ID CVE-2014-0428
Summary Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to "insufficient security checks in IIOP streams," which allows attackers to escape the sandbox.
References
Vulnerable Configurations
  • Oracle JDK 1.6.0 Update 65
    cpe:2.3:a:oracle:jdk:1.6.0:update_65
  • Oracle JRE 1.6.0 Update 65
    cpe:2.3:a:oracle:jre:1.6.0:update_65
  • Oracle JDK 1.5.0 Update 55
    cpe:2.3:a:oracle:jdk:1.5.0:update_55
  • Oracle JRE 1.5.0 Update 55
    cpe:2.3:a:oracle:jre:1.5.0:update_55
  • Oracle JDK 1.7.0 Update 45
    cpe:2.3:a:oracle:jdk:1.7.0:update_45
  • Oracle JRE 1.7.0 Update 45
    cpe:2.3:a:oracle:jre:1.7.0:update_45
CVSS
Base: 10.0 (as of 17-11-2016 - 09:36)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201401-30.NASL
    description The remote host is affected by the vulnerability described in GLSA-201401-30 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below for details. Impact : An unauthenticated, remote attacker could exploit these vulnerabilities to execute arbitrary code. Furthermore, a local or remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-03
    plugin id 72139
    published 2014-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72139
    title GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL17381.NASL
    description Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 86358
    published 2015-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86358
    title F5 Networks BIG-IP : OpenJDK vulnerability (SOL17381)
  • NASL family Windows
    NASL id LOTUS_NOTES_9_0_1_FP1.NASL
    description The remote host has a version of IBM Notes (formerly Lotus Notes) 8.0.x / 8.5.x / 9.0.x that is bundled with an IBM Java version prior to 1.6 SR15 FP1. It is, therefore, affected by the vulnerabilities mentioned in the Oracle Java Critical Patch Update advisories for October 2013 and January 2014.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 73970
    published 2014-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73970
    title IBM Notes 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_7_0-IBM-140206.NASL
    description This update contains the Oracle January 14 2014 CPU for java-1_7_0-ibm. Find more information at: http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_January_14_2 014_CPU
    last seen 2019-02-21
    modified 2014-04-20
    plugin id 72555
    published 2014-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72555
    title SuSE 11.3 Security Update : IBM Java (SAT Patch Number 8878)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2089-1.NASL
    description Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-3829, CVE-2013-5783, CVE-2013-5804, CVE-2014-0411) Several vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2013-4002, CVE-2013-5803, CVE-2013-5823, CVE-2013-5825, CVE-2013-5896, CVE-2013-5910) Several vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2013-5772, CVE-2013-5774, CVE-2013-5784, CVE-2013-5797, CVE-2013-5820, CVE-2014-0376, CVE-2014-0416) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-5778, CVE-2013-5780, CVE-2013-5790, CVE-2013-5800, CVE-2013-5840, CVE-2013-5849, CVE-2013-5851, CVE-2013-5884, CVE-2014-0368) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-5782, CVE-2013-5802, CVE-2013-5809, CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5830, CVE-2013-5842, CVE-2013-5850, CVE-2013-5878, CVE-2013-5893, CVE-2013-5907, CVE-2014-0373, CVE-2014-0408, CVE-2014-0422, CVE-2014-0428) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and availability. An attacker could exploit this to expose sensitive data over the network or cause a denial of service. (CVE-2014-0423). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 72117
    published 2014-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72117
    title Ubuntu 12.10 / 13.04 / 13.10 : openjdk-7 vulnerabilities (USN-2089-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-283.NASL
    description An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428 , CVE-2014-0422) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373 , CVE-2013-5878 , CVE-2013-5910 , CVE-2013-5896 , CVE-2013-5884 , CVE-2014-0416 , CVE-2014-0376 , CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys. (CVE-2014-0411)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 72301
    published 2014-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72301
    title Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2014-283)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_6_0-IBM-140213.NASL
    description IBM Java 6 was updated to version SR15-FP1 which received security and bug fixes. More information at: http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_January_14_2 014_CPU
    last seen 2019-02-21
    modified 2014-04-20
    plugin id 72681
    published 2014-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72681
    title SuSE 11.3 Security Update : IBM Java 6 (SAT Patch Number 8896)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_7_0-IBM-140515.NASL
    description IBM Java 7 was updated to version SR7, which received security and bug fixes. More information is available at: http://www.ibm.com/developerworks/java/jdk/aix/j764/Java7_64.fixes.htm l#SR7
    last seen 2019-02-21
    modified 2015-01-28
    plugin id 74254
    published 2014-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74254
    title SuSE 11.3 Security Update : IBM Java 7 (SAT Patch Number 9263)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0414.NASL
    description Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. [Updated 12th May 2014] The package list in this erratum has been updated to make the packages available in the Oracle Java for Red Hat Enterprise Linux 6 Workstation x86_64 channels on the Red Hat Network. Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory pages, listed in the References section. (CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2461, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5852, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 75 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 79011
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79011
    title RHEL 5 / 6 : java-1.6.0-sun (RHSA-2014:0414)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0982.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Network Satellite Server 5.4, 5.5, and 5.6. The Red Hat Security Response Team has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Network Satellite Server 5.4, 5.5, and 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0457, CVE-2014-0458, CVE-2014-0460, CVE-2014-0461, CVE-2014-0878, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) Users of Red Hat Network Satellite Server 5.4, 5.5, and 5.6 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16 release. For this update to take effect, Red Hat Network Satellite Server must be restarted ('/usr/sbin/rhn-satellite restart'), as well as all running instances of IBM Java.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 79039
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79039
    title RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2014:0982)
  • NASL family AIX Local Security Checks
    NASL id AIX_JAVA_JAN2014_ADVISORY.NASL
    description The version of Java SDK installed on the remote host is potentially affected by the following vulnerabilities : - Vulnerabilities in Oracle Java allow a remote attacker to bypass security features through flaws in XML document parsing. (CVE-2013-5878, CVE-2013-5910) - An information disclosure flaw in Oracle Java allows a remote attacker access to sensitive information through a flaw in the COBRA component. (CVE-2013-5884) - A vulnerability in Oracle Java allows a remote attacker to conduct a denial of service attack through a flaw in the Deployment component. (CVE-2013-5887) - Unspecified vulnerabilities exist in Oracle Java due to flaws in the Deployment component. (CVE-2013-5888, CVE-2013-5898, CVE-2013-5899, CVE-2014-0375, CVE-2014-0403, CVE-2014-0424) - Vulnerabilities in Oracle Java allow remote code execution through a flaw in the Deployment component. (CVE-2013-5889, CVE-2014-0387, CVE-2014-0410, CVE-2014-0415) - A vulnerability in Oracle Java allows a remote attacker to conduct a denial of service attack through a flaw in the COBRA component. (CVE-2013-5896) - A vulnerability in Oracle Java allows remote code execution through a flaw in the 2D component. (CVE-2013-5907) - An information disclosure and security bypass flaw exist in Oracle Java's Networking component. (CVE-2014-0368) - A vulnerability in Oracle Java allows a remote attacker to bypass security features through flaws in the Serviceability component. (CVE-2014-0373) - A vulnerability in Oracle Java allows a remote attacker to bypass security features through flaws in the JAXP component. (CVE-2014-0376) - An information disclosure flaw in Oracle Java allows a remote attacker access to information about encryption keys through a flaw in the JSSE component. (CVE-2014-0411) - A vulnerability in Oracle Java allows a remote attacker to bypass security features through flaws in the JAAS component. (CVE-2014-0416) - An unspecified vulnerability exists in Oracle Java due to flaws in the 2D component. (CVE-2014-0417) - A vulnerability in Oracle Java allows remote code execution through a flaw in the JNDI component. (CVE-2014-0422) - An information disclosure and denial of service flaw exist in Oracle Java's Beans component when XML data is read. (CVE-2014-0423) - A vulnerability in Oracle Java allows remote code execution through a flaw in the COBRA component. (CVE-2014-0428)
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 76871
    published 2014-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76871
    title AIX Java Advisory : java_jan2014_advisory.asc
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0026.NASL
    description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) Note: The java-1.7.0-openjdk package shipped with Red Hat Enterprise Linux 6.5 via RHBA-2013:1611 replaced 'java7' with 'java' in the provides list. This update re-adds 'java7' to the provides list to maintain backwards compatibility with releases prior to Red Hat Enterprise Linux 6.5. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71978
    published 2014-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71978
    title CentOS 6 : java-1.7.0-openjdk (CESA-2014:0026)
  • NASL family Misc.
    NASL id ORACLE_JAVA_CPU_JAN_2014_UNIX.NASL
    description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 51, 6 Update 71, or 5 Update 61. It is, therefore, potentially affected by security issues in the following components : - 2D - Beans - CORBA - Deployment - Hotspot - Install - JAAS - JavaFX - JAXP - JNDI - JSSE - Libraries - Networking - Security - Serviceability
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 71967
    published 2014-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71967
    title Oracle Java SE Multiple Vulnerabilities (January 2014 CPU) (Unix)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_6_0-IBM-140514.NASL
    description BM Java 6 was updated to version 6 SR16 to fix several security issues and various other bugs. More information can be found at: http://www.ibm.com/developerworks/java/jdk/alerts/
    last seen 2019-02-21
    modified 2015-01-28
    plugin id 74284
    published 2014-06-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74284
    title SuSE 11.3 Security Update : IBM Java 6 (SAT Patch Number 9256)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0134.NASL
    description Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428) All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR6-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 72319
    published 2014-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72319
    title RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2014:0134)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0135.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR15-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 72320
    published 2014-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72320
    title RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2014:0135)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0030.NASL
    description Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0382, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428) All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 51 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-26
    plugin id 71987
    published 2014-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71987
    title RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2014:0030)
  • NASL family Windows
    NASL id LOTUS_DOMINO_9_0_1_FP1.NASL
    description The remote host has a version of IBM Domino (formerly Lotus Domino) 8.0.x / 8.5.x / 9.0.x that is bundled with an IBM Java version prior to 1.6 SR15 FP1. It is, therefore, affected by the vulnerabilities mentioned in the Oracle Java Critical Patch Update advisories for October 2013 and January 2014.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 73969
    published 2014-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73969
    title IBM Domino 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities (credentialed check)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140127_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL
    description An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys. (CVE-2014-0411) All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 72162
    published 2014-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72162
    title Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x i386/x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-280.NASL
    description An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428 , CVE-2014-0422 , CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373 , CVE-2013-5878 , CVE-2013-5910 , CVE-2013-5896 , CVE-2013-5884 , CVE-2014-0416 , CVE-2014-0376 , CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 72298
    published 2014-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72298
    title Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2014-280)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2124-1.NASL
    description A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-0411) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422, CVE-2014-0428) Two vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-5884, CVE-2014-0368) Two vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2013-5896, CVE-2013-5910) Two vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2014-0376, CVE-2014-0416) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and availability. An attacker could exploit this to expose sensitive data over the network or cause a denial of service. (CVE-2014-0423) In addition to the above, USN-2033-1 fixed several vulnerabilities and bugs in OpenJDK 6. This update introduced a regression which caused an exception condition in javax.xml when instantiating encryption algorithms. This update fixes the problem. We apologize for the inconvenience. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 72740
    published 2014-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72740
    title Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2124-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0097.NASL
    description Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys. (CVE-2014-0411) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 72161
    published 2014-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72161
    title RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2014:0097)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140115_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL
    description An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) Note: The java-1.7.0-openjdk package shipped with Scientific Linux 6.5 via SLBA-2013:1611 replaced 'java7' with 'java' in the provides list. This update re-adds 'java7' to the provides list to maintain backwards compatibility with releases prior to Scientific Linux 6.5. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 71989
    published 2014-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71989
    title Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-011.NASL
    description Multiple vulnerabilities has been discovered and corrected in java-1.7.0-openjdk : An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions (CVE-2013-5907). Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893). Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368). It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability (CVE-2014-0423). It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys (CVE-2014-0411). The updated packages provides a solution for these security issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 72055
    published 2014-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72055
    title Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2014:011)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0097.NASL
    description From Red Hat Security Advisory 2014:0097 : Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys. (CVE-2014-0411) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 72160
    published 2014-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72160
    title Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2014-0097)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-96.NASL
    description - Fix a file conflict between -devel and -headless package - Update to 2.4.4 (bnc#858818) - changed from xz to gzipped tarball as the first was not available during update - changed a keyring file due release manager change new one is signed by 66484681 from omajid@redhat.com, see http://mail.openjdk.java.net/pipermail/distro-pkg-dev/20 14-January/025800.html - Security fixes - S6727821: Enhance JAAS Configuration - S7068126, CVE-2014-0373: Enhance SNMP statuses - S8010935: Better XML handling - S8011786, CVE-2014-0368: Better applet networking - S8021257, S8025022, CVE-2013-5896 : com.sun.corba.se.** should be on restricted package list - S8021271, S8021266, CVE-2014-0408: Better buffering in ObjC code - S8022904: Enhance JDBC Parsers - S8022927: Input validation for byte/endian conversions - S8022935: Enhance Apache resolver classes - S8022945: Enhance JNDI implementation classes - S8023057: Enhance start up image display - S8023069, CVE-2014-0411: Enhance TLS connections - S8023245, CVE-2014-0423: Enhance Beans decoding - S8023301: Enhance generic classes - S8023338: Update jarsigner to encourage timestamping - S8023672: Enhance jar file validation - S8024302: Clarify jar verifications - S8024306, CVE-2014-0416: Enhance Subject consistency - S8024530: Enhance font process resilience - S8024867: Enhance logging start up - S8025014: Enhance Security Policy - S8025018, CVE-2014-0376: Enhance JAX-P set up - S8025026, CVE-2013-5878: Enhance canonicalization - S8025034, CVE-2013-5907: Improve layout lookups - S8025448: Enhance listening events - S8025758, CVE-2014-0422: Enhance Naming management - S8025767, CVE-2014-0428: Enhance IIOP Streams - S8026172: Enhance UI Management - S8026176: Enhance document printing - S8026193, CVE-2013-5884: Enhance CORBA stub factories - S8026204: Enhance auth login contexts - S8026417, CVE-2013-5910: Enhance XML canonicalization - S8026502: java/lang/invoke/MethodHandleConstants.java fails on all platforms - S8027201, CVE-2014-0376: Enhance JAX-P set up - S8029507, CVE-2013-5893: Enhance JVM method processing - S8029533: REGRESSION: closed/java/lang/invoke/8008140/Test8008140.java fails against - Backports - S8025255: (tz) Support tzdata2013g - S8026826: JDK 7 fix for 8010935 broke the build - Bug fixes - PR1618: Include defs.make in vm.make so VM_LITTLE_ENDIAN is defined on Zero builds - D729448: 32-bit alignment on mips and mipsel - PR1623: Collision between OpenJDK 6 & 7 classes when bootstrapping with OpenJDK 6 - Add update.py, helper script to download openjdk tarballs from hg repo - Buildrequire quilt unconditionally as it's used unconditionally. - Really disable tests on non-JIT architectures. (from Ulrich Weigand) - Add headless subpackage wich does not require X and pulse/alsa - Add accessibility to extra subpackage, which requires new java-atk-wrapper package - removed java-1.7.0-openjdk-java-access-bridge-idlj.patch - removed java-1.7.0-openjdk-java-access-bridge-tck.patch - removed java-access-bridge-1.26.2.tar.bz2 - Refreshed - java-1.7.0-openjdk-java-access-bridge-security.patch - Add a support for running tests using --with tests - this is ignored on non-jit architectures - Prefer global over define as bcond_with does use them - Forward declare aarch64 arch macro - Define archbuild/archinstall macros for arm and aarch64 - remove a few ifarch conditions by using those macros in filelist - Need ecj-bootstrap in bootstrap mode (noted by mmatz) - Don't install vim and quilt in bootstrap mode - A few enhancenments of bootstrap mode - usable wia --with bootstrap - disable docs, javadoc package - fix configure arguments on bootstrap - Add the unversioned SDK directory link to the files list of -devel package (fixes update-alternatives from %post). - Add support for bootstrapping with just gcj (using included ecj directly). Increase stacksize for powerpc (amends java-1.7.0-openjdk-ppc-zero-jdk.patch). Add support for ppc64le. - fix stackoverflow for powerpc (java-1_7_0-openjdk-ppc-stackoverflow.patch)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75414
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75414
    title openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2014:0180-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-95.NASL
    description - Fix a file conflict between -devel and -headless package - Update to 2.4.4 (bnc#858818) - changed from xz to gzipped tarball as the first was not available during update - changed a keyring file due release manager change new one is signed by 66484681 from omajid@redhat.com, see http://mail.openjdk.java.net/pipermail/distro-pkg-dev/20 14-January/025800.html - Security fixes - S6727821: Enhance JAAS Configuration - S7068126, CVE-2014-0373: Enhance SNMP statuses - S8010935: Better XML handling - S8011786, CVE-2014-0368: Better applet networking - S8021257, S8025022, CVE-2013-5896 : com.sun.corba.se.** should be on restricted package list - S8021271, S8021266, CVE-2014-0408: Better buffering in ObjC code - S8022904: Enhance JDBC Parsers - S8022927: Input validation for byte/endian conversions - S8022935: Enhance Apache resolver classes - S8022945: Enhance JNDI implementation classes - S8023057: Enhance start up image display - S8023069, CVE-2014-0411: Enhance TLS connections - S8023245, CVE-2014-0423: Enhance Beans decoding - S8023301: Enhance generic classes - S8023338: Update jarsigner to encourage timestamping - S8023672: Enhance jar file validation - S8024302: Clarify jar verifications - S8024306, CVE-2014-0416: Enhance Subject consistency - S8024530: Enhance font process resilience - S8024867: Enhance logging start up - S8025014: Enhance Security Policy - S8025018, CVE-2014-0376: Enhance JAX-P set up - S8025026, CVE-2013-5878: Enhance canonicalization - S8025034, CVE-2013-5907: Improve layout lookups - S8025448: Enhance listening events - S8025758, CVE-2014-0422: Enhance Naming management - S8025767, CVE-2014-0428: Enhance IIOP Streams - S8026172: Enhance UI Management - S8026176: Enhance document printing - S8026193, CVE-2013-5884: Enhance CORBA stub factories - S8026204: Enhance auth login contexts - S8026417, CVE-2013-5910: Enhance XML canonicalization - S8026502: java/lang/invoke/MethodHandleConstants.java fails on all platforms - S8027201, CVE-2014-0376: Enhance JAX-P set up - S8029507, CVE-2013-5893: Enhance JVM method processing - S8029533: REGRESSION: closed/java/lang/invoke/8008140/Test8008140.java fails against - Backports - S8025255: (tz) Support tzdata2013g - S8026826: JDK 7 fix for 8010935 broke the build - Bug fixes - PR1618: Include defs.make in vm.make so VM_LITTLE_ENDIAN is defined on Zero builds - D729448: 32-bit alignment on mips and mipsel - PR1623: Collision between OpenJDK 6 & 7 classes when bootstrapping with OpenJDK 6 - Add update.py, helper script to download openjdk tarballs from hg repo - Buildrequire quilt unconditionally as it's used unconditionally. - Really disable tests on non-JIT architectures. (from Ulrich Weigand) - Add headless subpackage wich does not require X and pulse/alsa - Add accessibility to extra subpackage, which requires new java-atk-wrapper package - removed java-1.7.0-openjdk-java-access-bridge-idlj.patch - removed java-1.7.0-openjdk-java-access-bridge-tck.patch - removed java-access-bridge-1.26.2.tar.bz2 - Refreshed - java-1.7.0-openjdk-java-access-bridge-security.patch - Add a support for running tests using --with tests - this is ignored on non-jit architectures - Prefer global over define as bcond_with does use them - Forward declare aarch64 arch macro - Define archbuild/archinstall macros for arm and aarch64 - remove a few ifarch conditions by using those macros in filelist - Need ecj-bootstrap in bootstrap mode (noted by mmatz) - Don't install vim and quilt in bootstrap mode - A few enhancenments of bootstrap mode - usable wia --with bootstrap - disable docs, javadoc package - fix configure arguments on bootstrap - Add the unversioned SDK directory link to the files list of -devel package (fixes update-alternatives from %post). - Add support for bootstrapping with just gcj (using included ecj directly). Increase stacksize for powerpc (amends java-1.7.0-openjdk-ppc-zero-jdk.patch). Add support for ppc64le. - fix stackoverflow for powerpc (java-1_7_0-openjdk-ppc-stackoverflow.patch)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75413
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75413
    title openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2014:0174-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2124-2.NASL
    description USN-2124-1 fixed vulnerabilities in OpenJDK 6. Due to an upstream regression, memory was not properly zeroed under certain circumstances which could lead to instability. This update fixes the problem. We apologize for the inconvenience. A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-0411) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422, CVE-2014-0428) Two vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-5884, CVE-2014-0368) Two vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2013-5896, CVE-2013-5910) Two vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2014-0376, CVE-2014-0416) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and availability. An attacker could exploit this to expose sensitive data over the network or cause a denial of service. (CVE-2014-0423) In addition to the above, USN-2033-1 fixed several vulnerabilities and bugs in OpenJDK 6. This update introduced a regression which caused an exception condition in javax.xml when instantiating encryption algorithms. This update fixes the problem. We apologize for the inconvenience. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 73398
    published 2014-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73398
    title Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 regression (USN-2124-2)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0705.NASL
    description Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 7 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428) All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR1 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 76900
    published 2014-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76900
    title RHEL 7 : java-1.7.1-ibm (RHSA-2014:0705)
  • NASL family Misc.
    NASL id DOMINO_9_0_1_FP1.NASL
    description According to its version, the IBM Domino (formerly IBM Lotus Domino) on the remote host is 9.x prior to 9.0.1 Fix Pack 1 (FP1). It is, therefore, affected by the following vulnerabilities : - A stack overflow issue exists due to the insecure '-z execstack' flag being used during compilation, which could aid remote attackers in executing arbitrary code. Note that this issue only affects installs on 32-bit hosts running Linux. (CVE-2014-0892) - Note that the fixes in the Oracle Java CPUs for October 2013 and January 2014 are included in the fixed IBM Java release, which is included in the fixed IBM Domino release. (CVE-2013-0408, CVE-2013-3829, CVE-2013-4002, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5456, CVE-2013-5457, CVE-2013-5458, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5893, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0892)
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 73968
    published 2014-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73968
    title IBM Domino 9.x < 9.0.1 Fix Pack 1 Multiple Vulnerabilities (uncredentialed check)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0136.NASL
    description Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-5907, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416, CVE-2014-0417, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP5 release. All running instances of IBM Java must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 72321
    published 2014-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72321
    title RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2014:0136)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0027.NASL
    description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71963
    published 2014-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71963
    title RHEL 5 : java-1.7.0-openjdk (RHSA-2014:0027)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_7_0-OPENJDK-140205.NASL
    description This openjdk update fixes several security issues. For a complete list of fixed vulnerabilities and their description please refer to : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025 800.html
    last seen 2019-02-21
    modified 2014-04-20
    plugin id 72423
    published 2014-02-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72423
    title SuSE 11.3 Security Update : openjdk (SAT Patch Number 8874)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0026.NASL
    description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) Note: The java-1.7.0-openjdk package shipped with Red Hat Enterprise Linux 6.5 via RHBA-2013:1611 replaced 'java7' with 'java' in the provides list. This update re-adds 'java7' to the provides list to maintain backwards compatibility with releases prior to Red Hat Enterprise Linux 6.5. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71962
    published 2014-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71962
    title RHEL 6 : java-1.7.0-openjdk (RHSA-2014:0026)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0026.NASL
    description From Red Hat Security Advisory 2014:0026 : Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) Note: The java-1.7.0-openjdk package shipped with Red Hat Enterprise Linux 6.5 via RHBA-2013:1611 replaced 'java7' with 'java' in the provides list. This update re-adds 'java7' to the provides list to maintain backwards compatibility with releases prior to Red Hat Enterprise Linux 6.5. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 71984
    published 2014-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71984
    title Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2014-0026)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140115_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL
    description An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 71988
    published 2014-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71988
    title Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0027.NASL
    description From Red Hat Security Advisory 2014:0027 : Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 71985
    published 2014-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71985
    title Oracle Linux 5 : java-1.7.0-openjdk (ELSA-2014-0027)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0027.NASL
    description Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422, CVE-2013-5893) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. (CVE-2014-0411) All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71979
    published 2014-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71979
    title CentOS 5 : java-1.7.0-openjdk (CESA-2014:0027)
  • NASL family Windows
    NASL id ORACLE_JAVA_CPU_JAN_2014.NASL
    description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 51, 6 Update 71, or 5 Update 61. It is, therefore, potentially affected by security issues in the following components : - 2D - Beans - CORBA - Deployment - Hotspot - Install - JAAS - JavaFX - JAXP - JNDI - JSSE - Libraries - Networking - Security - Serviceability
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 71966
    published 2014-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71966
    title Oracle Java SE Multiple Vulnerabilities (January 2014 CPU)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0097.NASL
    description Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2013-5907) Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0428, CVE-2014-0422) Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-0373, CVE-2013-5878, CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376, CVE-2014-0368) It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. (CVE-2014-0423) It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys. (CVE-2014-0411) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 72153
    published 2014-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72153
    title CentOS 5 / 6 : java-1.6.0-openjdk (CESA-2014:0097)
redhat via4
advisories
  • bugzilla
    id 1053266
    title CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment java-1.7.0-openjdk is earlier than 1:1.7.0.51-2.4.4.1.el6_5
          oval oval:com.redhat.rhsa:tst:20140026005
        • comment java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20121009006
      • AND
        • comment java-1.7.0-openjdk-demo is earlier than 1:1.7.0.51-2.4.4.1.el6_5
          oval oval:com.redhat.rhsa:tst:20140026007
        • comment java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20121009010
      • AND
        • comment java-1.7.0-openjdk-devel is earlier than 1:1.7.0.51-2.4.4.1.el6_5
          oval oval:com.redhat.rhsa:tst:20140026009
        • comment java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20121009008
      • AND
        • comment java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.51-2.4.4.1.el6_5
          oval oval:com.redhat.rhsa:tst:20140026011
        • comment java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20121009012
      • AND
        • comment java-1.7.0-openjdk-src is earlier than 1:1.7.0.51-2.4.4.1.el6_5
          oval oval:com.redhat.rhsa:tst:20140026013
        • comment java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20121009014
    rhsa
    id RHSA-2014:0026
    released 2014-01-15
    severity Critical
    title RHSA-2014:0026: java-1.7.0-openjdk security update (Critical)
  • bugzilla
    id 1053266
    title CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022)
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment java-1.7.0-openjdk is earlier than 1:1.7.0.51-2.4.4.1.el5_10
          oval oval:com.redhat.rhsa:tst:20140027002
        • comment java-1.7.0-openjdk is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20130165017
      • AND
        • comment java-1.7.0-openjdk-demo is earlier than 1:1.7.0.51-2.4.4.1.el5_10
          oval oval:com.redhat.rhsa:tst:20140027004
        • comment java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20130165025
      • AND
        • comment java-1.7.0-openjdk-devel is earlier than 1:1.7.0.51-2.4.4.1.el5_10
          oval oval:com.redhat.rhsa:tst:20140027008
        • comment java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20130165023
      • AND
        • comment java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.51-2.4.4.1.el5_10
          oval oval:com.redhat.rhsa:tst:20140027010
        • comment java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20130165021
      • AND
        • comment java-1.7.0-openjdk-src is earlier than 1:1.7.0.51-2.4.4.1.el5_10
          oval oval:com.redhat.rhsa:tst:20140027006
        • comment java-1.7.0-openjdk-src is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20130165019
    rhsa
    id RHSA-2014:0027
    released 2014-01-15
    severity Important
    title RHSA-2014:0027: java-1.7.0-openjdk security update (Important)
  • bugzilla
    id 1053266
    title CVE-2013-5896 OpenJDK: com.sun.corba.se. should be restricted package (CORBA, 8025022)
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment java-1.6.0-openjdk is earlier than 1:1.6.0.0-3.1.13.1.el5_10
            oval oval:com.redhat.rhsa:tst:20140097002
          • comment java-1.6.0-openjdk is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090377003
        • AND
          • comment java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-3.1.13.1.el5_10
            oval oval:com.redhat.rhsa:tst:20140097008
          • comment java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090377011
        • AND
          • comment java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-3.1.13.1.el5_10
            oval oval:com.redhat.rhsa:tst:20140097006
          • comment java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090377005
        • AND
          • comment java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-3.1.13.1.el5_10
            oval oval:com.redhat.rhsa:tst:20140097004
          • comment java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090377007
        • AND
          • comment java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-3.1.13.1.el5_10
            oval oval:com.redhat.rhsa:tst:20140097010
          • comment java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20090377009
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhba:tst:20111656001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhba:tst:20111656002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhba:tst:20111656003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20111656004
      • OR
        • AND
          • comment java-1.6.0-openjdk is earlier than 1:1.6.0.0-3.1.13.1.el6_5
            oval oval:com.redhat.rhsa:tst:20140097016
          • comment java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100865006
        • AND
          • comment java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-3.1.13.1.el6_5
            oval oval:com.redhat.rhsa:tst:20140097022
          • comment java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100865010
        • AND
          • comment java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-3.1.13.1.el6_5
            oval oval:com.redhat.rhsa:tst:20140097024
          • comment java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100865008
        • AND
          • comment java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-3.1.13.1.el6_5
            oval oval:com.redhat.rhsa:tst:20140097018
          • comment java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100865014
        • AND
          • comment java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-3.1.13.1.el6_5
            oval oval:com.redhat.rhsa:tst:20140097020
          • comment java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20100865012
    rhsa
    id RHSA-2014:0097
    released 2014-01-27
    severity Important
    title RHSA-2014:0097: java-1.6.0-openjdk security update (Important)
  • rhsa
    id RHSA-2014:0030
  • rhsa
    id RHSA-2014:0134
  • rhsa
    id RHSA-2014:0135
  • rhsa
    id RHSA-2014:0136
  • rhsa
    id RHSA-2014:0414
rpms
  • java-1.7.0-openjdk-1:1.7.0.51-2.4.4.1.el6_5
  • java-1.7.0-openjdk-demo-1:1.7.0.51-2.4.4.1.el6_5
  • java-1.7.0-openjdk-devel-1:1.7.0.51-2.4.4.1.el6_5
  • java-1.7.0-openjdk-javadoc-1:1.7.0.51-2.4.4.1.el6_5
  • java-1.7.0-openjdk-src-1:1.7.0.51-2.4.4.1.el6_5
  • java-1.7.0-openjdk-1:1.7.0.51-2.4.4.1.el5_10
  • java-1.7.0-openjdk-demo-1:1.7.0.51-2.4.4.1.el5_10
  • java-1.7.0-openjdk-devel-1:1.7.0.51-2.4.4.1.el5_10
  • java-1.7.0-openjdk-javadoc-1:1.7.0.51-2.4.4.1.el5_10
  • java-1.7.0-openjdk-src-1:1.7.0.51-2.4.4.1.el5_10
  • java-1.6.0-openjdk-1:1.6.0.0-3.1.13.1.el5_10
  • java-1.6.0-openjdk-demo-1:1.6.0.0-3.1.13.1.el5_10
  • java-1.6.0-openjdk-devel-1:1.6.0.0-3.1.13.1.el5_10
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-3.1.13.1.el5_10
  • java-1.6.0-openjdk-src-1:1.6.0.0-3.1.13.1.el5_10
  • java-1.6.0-openjdk-1:1.6.0.0-3.1.13.1.el6_5
  • java-1.6.0-openjdk-demo-1:1.6.0.0-3.1.13.1.el6_5
  • java-1.6.0-openjdk-devel-1:1.6.0.0-3.1.13.1.el6_5
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-3.1.13.1.el6_5
  • java-1.6.0-openjdk-src-1:1.6.0.0-3.1.13.1.el6_5
refmap via4
bid
  • 64758
  • 64935
confirm
hp
  • HPSBUX02972
  • HPSBUX02973
  • SSRT101454
  • SSRT101455
misc http://hg.openjdk.java.net/jdk7u/jdk7u/corba/rev/0a879f00b698
osvdb 101996
sectrack 1029608
secunia
  • 56432
  • 56485
  • 56486
  • 56535
suse
  • SUSE-SU-2014:0246
  • SUSE-SU-2014:0266
  • SUSE-SU-2014:0451
  • openSUSE-SU-2014:0174
  • openSUSE-SU-2014:0177
  • openSUSE-SU-2014:0180
ubuntu
  • USN-2089-1
  • USN-2124-1
Last major update 26-09-2016 - 21:59
Published 15-01-2014 - 11:08
Last modified 04-01-2018 - 21:29
Back to Top