ID CVE-2014-8891
Summary Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors related to the security manager.
References
Vulnerable Configurations
  • IBM Java SDK Technology Edition 5.0.16.8 (5.0 Service Refresh 16 FixPack 8)
    cpe:2.3:a:ibm:java_sdk:5.0.16.8:-:-:-:technology
  • IBM Java SDK Technology Edition 6.0.16.3 (6.0 Service Refresh 16, FixPack 3)
    cpe:2.3:a:ibm:java_sdk:6.0.16.3:-:-:-:technology
  • IBM Java SDK Technology Edition 6.1.8.2 (6R1 Service Refresh 8, FixPack 2)
    cpe:2.3:a:ibm:java_sdk:6.1.8.2:-:-:-:technology
  • IBM Java SDK Technology Edition 7.0.8.10 (7.0 Service Refresh 8, FixPack 10)
    cpe:2.3:a:ibm:java_sdk:7.0.8.10:-:-:-:technology
  • IBM Java SDK Technology Edition 7.1.2.10 (7R1 Service Refresh 2 FixPack 10)
    cpe:2.3:a:ibm:java_sdk:7.1.2.10:-:-:-:technology
CVSS
Base: 10.0 (as of 09-03-2015 - 10:06)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0264.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Satellite 5.6. Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. (CVE-2014-3065, CVE-2014-3068, CVE-2014-3566, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4288, CVE-2014-6457, CVE-2014-6458, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) The CVE-2014-4262 and CVE-2014-6512 issues were discovered by Florian Weimer of Red Hat Product Security. Users of Red Hat Satellite 5.6 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16-FP3 release. For this update to take effect, Red Hat Satellite must be restarted ('/usr/sbin/rhn-satellite restart'), as well as all running instances of IBM Java.
    last seen 2019-01-16
    modified 2018-12-27
    plugin id 81505
    published 2015-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81505
    title RHEL 5 / 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0264) (POODLE)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_7_0-IBM-150210.NASL
    description java-1_7_0-ibm was updated to fix two security issues : - Unspecified vulnerability. (CVE-2014-8891) - Unspecified vulnerability. (CVE-2014-8892)
    last seen 2018-09-02
    modified 2015-03-10
    plugin id 81436
    published 2015-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81436
    title SuSE 11.3 Security Update : java-1_7_0-ibm (SAT Patch Number 10300)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_6_0-IBM-150210.NASL
    description java-1_6_0-ibm was updated to fix two security issues : - Unspecified vulnerability. (CVE-2014-8891) - Unspecified vulnerability. (CVE-2014-8892)
    last seen 2018-09-01
    modified 2015-03-10
    plugin id 81435
    published 2015-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81435
    title SuSE 11.3 Security Update : java-1_6_0-ibm (SAT Patch Number 10299)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0306-1.NASL
    description java-1_6_0-ibm was updated to fix two security issues. These security issues were fixed : - CVE-2014-8892: Unspecified vulnerability (bnc#916265). - CVE-2014-8891: Unspecified vulnerability (bnc#916266). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 119960
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119960
    title SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2015:0306-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0136.NASL
    description Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6585, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP9 release. All running instances of IBM Java must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-12-27
    plugin id 81204
    published 2015-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81204
    title RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:0136)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0263.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Satellite 5.7. Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5.7. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. (CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) Users of Red Hat Satellite 5.7 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16-FP3 release. For this update to take effect, Red Hat Satellite must be restarted ('/usr/sbin/rhn-satellite restart'), as well as all running instances of IBM Java.
    last seen 2019-01-16
    modified 2018-12-20
    plugin id 81504
    published 2015-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81504
    title RHEL 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0263)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1073-1.NASL
    description This update fixes the following security issues : - Version bump to 7.1-3.0 release bnc#930365 CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138 - Fix removeing links before update-alternatives run. bnc#931702 - Fix bnc#912434, javaws/plugin stuff should slave plugin update-alternatives - Fix bnc#912447, use system cacerts - Update to 7.1.2.10 for sec issues bnc#916266 and bnc#916265 CVE-2014-8892 CVE-2014-8891 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-29
    plugin id 84260
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84260
    title SUSE SLES12 Security Update : java-1_7_0-ibm (SUSE-SU-2015:1073-1) (Bar Mitzvah)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0135.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP3 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-01-16
    modified 2018-12-27
    plugin id 81203
    published 2015-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81203
    title RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2015:0135)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0133.NASL
    description Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR2-FP10 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-01-16
    modified 2018-12-20
    plugin id 81201
    published 2015-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81201
    title RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:0133)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0134.NASL
    description Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412) All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR8-FP10 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 81202
    published 2015-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81202
    title RHEL 5 : java-1.7.0-ibm (RHSA-2015:0134)
  • NASL family AIX Local Security Checks
    NASL id AIX_JAVA_FEB2015_ADVISORY.NASL
    description The version of Java SDK installed on the remote host is affected by the following vulnerabilities : - A man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) - Information disclosure flaws exist in the font parsing code in the 2D component in OpenJDK. A specially crafted font file can exploit boundary check flaws and allow an untrusted Java applet or application to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) - A NULL pointer dereference flaw exists in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java applet or application can use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) - The SSL/TLS implementation in the JSSE component in OpenJDK fails to properly check whether the ChangeCipherSpec was received during a SSL/TLS connection handshake. An MitM attacker can use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) - An unspecified privilege escalation vulnerability exists in IBM Java Virtual Machine. (CVE-2014-8891) - An unspecified information disclosure vulnerability exists in the Libraries component of Oracle Java SE. (CVE-2015-0400) - An unspecified information disclosure vulnerability exists in the Deployment component of Oracle Java SE. (CVE-2015-0403) - Unspecified denial of service and information disclosure vulnerabilities exist in the Deployment component of Oracle Java SE. (CVE-2015-0406) - An information disclosure vulnerability exists in the Swing component in OpenJDK. An untrusted Java applet or application can use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) - Multiple improper permission check vulnerabilities exist in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java applet or application can use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) - A denial of service vulnerability exists in the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK when handling negative length values. A specially crafted, DER-encoded input can cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410)
    last seen 2019-01-16
    modified 2018-07-17
    plugin id 81491
    published 2015-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81491
    title AIX Java Advisory : java_feb2015_advisory.asc (POODLE)
redhat via4
advisories
  • rhsa
    id RHSA-2015:0136
  • rhsa
    id RHSA-2015:0264
refmap via4
confirm
suse
  • SUSE-SU-2015:0304
  • SUSE-SU-2015:0306
  • SUSE-SU-2015:0343
  • SUSE-SU-2015:0344
  • SUSE-SU-2015:0345
  • SUSE-SU-2015:0376
  • SUSE-SU-2015:0392
  • SUSE-SU-2015:1073
Last major update 27-12-2016 - 21:59
Published 06-03-2015 - 18:59
Back to Top