE 11 Update 1, 8 Update 191 / 7 Update 201 /\n6 Update 211 or later. 
If necessary, remove any affected versions.\n\nNote that an Extended Support contract with Oracle is needed to obtain\nJDK / JRE 6 Update 95 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-3183\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed_unix.nasl\");\n script_require_keys(\"Host/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"Host/Java/JRE/Unmanaged/*\");\n\ninfo = \"\";\nvuln = 0;\nvuln2 = 0;\ninstalled_versions = \"\";\ngranular = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"Host/Java/JRE/Unmanaged/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n # Fixes : (JDK|JRE) 11 Update 1 / 8 Update 191 / 7 Update 201 / 6 Update 211\n if (\n ver =~ '^1\\\\.6\\\\.0_([0-9]|[0-9][0-9]|1[0-9][0-9]|20[0-9]|210)([^0-9]|$)' ||\n ver =~ '^1\\\\.7\\\\.0_([0-9]|[0-9][0-9]|1[0-9][0-9]|200)([^0-9]|$)' ||\n ver =~ '^1\\\\.8\\\\.0_([0-9]|[0-9][0-9]|1[0-8][0-9]|190)([^0-9]|$)' ||\n ver =~ '^1\\\\.11\\\\.0_(0[0]|0?[0])([^0-9]|$)'\n )\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.6.0_211 / 1.7.0_201 / 1.8.0_191 / 1.11.0_1\\n';\n }\n else if (ver =~ \"^[\\d\\.]+$\")\n {\n dirs = make_list(get_kb_list(install));\n foreach dir (dirs)\n granular += \"The Oracle Java version \"+ver+\" at \"+dir+\" is not granular enough to make a determination.\"+'\\n';\n }\n else\n {\n dirs = make_list(get_kb_list(install));\n vuln2 += max_index(dirs);\n }\n\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_warning(port:0, extra:report);\n }\n else security_warning(0);\n if (granular) exit(0, granular);\n}\nelse\n{\n if (granular) exit(0, 
granular);\n\n installed_versions = substr(installed_versions, 3);\n if (vuln2 > 1)\n exit(0, \"The Java \"+installed_versions+\" installations on the remote host are not affected.\");\n else\n audit(AUDIT_INST_VER_NOT_VULN, \"Java\", installed_versions);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:34:44", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is prior to 11 Update 1, 8 Update 191,\n7 Update 201, or 6 Update 211. It is, therefore, affected by\nmultiple vulnerabilities related to the following components :\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Deployment\n (libpng) subcomponent could allow an unauthenticated,\n remote attacker with network access via HTTP to\n compromise Java SE, Java SE Embedded. (CVE-2018-13785)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Hotspot\n subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
(CVE-2018-3169)\n\n - An unspecified vulnerability in the Java SE component\n of Oracle Java SE in the JavaFX subcomponent could allow\n an unauthenticated, remote attacker with network access\n via multiple protocols to compromise Java SE.\n (CVE-2018-3209)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n JNDI subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded, JRockit.\n (CVE-2018-3149)\n \n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n JSSE subcomponent could allow an unauthenticated,\n remote attacker with network access via SSL/TLS to\n compromise Java SE, Java SE Embedded, JRockit.\n (CVE-2018-3180)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the\n Networking subcomponent could allow an unauthenticated,\n remote attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded.\n (CVE-2018-3139)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n Scripting subcomponent could allow an unauthenticated,\n remote attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded,\n JRockit. (CVE-2018-3183)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Security\n subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
(CVE-2018-3136)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the\n Serviceability subcomponent could allow a low privileged\n attacker with logon to the infrastructure where Java SE,\n Java SE Embedded executes to compromise Java SE, Java SE\n Embedded. (CVE-2018-3211)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the Sound subcomponent could allow an\n unauthenticated, remote attacker with network access via\n multiple protocols to compromise Java SE.\n (CVE-2018-3157)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the Utility subcomponent could allow\n an unauthenticated, remote attacker with network access\n via multiple protocols to compromise Java SE.\n (CVE-2018-3150)\n\nPlease consult the CVRF details for the applicable CVEs for\nadditional information.\n\nNessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 24, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2018-10-19T00:00:00", "title": "Oracle Java SE Multiple Vulnerabilities (October 2018 CPU)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3157", "CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3136", "CVE-2018-3150", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2018-13785", "CVE-2018-3139", "CVE-2018-3169", "CVE-2018-3149"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA_CPU_OCT_2018.NASL", "href": "https://www.tenable.com/plugins/nessus/118228", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(118228);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\n \"CVE-2018-3136\",\n \"CVE-2018-3139\",\n \"CVE-2018-3149\",\n \"CVE-2018-3150\",\n \"CVE-2018-3157\",\n 
\"CVE-2018-3169\",\n \"CVE-2018-3180\",\n \"CVE-2018-3183\",\n \"CVE-2018-3209\",\n \"CVE-2018-3211\",\n \"CVE-2018-3214\",\n \"CVE-2018-13785\"\n );\n script_bugtraq_id(\n 105587,\n 105590,\n 105591,\n 105595,\n 105597,\n 105599,\n 105601,\n 105602,\n 105608,\n 105615,\n 105617,\n 105622\n );\n\n script_name(english:\"Oracle Java SE Multiple Vulnerabilities (October 2018 CPU)\");\n script_summary(english:\"Checks the version of the JRE.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a programming platform that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is prior to 11 Update 1, 8 Update 191,\n7 Update 201, or 6 Update 211. It is, therefore, affected by\nmultiple vulnerabilities related to the following components :\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Deployment\n (libpng) subcomponent could allow an unauthenticated,\n remote attacker with network access via HTTP to\n compromise Java SE, Java SE Embedded. (CVE-2018-13785)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Hotspot\n subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
(CVE-2018-3169)\n\n - An unspecified vulnerability in the Java SE component\n of Oracle Java SE in the JavaFX subcomponent could allow\n an unauthenticated, remote attacker with network access\n via multiple protocols to compromise Java SE.\n (CVE-2018-3209)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n JNDI subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded, JRockit.\n (CVE-2018-3149)\n \n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n JSSE subcomponent could allow an unauthenticated,\n remote attacker with network access via SSL/TLS to\n compromise Java SE, Java SE Embedded, JRockit.\n (CVE-2018-3180)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the\n Networking subcomponent could allow an unauthenticated,\n remote attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded.\n (CVE-2018-3139)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component of Oracle Java SE in the\n Scripting subcomponent could allow an unauthenticated,\n remote attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded,\n JRockit. (CVE-2018-3183)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the Security\n subcomponent could allow an unauthenticated, remote\n attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. 
(CVE-2018-3136)\n\n - An unspecified vulnerability in the Java SE, Java SE\n Embedded component of Oracle Java SE in the\n Serviceability subcomponent could allow a low privileged\n attacker with logon to the infrastructure where Java SE,\n Java SE Embedded executes to compromise Java SE, Java SE\n Embedded. (CVE-2018-3211)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the Sound subcomponent could allow an\n unauthenticated, remote attacker with network access via\n multiple protocols to compromise Java SE.\n (CVE-2018-3157)\n\n - An unspecified vulnerability in the Java SE component of\n Oracle Java SE in the Utility subcomponent could allow\n an unauthenticated, remote attacker with network access\n via multiple protocols to compromise Java SE.\n (CVE-2018-3150)\n\nPlease consult the CVRF details for the applicable CVEs for\nadditional information.\n\nNessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?705136d8\");\n # https://www.oracle.com/technetwork/java/javase/11-0-1-relnotes-5032023.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?278f2590\");\n # https://www.oracle.com/technetwork/java/javase/8u191-relnotes-5032181.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?adc8ef52\");\n # https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2fbcacca\");\n # https://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de812f33\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle 
JDK / JRE 11 Update 1, 8 Update 191 / 7 Update 201 /\n6 Update 211 or later. If necessary, remove any affected versions.\n\nNote that an Extended Support contract with Oracle is needed to obtain\nJDK / JRE 6 Update 95 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-3183\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed.nasl\");\n script_require_keys(\"SMB/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"SMB/Java/JRE/*\");\n\ninfo = \"\";\nvuln = 0;\ninstalled_versions = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"SMB/Java/JRE/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n # Fixes : (JDK|JRE) 11 Update 1 / 8 Update 191 / 7 Update 201 / 6 Update 211\n if (\n ver =~ '^1\\\\.6\\\\.0_([0-9]|[0-9][0-9]|1[0-9][0-9]|20[0-9]|210)([^0-9]|$)' ||\n ver =~ '^1\\\\.7\\\\.0_([0-9]|[0-9][0-9]|1[0-9][0-9]|200)([^0-9]|$)' ||\n ver =~ '^1\\\\.8\\\\.0_([0-9]|[0-9][0-9]|1[0-8][0-9]|190)([^0-9]|$)' ||\n ver =~ '^1\\\\.11\\\\.0_(0[0]|0?[0])([^0-9]|$)'\n )\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.6.0_211 / 1.7.0_201 / 1.8.0_191 / 1.11.0_1\\n';\n }\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse\n{\n installed_versions = substr(installed_versions, 3);\n if (\" & \" >< installed_versions)\n exit(0, \"The Java \"+installed_versions+\" installations on the remote host are not affected.\");\n else\n audit(AUDIT_INST_VER_NOT_VULN, \"Java\", installed_versions);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2020-09-29T06:48:20", "description": "The remote host is affected by the vulnerability described in GLSA-201908-10\n(Oracle JDK/JRE: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE\n software suites. Please review the CVE identifiers referenced below for\n details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 13, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2019-08-20T00:00:00", "title": "GLSA-201908-10 : Oracle JDK/JRE: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3157", "CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3136", "CVE-2019-2697", "CVE-2018-3150", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2019-2602", "CVE-2018-13785", "CVE-2018-3139", "CVE-2019-2698", "CVE-2019-2684", "CVE-2019-2699", "CVE-2018-3169", "CVE-2018-3149"], "modified": "2019-08-20T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:oracle-jre-bin", "p-cpe:/a:gentoo:linux:oracle-jdk-bin"], "id": "GENTOO_GLSA-201908-10.NASL", "href": "https://www.tenable.com/plugins/nessus/127959", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201908-10.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127959);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/28\");\n\n script_cve_id(\"CVE-2018-13785\", \"CVE-2018-3136\", \"CVE-2018-3139\", \"CVE-2018-3149\", \"CVE-2018-3150\", \"CVE-2018-3157\", \"CVE-2018-3169\", \"CVE-2018-3180\", \"CVE-2018-3183\", \"CVE-2018-3209\", \"CVE-2018-3211\", \"CVE-2018-3214\", \"CVE-2019-2602\", \"CVE-2019-2684\", \"CVE-2019-2697\", \"CVE-2019-2698\", \"CVE-2019-2699\");\n script_xref(name:\"GLSA\", value:\"201908-10\");\n\n script_name(english:\"GLSA-201908-10 : Oracle JDK/JRE: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-201908-10\n(Oracle JDK/JRE: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Oracle’s JDK and JRE\n software suites. 
Please review the CVE identifiers referenced below for\n details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201908-10\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Oracle JDK bin users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=dev-java/oracle-jdk-bin-1.8.0.202:1.8'\n All Oracle JRE bin users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=dev-java/oracle-jre-bin-1.8.0.202:1.8'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:oracle-jdk-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:oracle-jre-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-java/oracle-jdk-bin\", unaffected:make_list(\"ge 1.8.0.202\"), vulnerable:make_list(\"lt 1.8.0.202\"))) flag++;\nif (qpkg_check(package:\"dev-java/oracle-jre-bin\", unaffected:make_list(\"ge 1.8.0.202\"), vulnerable:make_list(\"lt 1.8.0.202\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Oracle JDK/JRE\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-03T01:44:20", "description": "An update of the openjdk11 package has been released.", "edition": 2, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-04-29T00:00:00", "title": "Photon OS 1.0: Openjdk11 PHSA-2020-1.0-0290", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3157", "CVE-2019-2973", "CVE-2019-2992", "CVE-2018-3183", "CVE-2019-2818", "CVE-2019-2945", "CVE-2020-2830", "CVE-2020-2803", "CVE-2018-14048", "CVE-2018-3180", "CVE-2019-2762", "CVE-2020-2781", "CVE-2020-2755", "CVE-2020-2800", "CVE-2019-2983", "CVE-2018-3136", "CVE-2020-2757", "CVE-2020-2816", "CVE-2019-2999", "CVE-2018-3150", "CVE-2019-2816", "CVE-2019-2962", 
"CVE-2018-3211", "CVE-2019-2964", "CVE-2020-2805", "CVE-2020-2590", "CVE-2019-2602", "CVE-2019-2745", "CVE-2019-2949", "CVE-2018-13785", "CVE-2020-2655", "CVE-2018-3139", "CVE-2020-2583", "CVE-2018-11212", "CVE-2019-2821", "CVE-2019-2426", "CVE-2020-2601", "CVE-2019-2958", "CVE-2019-2684", "CVE-2020-2773", "CVE-2019-2769", "CVE-2019-2894", "CVE-2019-2975", "CVE-2019-2988", "CVE-2019-2766", "CVE-2020-2593", "CVE-2018-3169", "CVE-2018-3149", "CVE-2020-2756", "CVE-2020-2778", "CVE-2019-2981", "CVE-2019-2786", "CVE-2019-2987", "CVE-2019-2977", "CVE-2019-2422", "CVE-2019-2989", "CVE-2019-2978", "CVE-2019-2933", "CVE-2020-2767", "CVE-2020-2654", "CVE-2020-2754"], "modified": "2020-04-29T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk11", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2020-1_0-0290_OPENJDK11.NASL", "href": "https://www.tenable.com/plugins/nessus/136109", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0290. 
The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136109);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/01\");\n\n script_cve_id(\n \"CVE-2018-3136\",\n \"CVE-2018-3139\",\n \"CVE-2018-3149\",\n \"CVE-2018-3150\",\n \"CVE-2018-3157\",\n \"CVE-2018-3169\",\n \"CVE-2018-3180\",\n \"CVE-2018-3183\",\n \"CVE-2018-3211\",\n \"CVE-2018-11212\",\n \"CVE-2018-13785\",\n \"CVE-2018-14048\",\n \"CVE-2019-2422\",\n \"CVE-2019-2426\",\n \"CVE-2019-2602\",\n \"CVE-2019-2684\",\n \"CVE-2019-2745\",\n \"CVE-2019-2762\",\n \"CVE-2019-2766\",\n \"CVE-2019-2769\",\n \"CVE-2019-2786\",\n \"CVE-2019-2816\",\n \"CVE-2019-2818\",\n \"CVE-2019-2821\",\n \"CVE-2019-2894\",\n \"CVE-2019-2933\",\n \"CVE-2019-2945\",\n \"CVE-2019-2949\",\n \"CVE-2019-2958\",\n \"CVE-2019-2962\",\n \"CVE-2019-2964\",\n \"CVE-2019-2973\",\n \"CVE-2019-2975\",\n \"CVE-2019-2977\",\n \"CVE-2019-2978\",\n \"CVE-2019-2981\",\n \"CVE-2019-2983\",\n \"CVE-2019-2987\",\n \"CVE-2019-2988\",\n \"CVE-2019-2989\",\n \"CVE-2019-2992\",\n \"CVE-2019-2999\",\n \"CVE-2020-2583\",\n \"CVE-2020-2590\",\n \"CVE-2020-2593\",\n \"CVE-2020-2601\",\n \"CVE-2020-2654\",\n \"CVE-2020-2655\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2767\",\n \"CVE-2020-2773\",\n \"CVE-2020-2778\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2816\",\n \"CVE-2020-2830\"\n );\n script_bugtraq_id(\n 105587,\n 105591,\n 105595,\n 105597,\n 105599,\n 105601,\n 105602,\n 105608,\n 105617,\n 105622,\n 106583,\n 106590,\n 106596,\n 107918,\n 107922,\n 109184,\n 109185,\n 109186,\n 109187,\n 109188,\n 109189,\n 109201,\n 109210\n );\n\n script_name(english:\"Photon OS 1.0: Openjdk11 PHSA-2020-1.0-0290\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"An update of the openjdk11 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-290.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-3183\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openjdk11\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", cpu:\"x86_64\", reference:\"openjdk11-11.0.7-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", cpu:\"x86_64\", reference:\"openjdk11-debuginfo-11.0.7-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", cpu:\"x86_64\", reference:\"openjdk11-doc-11.0.7-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", cpu:\"x86_64\", reference:\"openjdk11-src-11.0.7-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk11\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-03T01:44:35", "description": "An update of the openjdk11 package has been released.", "edition": 2, "cvss3": {"score": 9.0, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-04-29T00:00:00", "title": "Photon OS 3.0: Openjdk11 
PHSA-2020-3.0-0084", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3157", "CVE-2019-2973", "CVE-2019-2992", "CVE-2018-3183", "CVE-2019-2818", "CVE-2019-2945", "CVE-2020-2830", "CVE-2020-2803", "CVE-2018-14048", "CVE-2018-3180", "CVE-2019-2762", "CVE-2020-2781", "CVE-2020-2755", "CVE-2018-2973", "CVE-2020-2800", "CVE-2019-2983", "CVE-2018-3136", "CVE-2020-2757", "CVE-2020-2816", "CVE-2019-2999", "CVE-2018-3150", "CVE-2019-2816", "CVE-2019-2962", "CVE-2018-3211", "CVE-2019-2964", "CVE-2020-2805", "CVE-2020-2590", "CVE-2019-2602", "CVE-2019-2745", "CVE-2019-2949", "CVE-2018-2964", "CVE-2018-2972", "CVE-2018-13785", "CVE-2020-2655", "CVE-2018-3139", "CVE-2020-2583", "CVE-2018-11212", "CVE-2019-2821", "CVE-2019-2426", "CVE-2020-2601", "CVE-2019-2958", "CVE-2019-2684", "CVE-2020-2773", "CVE-2019-2769", "CVE-2019-2894", "CVE-2019-2975", "CVE-2019-2988", "CVE-2018-2941", "CVE-2018-2940", "CVE-2019-2766", "CVE-2020-2593", "CVE-2018-3169", "CVE-2018-3149", "CVE-2020-2756", "CVE-2020-2778", "CVE-2019-2981", "CVE-2019-2786", "CVE-2019-2987", "CVE-2019-2977", "CVE-2019-2422", "CVE-2019-2989", "CVE-2019-2978", "CVE-2019-2933", "CVE-2020-2767", "CVE-2020-2654", "CVE-2018-2952", "CVE-2020-2754"], "modified": "2020-04-29T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openjdk11", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2020-3_0-0084_OPENJDK11.NASL", "href": "https://www.tenable.com/plugins/nessus/136100", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-3.0-0084. 
The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136100);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/01\");\n\n script_cve_id(\n \"CVE-2018-2940\",\n \"CVE-2018-2941\",\n \"CVE-2018-2952\",\n \"CVE-2018-2964\",\n \"CVE-2018-2972\",\n \"CVE-2018-2973\",\n \"CVE-2018-3136\",\n \"CVE-2018-3139\",\n \"CVE-2018-3149\",\n \"CVE-2018-3150\",\n \"CVE-2018-3157\",\n \"CVE-2018-3169\",\n \"CVE-2018-3180\",\n \"CVE-2018-3183\",\n \"CVE-2018-3211\",\n \"CVE-2018-11212\",\n \"CVE-2018-13785\",\n \"CVE-2018-14048\",\n \"CVE-2019-2422\",\n \"CVE-2019-2426\",\n \"CVE-2019-2602\",\n \"CVE-2019-2684\",\n \"CVE-2019-2745\",\n \"CVE-2019-2762\",\n \"CVE-2019-2766\",\n \"CVE-2019-2769\",\n \"CVE-2019-2786\",\n \"CVE-2019-2816\",\n \"CVE-2019-2818\",\n \"CVE-2019-2821\",\n \"CVE-2019-2894\",\n \"CVE-2019-2933\",\n \"CVE-2019-2945\",\n \"CVE-2019-2949\",\n \"CVE-2019-2958\",\n \"CVE-2019-2962\",\n \"CVE-2019-2964\",\n \"CVE-2019-2973\",\n \"CVE-2019-2975\",\n \"CVE-2019-2977\",\n \"CVE-2019-2978\",\n \"CVE-2019-2981\",\n \"CVE-2019-2983\",\n \"CVE-2019-2987\",\n \"CVE-2019-2988\",\n \"CVE-2019-2989\",\n \"CVE-2019-2992\",\n \"CVE-2019-2999\",\n \"CVE-2020-2583\",\n \"CVE-2020-2590\",\n \"CVE-2020-2593\",\n \"CVE-2020-2601\",\n \"CVE-2020-2654\",\n \"CVE-2020-2655\",\n \"CVE-2020-2754\",\n \"CVE-2020-2755\",\n \"CVE-2020-2756\",\n \"CVE-2020-2757\",\n \"CVE-2020-2767\",\n \"CVE-2020-2773\",\n \"CVE-2020-2778\",\n \"CVE-2020-2781\",\n \"CVE-2020-2800\",\n \"CVE-2020-2803\",\n \"CVE-2020-2805\",\n \"CVE-2020-2816\",\n \"CVE-2020-2830\"\n );\n script_bugtraq_id(\n 104765,\n 104768,\n 104773,\n 104775,\n 104780,\n 104782,\n 105587,\n 105591,\n 105595,\n 105597,\n 105599,\n 105601,\n 105602,\n 105608,\n 105617,\n 105622,\n 106583,\n 106590,\n 106596,\n 107918,\n 107922,\n 109184,\n 109185,\n 109186,\n 109187,\n 109188,\n 109189,\n 109201,\n 109210\n );\n\n 
script_name(english:\"Photon OS 3.0: Openjdk11 PHSA-2020-3.0-0084\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openjdk11 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-84.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-3183\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openjdk11\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 3.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-3.0\", cpu:\"x86_64\", reference:\"openjdk11-11.0.7-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", cpu:\"x86_64\", reference:\"openjdk11-debuginfo-11.0.7-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", cpu:\"x86_64\", reference:\"openjdk11-doc-11.0.7-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", cpu:\"x86_64\", reference:\"openjdk11-src-11.0.7-1.ph3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openjdk11\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:39", "bulletinFamily": "unix", "cvelist": ["CVE-2018-13785", "CVE-2018-3136", "CVE-2018-3139", "CVE-2018-3149", "CVE-2018-3169", "CVE-2018-3180", "CVE-2018-3183", "CVE-2018-3209", "CVE-2018-3211", "CVE-2018-3214"], "description": 
"Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 8 to version 8 Update 191.\n\nSecurity Fix(es):\n\n* OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169)\n\n* OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX) (CVE-2018-3209)\n\n* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149)\n\n* OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136)\n\n* OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139)\n\n* OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1 (Serviceability) (CVE-2018-3211)\n\n* OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214)\n\n* libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-10-25T00:57:52", "published": "2018-10-25T00:52:31", "id": "RHSA-2018:3002", "href": "https://access.redhat.com/errata/RHSA-2018:3002", "type": "redhat", "title": "(RHSA-2018:3002) Critical: java-1.8.0-oracle security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:38", "bulletinFamily": "unix", "cvelist": ["CVE-2018-13785", "CVE-2018-3136", "CVE-2018-3139", "CVE-2018-3149", "CVE-2018-3169", "CVE-2018-3180", "CVE-2018-3183", "CVE-2018-3209", "CVE-2018-3211", "CVE-2018-3214"], "description": "Oracle Java SE 
version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.\n\nThis update upgrades Oracle Java SE 8 to version 8 Update 191.\n\nSecurity Fix(es):\n\n* OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169)\n\n* OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX) (CVE-2018-3209)\n\n* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149)\n\n* OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136)\n\n* OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139)\n\n* OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180)\n\n* Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1 (Serviceability) (CVE-2018-3211)\n\n* OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214)\n\n* libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2018-10-25T00:57:51", "published": "2018-10-25T00:52:37", "id": "RHSA-2018:3003", "href": "https://access.redhat.com/errata/RHSA-2018:3003", "type": "redhat", "title": "(RHSA-2018:3003) Critical: java-1.8.0-oracle security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T11:46:56", "bulletinFamily": "info", "cvelist": ["CVE-2018-3157", "CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3136", "CVE-2018-3150", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2018-13785", "CVE-2018-3139", "CVE-2018-3169", "CVE-2018-3149"], 
"description": "### *Detect date*:\n10/16/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities were found in Oracle Java SE. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, cause denial of service, bypass security restrictions.\n\n### *Affected products*:\nJava SE 6u201 and earlier \nJava SE 7u191 and earlier \nJava SE 8u182 and earlier \nJava SE 11 and earlier \nJava SE Embedded 8u181 and earlier \nJRockit R28.3.19 and earlier\n\n### *Solution*:\nUpdate to the latest version \n[Oracle software downloads](<http://www.oracle.com/technetwork/indexes/downloads/index.html>)\n\n### *Original advisories*:\n[https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA](<Oracle Critical Patch Update Advisory - October 2018>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Oracle Java JRE 1.8.x](<https://threats.kaspersky.com/en/product/Oracle-Java-JRE-1.8.x/>)\n\n### *CVE-IDS*:\n[CVE-2018-3183](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3183>)9.0Critical \n[CVE-2018-3209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3209>)8.3Critical \n[CVE-2018-3169](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3169>)8.3Critical \n[CVE-2018-3149](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149>)8.3Critical \n[CVE-2018-3211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3211>)6.6High \n[CVE-2018-3180](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180>)5.6High \n[CVE-2018-3214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3214>)5.3High \n[CVE-2018-3157](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3157>)3.7Warning \n[CVE-2018-3150](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3150>)3.7Warning \n[CVE-2018-13785](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13785>)3.7Warning 
\n[CVE-2018-3136](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136>)3.4Warning \n[CVE-2018-3139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3139>)3.1Warning", "edition": 21, "modified": "2020-05-22T00:00:00", "published": "2018-10-16T00:00:00", "id": "KLA11340", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11340", "title": "KLA11340 Multiple vulnerabilities in Oracle Java SE", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2019-08-15T19:22:56", "bulletinFamily": "unix", "cvelist": ["CVE-2018-3157", "CVE-2018-3183", "CVE-2018-3180", "CVE-2018-3136", "CVE-2019-2697", "CVE-2018-3150", "CVE-2018-3214", "CVE-2018-3211", "CVE-2018-3209", "CVE-2019-2602", "CVE-2018-13785", "CVE-2018-3139", "CVE-2019-2698", "CVE-2019-2684", "CVE-2019-2699", "CVE-2018-3169", "CVE-2018-3149"], "description": "### Background\n\nJava Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today\u2019s demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today\u2019s applications require. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Oracle\u2019s JDK and JRE software suites. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK bin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jdk-bin-1.8.0.202:1.8\"\n \n\nAll Oracle JRE bin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jre-bin-1.8.0.202:1.8\"", "edition": 1, "modified": "2019-08-15T00:00:00", "published": "2019-08-15T00:00:00", "id": "GLSA-201908-10", "href": "https://security.gentoo.org/glsa/201908-10", "title": "Oracle JDK/JRE: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oracle": [{"lastseen": "2019-05-29T18:21:14", "bulletinFamily": "software", "cvelist": ["CVE-2018-3170", "CVE-2018-3157", "CVE-2018-3138", "CVE-2018-3254", "CVE-2017-5533", "CVE-2018-3204", "CVE-2018-3141", "CVE-2017-7407", "CVE-2015-9251", "CVE-2016-8620", "CVE-2017-9798", "CVE-2016-8623", "CVE-2018-1000120", "CVE-2016-5244", "CVE-2018-0732", "CVE-2018-3183", "CVE-2015-0235", "CVE-2016-5420", "CVE-2018-3274", "CVE-2018-3271", "CVE-2018-1304", "CVE-2018-3297", "CVE-2018-3130", "CVE-2016-9840", "CVE-2018-3184", "CVE-2018-3227", "CVE-2018-3231", "CVE-2016-8615", "CVE-2016-8616", "CVE-2018-3188", "CVE-2018-3137", "CVE-2018-3174", "CVE-2018-3203", "CVE-2018-3154", "CVE-2016-5019", "CVE-2016-8619", "CVE-2015-3236", "CVE-2018-3189", "CVE-2018-1275", "CVE-2018-14048", "CVE-2018-3301", "CVE-2018-3294", "CVE-2018-3129", "CVE-2018-7489", "CVE-2018-3287", "CVE-2018-3180", "CVE-2018-3257", "CVE-2018-3280", "CVE-2018-3293", "CVE-2018-3247", "CVE-2018-3239", "CVE-2018-2911", "CVE-2018-3270", "CVE-2018-3249", "CVE-2018-3259", "CVE-2018-3167", "CVE-2018-3236", "CVE-2018-3292", "CVE-2017-3735", "CVE-2018-2912", "CVE-2018-3175", "CVE-2018-3250", "CVE-2014-0014", "CVE-2018-3299", 
"CVE-2018-1271", "CVE-2016-5080", "CVE-2018-3256", "CVE-2018-3136", "CVE-2018-3246", "CVE-2018-3152", "CVE-2016-8618", "CVE-2018-1000121", "CVE-2018-3285", "CVE-2018-3115", "CVE-2018-3263", "CVE-2018-11039", "CVE-2018-3282", "CVE-2018-3218", "CVE-2018-3150", "CVE-2018-3145", "CVE-2018-3132", "CVE-2018-3190", "CVE-2016-7141", "CVE-2018-3220", "CVE-2018-11307", "CVE-2018-3133", "CVE-2018-2889", "CVE-2018-3128", "CVE-2018-3214", "CVE-2018-3182", "CVE-2018-3211", "CVE-2018-3210", "CVE-2016-0729", "CVE-2018-3233", "CVE-2018-3209", "CVE-2018-3131", "CVE-2018-3302", "CVE-2016-0635", "CVE-2016-0755", "CVE-2016-2107", "CVE-2018-3267", "CVE-2018-3261", "CVE-2015-7501", "CVE-2018-3219", "CVE-2018-3291", "CVE-2018-3244", "CVE-2018-3265", "CVE-2018-3266", "CVE-2018-3193", "CVE-2018-3144", "CVE-2018-3206", "CVE-2018-3298", "CVE-2016-8617", "CVE-2016-9842", "CVE-2018-12022", "CVE-2018-3212", "CVE-2018-8014", "CVE-2016-1182", "CVE-2015-3153", "CVE-2018-1258", "CVE-2018-3234", "CVE-2018-3255", "CVE-2018-3226", "CVE-2018-1000122", "CVE-2018-3173", "CVE-2018-3215", "CVE-2018-3248", "CVE-2018-1305", "CVE-2018-3187", "CVE-2018-3276", "CVE-2018-3156", "CVE-2018-3241", "CVE-2018-3228", "CVE-2018-11776", "CVE-2018-3122", "CVE-2018-13785", "CVE-2018-3011", "CVE-2018-3139", "CVE-2017-7805", "CVE-2018-3223", "CVE-2018-3205", "CVE-2018-3230", "CVE-2018-1257", "CVE-2018-3213", "CVE-2017-5715", "CVE-2018-3161", "CVE-2018-3290", "CVE-2018-3201", "CVE-2018-1000300", "CVE-2018-3251", "CVE-2018-3225", "CVE-2018-2902", "CVE-2018-3163", "CVE-2015-3144", "CVE-2018-2887", "CVE-2014-0114", "CVE-2018-3179", "CVE-2018-3262", "CVE-2018-3237", "CVE-2018-0739", "CVE-2018-3222", "CVE-2018-3155", "CVE-2015-0252", "CVE-2018-3253", "CVE-2018-3126", "CVE-2018-8034", "CVE-2018-3127", "CVE-2018-3221", "CVE-2018-3059", "CVE-2015-3237", "CVE-2018-3279", "CVE-2018-3151", "CVE-2018-2909", "CVE-2018-3245", "CVE-2018-3252", "CVE-2018-3284", "CVE-2018-8013", "CVE-2018-3235", "CVE-2016-8622", "CVE-2018-3275", 
"CVE-2015-7990", "CVE-2018-3162", "CVE-2018-3197", "CVE-2018-1272", "CVE-2018-3278", "CVE-2018-3186", "CVE-2017-7525", "CVE-2018-3159", "CVE-2018-3171", "CVE-2018-3296", "CVE-2018-3194", "CVE-2018-3217", "CVE-2018-3273", "CVE-2018-3178", "CVE-2018-3147", "CVE-2018-3288", "CVE-2018-1270", "CVE-2014-7817", "CVE-2018-3191", "CVE-2018-18224", "CVE-2012-1007", "CVE-2018-3143", "CVE-2016-8624", "CVE-2018-0733", "CVE-2016-1181", "CVE-2018-3281", "CVE-2018-2971", "CVE-2016-3739", "CVE-2018-3146", "CVE-2016-9843", "CVE-2018-3277", "CVE-2018-3208", "CVE-2017-14735", "CVE-2015-3145", "CVE-2017-3738", "CVE-2018-3172", "CVE-2018-3164", "CVE-2018-3176", "CVE-2018-3169", "CVE-2018-3160", "CVE-2018-3149", "CVE-2014-3490", "CVE-2018-3185", "CVE-2018-3232", "CVE-2018-3264", "CVE-2018-8037", "CVE-2018-3258", "CVE-2017-5645", "CVE-2016-5421", "CVE-2016-9586", "CVE-2018-3272", "CVE-2018-3142", "CVE-2018-3295", "CVE-2018-2914", "CVE-2018-3192", "CVE-2018-3153", "CVE-2018-3283", "CVE-2017-5529", "CVE-2018-3269", "CVE-2016-9841", "CVE-2018-3196", "CVE-2016-4000", "CVE-2018-3289", "CVE-2018-3229", "CVE-2017-3736", "CVE-2018-3286", "CVE-2018-3177", "CVE-2018-3243", "CVE-2018-3242", "CVE-2018-3148", "CVE-2018-3181", "CVE-2018-18223", "CVE-2018-0737", "CVE-2018-3268", "CVE-2018-3200", "CVE-2016-5419", "CVE-2018-3195", "CVE-2017-15095", "CVE-2016-7167", "CVE-2018-11040", "CVE-2018-3198", "CVE-2018-3166", "CVE-2016-6814", "CVE-2018-3202", "CVE-2016-1000031", "CVE-2018-3158", "CVE-2018-1000301", "CVE-2018-3238", "CVE-2018-3134", "CVE-2018-12023", "CVE-2018-3224", "CVE-2018-3165", "CVE-2016-8621", "CVE-2018-3135", "CVE-2018-3168", "CVE-2015-6937", "CVE-2018-2922", "CVE-2018-3140", "CVE-2018-2913", "CVE-2018-3207"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. 
Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/securityalerts>) for information about Oracle Security Advisories.\n\n \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 301 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2456979.1>).\n", "modified": "2018-10-16T00:00:00", "published": "2018-12-18T00:00:00", "id": "ORACLE:CPUOCT2018-4428296", "href": "", "type": "oracle", "title": "CPU Oct 2018", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-04T21:15:56", "bulletinFamily": "software", "cvelist": ["CVE-2012-1007", "CVE-2014-0014", "CVE-2014-0114", "CVE-2014-3490", "CVE-2014-7817", "CVE-2015-0235", "CVE-2015-0252", "CVE-2015-3144", "CVE-2015-3145", "CVE-2015-3153", "CVE-2015-3236", "CVE-2015-3237", "CVE-2015-6937", "CVE-2015-7501", "CVE-2015-7990", "CVE-2015-9251", "CVE-2016-0635", "CVE-2016-0729", "CVE-2016-0755", "CVE-2016-1000031", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2107", "CVE-2016-3739", "CVE-2016-4000", "CVE-2016-5019", "CVE-2016-5080", "CVE-2016-5244", "CVE-2016-5419", "CVE-2016-5420", "CVE-2016-5421", "CVE-2016-6814", 
"CVE-2016-7141", "CVE-2016-7167", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8620", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-9586", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-14735", "CVE-2017-15095", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3738", "CVE-2017-5529", "CVE-2017-5533", "CVE-2017-5645", "CVE-2017-5715", "CVE-2017-7407", "CVE-2017-7525", "CVE-2017-7805", "CVE-2017-9798", "CVE-2018-0732", "CVE-2018-0733", "CVE-2018-0737", "CVE-2018-0739", "CVE-2018-1000120", "CVE-2018-1000121", "CVE-2018-1000122", "CVE-2018-1000300", "CVE-2018-1000301", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-11307", "CVE-2018-11776", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1257", "CVE-2018-1258", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-1304", "CVE-2018-1305", "CVE-2018-13785", "CVE-2018-14048", "CVE-2018-18223", "CVE-2018-18224", "CVE-2018-2887", "CVE-2018-2889", "CVE-2018-2902", "CVE-2018-2909", "CVE-2018-2911", "CVE-2018-2912", "CVE-2018-2913", "CVE-2018-2914", "CVE-2018-2922", "CVE-2018-2971", "CVE-2018-3011", "CVE-2018-3059", "CVE-2018-3115", "CVE-2018-3122", "CVE-2018-3126", "CVE-2018-3127", "CVE-2018-3128", "CVE-2018-3129", "CVE-2018-3130", "CVE-2018-3131", "CVE-2018-3132", "CVE-2018-3133", "CVE-2018-3134", "CVE-2018-3135", "CVE-2018-3136", "CVE-2018-3137", "CVE-2018-3138", "CVE-2018-3139", "CVE-2018-3140", "CVE-2018-3141", "CVE-2018-3142", "CVE-2018-3143", "CVE-2018-3144", "CVE-2018-3145", "CVE-2018-3146", "CVE-2018-3147", "CVE-2018-3148", "CVE-2018-3149", "CVE-2018-3150", "CVE-2018-3151", "CVE-2018-3152", "CVE-2018-3153", "CVE-2018-3154", "CVE-2018-3155", "CVE-2018-3156", "CVE-2018-3157", "CVE-2018-3158", "CVE-2018-3159", "CVE-2018-3160", "CVE-2018-3161", "CVE-2018-3162", "CVE-2018-3163", "CVE-2018-3164", "CVE-2018-3165", "CVE-2018-3166", "CVE-2018-3167", "CVE-2018-3168", "CVE-2018-3169", "CVE-2018-3170", 
"CVE-2018-3171", "CVE-2018-3172", "CVE-2018-3173", "CVE-2018-3174", "CVE-2018-3175", "CVE-2018-3176", "CVE-2018-3177", "CVE-2018-3178", "CVE-2018-3179", "CVE-2018-3180", "CVE-2018-3181", "CVE-2018-3182", "CVE-2018-3183", "CVE-2018-3184", "CVE-2018-3185", "CVE-2018-3186", "CVE-2018-3187", "CVE-2018-3188", "CVE-2018-3189", "CVE-2018-3190", "CVE-2018-3191", "CVE-2018-3192", "CVE-2018-3193", "CVE-2018-3194", "CVE-2018-3195", "CVE-2018-3196", "CVE-2018-3197", "CVE-2018-3198", "CVE-2018-3200", "CVE-2018-3201", "CVE-2018-3202", "CVE-2018-3203", "CVE-2018-3204", "CVE-2018-3205", "CVE-2018-3206", "CVE-2018-3207", "CVE-2018-3208", "CVE-2018-3209", "CVE-2018-3210", "CVE-2018-3211", "CVE-2018-3212", "CVE-2018-3213", "CVE-2018-3214", "CVE-2018-3215", "CVE-2018-3217", "CVE-2018-3218", "CVE-2018-3219", "CVE-2018-3220", "CVE-2018-3221", "CVE-2018-3222", "CVE-2018-3223", "CVE-2018-3224", "CVE-2018-3225", "CVE-2018-3226", "CVE-2018-3227", "CVE-2018-3228", "CVE-2018-3229", "CVE-2018-3230", "CVE-2018-3231", "CVE-2018-3232", "CVE-2018-3233", "CVE-2018-3234", "CVE-2018-3235", "CVE-2018-3236", "CVE-2018-3237", "CVE-2018-3238", "CVE-2018-3239", "CVE-2018-3241", "CVE-2018-3242", "CVE-2018-3243", "CVE-2018-3244", "CVE-2018-3245", "CVE-2018-3246", "CVE-2018-3247", "CVE-2018-3248", "CVE-2018-3249", "CVE-2018-3250", "CVE-2018-3251", "CVE-2018-3252", "CVE-2018-3253", "CVE-2018-3254", "CVE-2018-3255", "CVE-2018-3256", "CVE-2018-3257", "CVE-2018-3258", "CVE-2018-3259", "CVE-2018-3261", "CVE-2018-3262", "CVE-2018-3263", "CVE-2018-3264", "CVE-2018-3265", "CVE-2018-3266", "CVE-2018-3267", "CVE-2018-3268", "CVE-2018-3269", "CVE-2018-3270", "CVE-2018-3271", "CVE-2018-3272", "CVE-2018-3273", "CVE-2018-3274", "CVE-2018-3275", "CVE-2018-3276", "CVE-2018-3277", "CVE-2018-3278", "CVE-2018-3279", "CVE-2018-3280", "CVE-2018-3281", "CVE-2018-3282", "CVE-2018-3283", "CVE-2018-3284", "CVE-2018-3285", "CVE-2018-3286", "CVE-2018-3287", "CVE-2018-3288", "CVE-2018-3289", "CVE-2018-3290", "CVE-2018-3291", 
"CVE-2018-3292", "CVE-2018-3293", "CVE-2018-3294", "CVE-2018-3295", "CVE-2018-3296", "CVE-2018-3297", "CVE-2018-3298", "CVE-2018-3299", "CVE-2018-3301", "CVE-2018-3302", "CVE-2018-7489", "CVE-2018-8013", "CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/securityalerts>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 301 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/epmos/faces/DocumentDisplay?id=2456979.1>).\n", "modified": "2018-10-16T00:00:00", "published": "2018-12-18T00:00:00", "id": "ORACLE:CPUOCT2018", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - October 2018", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}