| nessus
via4
|
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0264.NASL | | description | Updated java-1.6.0-ibm packages that fix several security issues are
now available for Red Hat Satellite 5.6.
Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Satellite 5.6. In a
typical operating environment, these are of low security risk as the
runtime is not used on untrusted applets.
Several flaws were fixed in the IBM Java 2 Runtime Environment.
(CVE-2014-3065, CVE-2014-3068, CVE-2014-3566, CVE-2014-4209,
CVE-2014-4218, CVE-2014-4219, CVE-2014-4227, CVE-2014-4244,
CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265,
CVE-2014-4288, CVE-2014-6457, CVE-2014-6458, CVE-2014-6492,
CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506,
CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6531,
CVE-2014-6532, CVE-2014-6558, CVE-2014-6585, CVE-2014-6587,
CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892,
CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407,
CVE-2015-0408, CVE-2015-0410, CVE-2015-0412)
The CVE-2014-4262 and CVE-2014-6512 issues were discovered by Florian
Weimer of Red Hat Product Security.
Users of Red Hat Satellite 5.6 are advised to upgrade to these updated
packages, which contain the IBM Java SE 6 SR16-FP3 release. For this
update to take effect, Red Hat Satellite must be restarted
('/usr/sbin/rhn-satellite restart'), as well as all running instances
of IBM Java. | | last seen | 2019-01-16 | | modified | 2018-12-27 | | plugin id | 81505 | | published | 2015-02-25 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81505 | | title | RHEL 5 / 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0264) (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0086.NASL | | description | Updated java-1.6.0-sun packages that fix several security issues are
now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and
7.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Oracle Java SE version 6 includes the Oracle Java Runtime Environment
and the Oracle Java Software Development Kit.
This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE
Critical Patch Update Advisory page, listed in the References section.
(CVE-2014-3566, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591,
CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408,
CVE-2015-0410, CVE-2015-0412)
The CVE-2015-0383 issue was discovered by Red Hat.
Note: With this update, the Oracle Java SE now disables the SSL 3.0
protocol to address the CVE-2014-3566 issue (also known as POODLE).
Refer to the Red Hat Bugzilla bug linked to in the References section
for instructions on how to re-enable SSL 3.0 support if needed.
All users of java-1.6.0-sun are advised to upgrade to these updated
packages, which provide Oracle Java 6 Update 91 and resolve these
issues. All running instances of Oracle Java must be restarted for the
update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 81014 | | published | 2015-01-27 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81014 | | title | RHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2015:0086) (POODLE) |
| NASL family | Windows | | NASL id | ORACLE_JROCKIT_CPU_JAN_2015.NASL | | description | The remote host has a version of Oracle JRockit that is affected by
multiple vulnerabilities in the following components :
- Hotspot
- JSSE
- Security
Note that CVE-2014-3566 is an error related to the way SSL 3.0 handles
padding bytes when decrypting messages encrypted using block ciphers
in cipher block chaining (CBC) mode. A man-in-the-middle attacker can
decrypt a selected byte of a cipher text in as few as 256 tries if
they are able to force a victim application to repeatedly send the
same data over newly created SSL 3.0 connections. This is also known
as the 'POODLE' issue. | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 80890 | | published | 2015-01-21 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80890 | | title | Oracle JRockit R27.8.4 / R28.3.4 Multiple Vulnerabilities (January 2015 CPU) (POODLE) |
| NASL family | Web Servers | | NASL id | WEBSPHERE_7_0_0_37.NASL | | description | The IBM WebSphere Application Server running on the remote host is
version 7.0 prior to Fix Pack 37. It is, therefore, affected by the
following vulnerabilities :
- A man-in-the-middle (MitM) information disclosure
vulnerability known as POODLE. The vulnerability is due
to the way SSL 3.0 handles padding bytes when decrypting
messages encrypted using block ciphers in cipher block
chaining (CBC) mode. MitM attackers can decrypt a
selected byte of a cipher text in as few as 256 tries if
they are able to force a victim application to
repeatedly send the same data over newly created SSL 3.0
connections. (CVE-2014-3566 / PI27101)
- An input validation error exists related to session
input using URL rewriting that can allow cross-site
scripting attacks. (CVE-2014-6167 / PI23819)
- An error exists related to the administrative console
that can allow 'click-jacking' attacks.
(CVE-2014-6174 / PI27152)
- Multiple errors exist in the bundled IBM Java SDK. These
errors are corrected by the October 2014 IBM Java SDK
updates. (CVE-2014-6457, CVE-2014-6512, CVE-2014-6558 /
PI27101)
- Multiple errors exist in the bundled IBM Java SDK. These
errors are corrected by the January 2015 IBM Java SDK
updates. (CVE-2014-6593, CVE-2015-0400, CVE-2015-0410) /
PI33407 | | last seen | 2019-01-16 | | modified | 2018-08-06 | | plugin id | 81825 | | published | 2015-03-17 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81825 | | title | IBM WebSphere Application Server 7.0 < Fix Pack 37 Multiple Vulnerabilities (POODLE) |
| NASL family | Scientific Linux Local Security Checks | | NASL id | SL_20150121_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL | | description | Multiple flaws were found in the way the Hotspot component in OpenJDK
verified bytecode from the class files, and in the way this component
generated code for bytecode. An untrusted Java application or applet
could possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2014-6601, CVE-2015-0437)
Multiple improper permission check issues were discovered in the
JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the- middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
All running instances of OpenJDK Java must be restarted for the update
to take effect. | | last seen | 2019-01-16 | | modified | 2018-12-28 | | plugin id | 80904 | | published | 2015-01-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80904 | | title | Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0080.NASL | | description | Updated java-1.8.0-oracle packages that fix several security issues
are now available for Oracle Java for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Oracle Java SE version 8 includes the Oracle Java Runtime Environment
and the Oracle Java Software Development Kit.
This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE
Critical Patch Update Advisory page, listed in the References section.
(CVE-2014-3566, CVE-2014-6549, CVE-2014-6585, CVE-2014-6587,
CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383,
CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407,
CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413,
CVE-2015-0421, CVE-2015-0437)
The CVE-2015-0383 issue was discovered by Red Hat.
Note: With this update, the Oracle Java SE now disables the SSL 3.0
protocol to address the CVE-2014-3566 issue (also known as POODLE).
Refer to the Red Hat Bugzilla bug linked to in the References section
for instructions on how to re-enable SSL 3.0 support if needed.
All users of java-1.8.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 8 Update 31 and resolve these
issues. All running instances of Oracle Java must be restarted for the
update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 80932 | | published | 2015-01-23 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80932 | | title | RHEL 6 : java-1.8.0-oracle (RHSA-2015:0080) (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0133.NASL | | description | Updated java-1.7.1-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 6 and 7 Supplementary.
Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
IBM Java SE version 7 Release 1 includes the IBM Java Runtime
Environment and the IBM Java Software Development Kit.
This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM Security alerts
page, listed in the References section. (CVE-2014-6549, CVE-2014-6585,
CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891,
CVE-2014-8892, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407,
CVE-2015-0408, CVE-2015-0410, CVE-2015-0412)
All users of java-1.7.1-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7R1 SR2-FP10 release. All running
instances of IBM Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-12-20 | | plugin id | 81201 | | published | 2015-02-06 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81201 | | title | RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:0133) |
| NASL family | Windows | | NASL id | ORACLE_JAVA_CPU_JAN_2015.NASL | | description | The version of Oracle Java SE or Java for Business installed on the
remote host is prior to 8 Update 31, 7 Update 75, 6 Update 91, or 5
Update 81. It is, therefore, affected by security vulnerabilities in
the following components :
- 2D
- Deployment
- Hotspot
- Install
- JAX-WS
- JSSE
- Libraries
- RMI
- Security
- Serviceability
- Swing | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 80908 | | published | 2015-01-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80908 | | title | Oracle Java SE Multiple Vulnerabilities (January 2015 CPU) (POODLE) |
| NASL family | Misc. | | NASL id | VCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-VAPP.NASL | | description | The version of VMware vCenter Operations Manager installed on the
remote host has a bundled version of the Java JRE prior to version
1.7.0_76-b13 (aka 7.0.760). It is, therefore, affected by a
man-in-the-middle (MitM) information disclosure vulnerability known as
POODLE. The vulnerability is due to the way SSL 3.0 handles padding
bytes when decrypting messages encrypted using block ciphers in cipher
block chaining (CBC) mode. MitM attackers can decrypt a selected byte
of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created
SSL 3.0 connections. (CVE-2014-3566)
Additionally, unspecified vulnerabilities also exist in the following
bundled Java components :
- 2D (CVE-2014-6585, CVE-2014-6591)
- Deployment (CVE-2015-0403, CVE-2015-0406)
- Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0437)
- Installation (CVE-2015-0421)
- JAX-WS (CVE-2015-0412)
- JSSE (CVE-2014-6593)
- Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
- RMI (CVE-2015-0408)
- Security (CVE-2015-0410)
- Serviceability (CVE-2015-0413)
- Swing (CVE-2015-0407)
VMware has released a patch that updates the JRE bundled with the
appliance. | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 82706 | | published | 2015-04-10 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82706 | | title | VMware vCenter Operations Management vApp JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE) |
| NASL family | Scientific Linux Local Security Checks | | NASL id | SL_20150121_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL | | description | A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the- middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
All running instances of OpenJDK Java must be restarted for the update
to take effect. | | last seen | 2019-01-16 | | modified | 2018-12-28 | | plugin id | 80902 | | published | 2015-01-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80902 | | title | Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (POODLE) |
| NASL family | Amazon Linux Local Security Checks | | NASL id | ALA_ALAS-2015-471.NASL | | description | A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412 , CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585 , CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383) | | last seen | 2019-01-16 | | modified | 2018-08-31 | | plugin id | 80921 | | published | 2015-01-23 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80921 | | title | Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2015-471) (POODLE) |
| NASL family | Debian Local Security Checks | | NASL id | DEBIAN_DLA-157.NASL | | description | Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, information disclosure or denial of service.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-08-31 | | plugin id | 82140 | | published | 2015-03-26 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82140 | | title | Debian DLA-157-1 : openjdk-6 security update (POODLE) |
| NASL family | Amazon Linux Local Security Checks | | NASL id | ALA_ALAS-2015-480.NASL | | description | A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412 , CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585 , CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The
CVE-2015-0383 issue was discovered by Red Hat. | | last seen | 2019-01-16 | | modified | 2018-08-31 | | plugin id | 81326 | | published | 2015-02-13 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81326 | | title | Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2015-480) (POODLE) |
| NASL family | AIX Local Security Checks | | NASL id | AIX_JAVA_FEB2015_ADVISORY.NASL | | description | The version of Java SDK installed on the remote host is affected by
the following vulnerabilities :
- A man-in-the-middle (MitM) information disclosure
vulnerability known as POODLE. The vulnerability is due
to the way SSL 3.0 handles padding bytes when decrypting
messages encrypted using block ciphers in cipher block
chaining (CBC) mode. MitM attackers can decrypt a
selected byte of a cipher text in as few as 256 tries if
they are able to force a victim application to
repeatedly send the same data over newly created SSL 3.0
connections. (CVE-2014-3566)
- Information disclosure flaws exist in the font parsing
code in the 2D component in OpenJDK. A specially crafted
font file can exploit boundary check flaws and allow an
untrusted Java applet or application to disclose
portions of the Java Virtual Machine memory.
(CVE-2014-6585, CVE-2014-6591)
- A NULL pointer dereference flaw exists in the
MulticastSocket implementation in the Libraries
component of OpenJDK. An untrusted Java applet or
application can use this flaw to bypass certain
Java sandbox restrictions. (CVE-2014-6587)
- The SSL/TLS implementation in the JSSE component in
OpenJDK fails to properly check whether the
ChangeCipherSpec was received during a SSL/TLS
connection handshake. An MitM attacker can use this
flaw to force a connection to be established without
encryption being enabled. (CVE-2014-6593)
- An unspecified privilege escalation vulnerability exists
in IBM Java Virtual Machine. (CVE-2014-8891)
- An unspecified information disclosure vulnerability
exists in the Libraries component of Oracle Java SE.
(CVE-2015-0400)
- An unspecified information disclosure vulnerability
exists in the Deployment component of Oracle Java SE.
(CVE-2015-0403)
- Unspecified denial of service and information
disclosure vulnerabilities exist in the Deployment
component of Oracle Java SE. (CVE-2015-0406)
- An information disclosure vulnerability exists in the
Swing component in OpenJDK. An untrusted Java applet or
application can use this flaw to bypass certain Java
sandbox restrictions. (CVE-2015-0407)
- Multiple improper permission check vulnerabilities exist
in the JAX-WS, Libraries, and RMI components in OpenJDK.
An untrusted Java applet or application can use these
flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2014-6549, CVE-2015-0408)
- A denial of service vulnerability exists in the DER
(Distinguished Encoding Rules) decoder in the Security
component in OpenJDK when handling negative length
values. A specially crafted, DER-encoded input can cause
a Java application to enter an infinite loop when
decoded. (CVE-2015-0410) | | last seen | 2019-01-16 | | modified | 2018-07-17 | | plugin id | 81491 | | published | 2015-02-24 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81491 | | title | AIX Java Advisory : java_feb2015_advisory.asc (POODLE) |
| NASL family | Amazon Linux Local Security Checks | | NASL id | ALA_ALAS-2015-472.NASL | | description | Multiple flaws were found in the way the Hotspot component in OpenJDK
verified bytecode from the class files, and in the way this component
generated code for bytecode. An untrusted Java application or applet
could possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2014-6601 , CVE-2015-0437)
Multiple improper permission check issues were discovered in the
JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2015-0412 , CVE-2014-6549 , CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585 , CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383) | | last seen | 2019-01-16 | | modified | 2018-08-31 | | plugin id | 80922 | | published | 2015-01-23 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80922 | | title | Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2015-472) (POODLE) |
| NASL family | CentOS Local Security Checks | | NASL id | CENTOS_RHSA-2015-0069.NASL | | description | Updated java-1.8.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Multiple flaws were found in the way the Hotspot component in OpenJDK
verified bytecode from the class files, and in the way this component
generated code for bytecode. An untrusted Java application or applet
could possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2014-6601, CVE-2015-0437)
Multiple improper permission check issues were discovered in the
JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.8.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 80870 | | published | 2015-01-21 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80870 | | title | CentOS 6 : java-1.8.0-openjdk (CESA-2015:0069) (POODLE) |
| NASL family | Oracle Linux Local Security Checks | | NASL id | ORACLELINUX_ELSA-2015-0067.NASL | | description | From Red Hat Security Advisory 2015:0067 :
Updated java-1.7.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
Note: If the web browser plug-in provided by the icedtea-web package
was installed, the issues exposed via Java applets could have been
exploited without user interaction if a user visited a malicious
website.
All users of java-1.7.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-09-05 | | plugin id | 80899 | | published | 2015-01-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80899 | | title | Oracle Linux 6 / 7 : java-1.7.0-openjdk (ELSA-2015-0067) (POODLE) |
| NASL family | Debian Local Security Checks | | NASL id | DEBIAN_DSA-3147.NASL | | description | Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, information disclosure or denial of service. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 81111 | | published | 2015-02-02 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81111 | | title | Debian DSA-3147-1 : openjdk-6 - security update (POODLE) |
| NASL family | SuSE Local Security Checks | | NASL id | SUSE_SU-2015-0503-1.NASL | | description | This update fixes 13 security issues.
These security issues were fixed :
- CVE-2015-0395: Unspecified vulnerability in Oracle Java
SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers
to affect confidentiality, integrity, and availability
via unknown vectors related to Hotspot (bnc#914041).
- CVE-2015-0400: Unspecified vulnerability in Oracle Java
SE 6u85, 7u72, and 8u25 allowed remote attackers to
affect confidentiality via unknown vectors related to
Libraries (bnc#914041).
- CVE-2015-0383: Unspecified vulnerability in Oracle Java
SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71
and 8u6; and JRockit R27.8.4 and R28.3.4 allowed local
users to affect integrity and availability via unknown
vectors related to Hotspot (bnc#914041).
- CVE-2015-0412: Unspecified vulnerability in Oracle Java
SE 6u85, 7u72, and 8u25 allowed remote attackers to
affect confidentiality, integrity, and availability via
vectors related to JAX-WS (bnc#914041).
- CVE-2015-0407: Unspecified vulnerability in Oracle Java
SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers
to affect confidentiality via unknown vectors related to
Swing (bnc#914041).
- CVE-2015-0408: Unspecified vulnerability in Oracle Java
SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers
to affect confidentiality, integrity, and availability
via vectors related to RMI (bnc#914041).
- CVE-2014-6585: Unspecified vulnerability in Oracle Java
SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers
to affect confidentiality via unknown vectors reelated
to 2D, a different vulnerability than CVE-2014-6591
(bnc#914041).
- CVE-2014-6587: Unspecified vulnerability in Oracle Java
SE 6u85, 7u72, and 8u25 allowed local users to affect
confidentiality, integrity, and availability via unknown
vectors related to Libraries (bnc#914041).
- CVE-2014-6591: Unspecified vulnerability in the Java SE
component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
allowed remote attackers to affect confidentiality via
unknown vectors related to 2D, a different vulnerability
than CVE-2014-6585 (bnc#914041).
- CVE-2014-6593: Unspecified vulnerability in Oracle Java
SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71
and 8u6; and JRockit 27.8.4 and 28.3.4 allowed remote
attackers to affect confidentiality and integrity via
vectors related to JSSE (bnc#914041).
- CVE-2014-6601: Unspecified vulnerability in Oracle Java
SE 6u85, 7u72, and 8u25 allowed remote attackers to
affect confidentiality, integrity, and availability via
unknown vectors related to Hotspot (bnc#914041).
- CVE-2015-0410: Unspecified vulnerability in the Java SE,
Java SE Embedded, JRockit component in Oracle Java SE
5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and
8u6; and JRockit R27.8.4 and R28.3.4 allowed remote
attackers to affect availability via unknown vectors
related to Security (bnc#914041).
- CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL
through 1.0.1i and other products, used nondeterministic
CBC padding, which made it easier for man-in-the-middle
attackers to obtain cleartext data via a padding-oracle
attack, aka the 'POODLE' issue (bnc#901223).
The update package also includes non-security fixes. See advisory for
details.
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-11-29 | | plugin id | 83699 | | published | 2015-05-20 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=83699 | | title | SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2015:0503-1) (POODLE) |
| NASL family | CentOS Local Security Checks | | NASL id | CENTOS_RHSA-2015-0085.NASL | | description | Updated java-1.6.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.6.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 81005 | | published | 2015-01-27 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81005 | | title | CentOS 5 / 6 / 7 : java-1.6.0-openjdk (CESA-2015:0085) (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0135.NASL | | description | Updated java-1.6.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
IBM Java SE version 6 includes the IBM Java Runtime Environment and
the IBM Java Software Development Kit.
This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM Security alerts
page, listed in the References section. (CVE-2014-6585, CVE-2014-6587,
CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892,
CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407,
CVE-2015-0408, CVE-2015-0410, CVE-2015-0412)
All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 6 SR16-FP3 release. All running
instances of IBM Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-12-27 | | plugin id | 81203 | | published | 2015-02-06 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81203 | | title | RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2015:0135) |
| NASL family | Oracle Linux Local Security Checks | | NASL id | ORACLELINUX_ELSA-2015-0085.NASL | | description | From Red Hat Security Advisory 2015:0085 :
Updated java-1.6.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.6.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-09-05 | | plugin id | 81011 | | published | 2015-01-27 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81011 | | title | Oracle Linux 5 / 6 / 7 : java-1.6.0-openjdk (ELSA-2015-0085) (POODLE) |
| NASL family | Ubuntu Local Security Checks | | NASL id | UBUNTU_USN-2487-1.NASL | | description | Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker
could exploit these to cause a denial of service or expose sensitive
data over the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601,
CVE-2015-0395, CVE-2015-0408, CVE-2015-0412)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose
sensitive data over the network. (CVE-2014-6585, CVE-2014-6591,
CVE-2015-0400, CVE-2015-0407)
A vulnerability was discovered in the OpenJDK JRE related to
information disclosure and integrity. An attacker could exploit this
to expose sensitive data over the network. (CVE-2014-6593)
A vulnerability was discovered in the OpenJDK JRE related to integrity
and availability. An attacker could exploit this to cause a denial of
service. (CVE-2015-0383)
A vulnerability was discovered in the OpenJDK JRE related to
availability. An attacker could this exploit to cause a denial of
service. (CVE-2015-0410)
A vulnerability was discovered in the OpenJDK JRE related to data
integrity. (CVE-2015-0413).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-12-01 | | plugin id | 81045 | | published | 2015-01-28 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81045 | | title | Ubuntu 14.04 LTS / 14.10 : openjdk-7 vulnerabilities (USN-2487-1) (POODLE) |
| NASL family | Mandriva Local Security Checks | | NASL id | MANDRIVA_MDVSA-2015-198.NASL | | description | Multiple vulnerabilities has been discovered and corrected in
java-1.8.0-openjdk :
Multiple flaws were found in the way the Hotspot component in OpenJDK
verified bytecode from the class files, and in the way this component
generated code for bytecode. An untrusted Java application or applet
could possibly use these flaws to bypass Java sandbox restrictions
(CVE-2014-6601, CVE-2015-0437).
Multiple improper permission check issues were discovered in the
JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408).
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions
(CVE-2015-0395).
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded (CVE-2015-0410).
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack (CVE-2014-3566).
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled (CVE-2014-6593).
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions (CVE-2015-0407).
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions (CVE-2014-6587).
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory (CVE-2014-6585, CVE-2014-6591).
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack (CVE-2015-0383).
The updated packages provides a solution for these security issues. | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 82684 | | published | 2015-04-10 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82684 | | title | Mandriva Linux Security Advisory : java-1.8.0-openjdk (MDVSA-2015:198) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0134.NASL | | description | Updated java-1.7.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 5 Supplementary.
Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
IBM Java SE version 7 includes the IBM Java Runtime Environment and
the IBM Java Software Development Kit.
This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM Security alerts
page, listed in the References section. (CVE-2014-6549, CVE-2014-6585,
CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891,
CVE-2014-8892, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407,
CVE-2015-0408, CVE-2015-0410, CVE-2015-0412)
All users of java-1.7.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7 SR8-FP10 release. All running
instances of IBM Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 81202 | | published | 2015-02-06 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81202 | | title | RHEL 5 : java-1.7.0-ibm (RHSA-2015:0134) |
| NASL family | Scientific Linux Local Security Checks | | NASL id | SL_20150121_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL | | description | A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the- middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
Note: If the web browser plug-in provided by the icedtea-web package
was installed, the issues exposed via Java applets could have been
exploited without user interaction if a user visited a malicious
website.
All running instances of OpenJDK Java must be restarted for the update
to take effect. | | last seen | 2019-01-16 | | modified | 2018-12-28 | | plugin id | 80903 | | published | 2015-01-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80903 | | title | Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x, SL7.x i386/x86_64 (POODLE) |
| NASL family | SuSE Local Security Checks | | NASL id | OPENSUSE-2015-91.NASL | | description | OpenJDK was updated to 2.5.4 - OpenJDK 7u75 to fix security issues and
bugs :
- Security fixes
- S8046656: Update protocol support
- S8047125, CVE-2015-0395: (ref) More phantom object
references
- S8047130: Fewer escapes from escape analysis
- S8048035, CVE-2015-0400: Ensure proper proxy protocols
- S8049253: Better GC validation
- S8050807, CVE-2015-0383: Better performing performance
data handling
- S8054367, CVE-2015-0412: More references for endpoints
- S8055304, CVE-2015-0407: More boxing for
DirectoryComboBoxModel
- S8055309, CVE-2015-0408: RMI needs better transportation
considerations
- S8055479: TLAB stability
- S8055489, CVE-2014-6585: Better substitution formats
- S8056264, CVE-2014-6587: Multicast support improvements
- S8056276, CVE-2014-6591: Fontmanager feature
improvements
- S8057555, CVE-2014-6593: Less cryptic cipher suite
management
- S8058982, CVE-2014-6601: Better verification of an
exceptional invokespecial
- S8059485, CVE-2015-0410: Resolve parsing ambiguity
- S8061210, CVE-2014-3566: Issues in TLS | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 81141 | | published | 2015-02-03 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81141 | | title | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2015:0190-1) (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0068.NASL | | description | Updated java-1.7.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.7.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 80881 | | published | 2015-01-21 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80881 | | title | RHEL 5 : java-1.7.0-openjdk (RHSA-2015:0068) (POODLE) |
| NASL family | CentOS Local Security Checks | | NASL id | CENTOS_RHSA-2015-0067.NASL | | description | Updated java-1.7.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
Note: If the web browser plug-in provided by the icedtea-web package
was installed, the issues exposed via Java applets could have been
exploited without user interaction if a user visited a malicious
website.
All users of java-1.7.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 80868 | | published | 2015-01-21 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80868 | | title | CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:0067) (POODLE) |
| NASL family | Scientific Linux Local Security Checks | | NASL id | SL_20150126_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL | | description | A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the- middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
All running instances of OpenJDK Java must be restarted for the update
to take effect. | | last seen | 2019-01-16 | | modified | 2018-12-28 | | plugin id | 81015 | | published | 2015-01-27 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81015 | | title | Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64 (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0079.NASL | | description | Updated java-1.7.0-oracle packages that fix several security issues
are now available for Oracle Java for Red Hat Enterprise Linux 5, 6,
and 7.
Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Oracle Java SE version 7 includes the Oracle Java Runtime Environment
and the Oracle Java Software Development Kit.
This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE
Critical Patch Update Advisory page, listed in the References section.
(CVE-2014-3566, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591,
CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408,
CVE-2015-0410, CVE-2015-0412, CVE-2015-0413)
The CVE-2015-0383 issue was discovered by Red Hat.
Note: With this update, the Oracle Java SE now disables the SSL 3.0
protocol to address the CVE-2014-3566 issue (also known as POODLE).
Refer to the Red Hat Bugzilla bug linked to in the References section
for instructions on how to re-enable SSL 3.0 support if needed.
All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 75 and resolve these
issues. All running instances of Oracle Java must be restarted for the
update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 80931 | | published | 2015-01-23 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80931 | | title | RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2015:0079) (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0136.NASL | | description | Updated java-1.5.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the
IBM Java Software Development Kit.
This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM Security alerts
page, listed in the References section. (CVE-2014-6585, CVE-2014-6591,
CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395,
CVE-2015-0407, CVE-2015-0408, CVE-2015-0410)
All users of java-1.5.0-ibm are advised to upgrade to these updated
packages, containing the IBM J2SE 5.0 SR16-FP9 release. All running
instances of IBM Java must be restarted for this update to take
effect. | | last seen | 2019-01-16 | | modified | 2018-12-27 | | plugin id | 81204 | | published | 2015-02-06 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81204 | | title | RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:0136) |
| NASL family | Oracle Linux Local Security Checks | | NASL id | ORACLELINUX_ELSA-2015-0069.NASL | | description | From Red Hat Security Advisory 2015:0069 :
Updated java-1.8.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Multiple flaws were found in the way the Hotspot component in OpenJDK
verified bytecode from the class files, and in the way this component
generated code for bytecode. An untrusted Java application or applet
could possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2014-6601, CVE-2015-0437)
Multiple improper permission check issues were discovered in the
JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.8.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-09-05 | | plugin id | 80901 | | published | 2015-01-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80901 | | title | Oracle Linux 6 : java-1.8.0-openjdk (ELSA-2015-0069) (POODLE) |
| NASL family | Mandriva Local Security Checks | | NASL id | MANDRIVA_MDVSA-2015-033.NASL | | description | Updated java-1.7.0 packages fix security vulnerabilities :
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions
(CVE-2014-6601).
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions
(CVE-2015-0412, CVE-2015-0408).
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions
(CVE-2015-0395).
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded (CVE-2015-0410).
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled (CVE-2014-6593).
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions (CVE-2015-0407).
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions (CVE-2014-6587).
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory (CVE-2014-6585, CVE-2014-6591).
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack (CVE-2015-0383).
Note: This update disables SSL 3.0 by default to mitigate the POODLE
issue, also known as CVE-2014-3566. The jdk.tls.disabledAlgorithms
security property can be used to re-enable SSL 3.0 support if needed.
For additional information, refer to the Red Hat Bugzilla bug linked
to in the References section. | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 81233 | | published | 2015-02-09 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81233 | | title | Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2015:033) |
| NASL family | Gentoo Local Security Checks | | NASL id | GENTOO_GLSA-201507-14.NASL | | description | The remote host is affected by the vulnerability described in GLSA-201507-14
(Oracle JRE/JDK: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in Oracle JRE/JDK. Please
review the CVE identifiers referenced below for details.
Impact :
An context-dependent attacker may be able to influence the
confidentiality, integrity, and availability of Java
applications/runtime.
Workaround :
There is no workaround at this time. | | last seen | 2019-01-16 | | modified | 2018-09-04 | | plugin id | 84719 | | published | 2015-07-14 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=84719 | | title | GLSA-201507-14 : Oracle JRE/JDK: Multiple vulnerabilities (POODLE) |
| NASL family | Misc. | | NASL id | VMWARE_VCENTER_VMSA-2015-0003.NASL | | description | The VMware vCenter Server installed on the remote host is version 5.0
prior to 5.0u3d, 5.1 prior to 5.1u3a, 5.5 prior to 5.5u2e, or 6.0
prior to 6.0.0a. It is, therefore, affected by a man-in-the-middle
(MitM) information disclosure vulnerability known as POODLE, related
to the bundled JRE component. The vulnerability is due to the way SSL
3.0 handles padding bytes when decrypting messages encrypted using
block ciphers in cipher block chaining (CBC) mode. MitM attackers can
decrypt a selected byte of a cipher text in as few as 256 tries if
they are able to force a victim application to repeatedly send the
same data over newly created SSL 3.0 connections.
Additionally, multiple unspecified vulnerabilities also exist in the
following bundled JRE components :
- 2D (CVE-2014-6585, CVE-2014-6591)
- Deployment (CVE-2015-0403, CVE-2015-0406)
- Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0437)
- Installation (CVE-2015-0421)
- JAX-WS (CVE-2015-0412)
- JSSE (CVE-2014-6593)
- Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
- RMI (CVE-2015-0408)
- Security (CVE-2015-0410)
- Serviceability (CVE-2015-0413)
- Swing (CVE-2015-0407) | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 83186 | | published | 2015-05-01 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=83186 | | title | VMware vCenter Server Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0263.NASL | | description | Updated java-1.6.0-ibm packages that fix several security issues are
now available for Red Hat Satellite 5.7.
Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Satellite 5.7. In a
typical operating environment, these are of low security risk as the
runtime is not used on untrusted applets.
Several flaws were fixed in the IBM Java 2 Runtime Environment.
(CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593,
CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403,
CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410,
CVE-2015-0412)
Users of Red Hat Satellite 5.7 are advised to upgrade to these updated
packages, which contain the IBM Java SE 6 SR16-FP3 release. For this
update to take effect, Red Hat Satellite must be restarted
('/usr/sbin/rhn-satellite restart'), as well as all running instances
of IBM Java. | | last seen | 2019-01-16 | | modified | 2018-12-20 | | plugin id | 81504 | | published | 2015-02-25 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81504 | | title | RHEL 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0263) |
| NASL family | Misc. | | NASL id | VCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-LINUX.NASL | | description | The version of VMware vCenter Operations Manager installed on the
remote Linux host has a bundled version of the Java JRE prior to
version 1.7.0_76-b13 (aka 7.0.760.13). It is, therefore, affected by a
man-in-the-middle (MitM) information disclosure vulnerability known as
POODLE. The vulnerability is due to the way SSL 3.0 handles padding
bytes when decrypting messages encrypted using block ciphers in cipher
block chaining (CBC) mode. MitM attackers can decrypt a selected byte
of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created
SSL 3.0 connections. (CVE-2014-3566)
Additionally, unspecified vulnerabilities also exist in the following
bundled Java components :
- 2D (CVE-2014-6585, CVE-2014-6591)
- Deployment (CVE-2015-0403, CVE-2015-0406)
- Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0437)
- Installation (CVE-2015-0421)
- JAX-WS (CVE-2015-0412)
- JSSE (CVE-2014-6593)
- Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
- RMI (CVE-2015-0408)
- Security (CVE-2015-0410)
- Serviceability (CVE-2015-0413)
- Swing (CVE-2015-0407)
VMware has released a patch that updates the JRE bundled with the
appliance. | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 82705 | | published | 2015-04-10 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82705 | | title | VMware vCenter Operations Management Linux JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE) |
| NASL family | Windows | | NASL id | VMWARE_HORIZON_VIEW_VMSA-2015-0003.NASL | | description | The VMware Horizon View installed on the remote Windows host is
version 5.x prior to 5.3.4 or version 6.x prior to 6.1. It is,
therefore, affected by the following vulnerabilities :
- A man-in-the-middle (MitM) information disclosure
vulnerability, known as POODLE, exists due to the way
SSL 3.0 handles padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining
(CBC) mode. A MitM attacker can decrypt a selected byte
of a cipher text in as few as 256 tries if they are able
to force a victim application to repeatedly send the
same data over newly created SSL 3.0 connections.
(CVE-2014-3566)
- An XML external entity (XXE) injection vulnerability
exists in the included Flex BlazeDS component due to an
incorrect configuration of the XML parser that allows
external XML entities to be accepted from untrusted
sources. An unauthenticated, remote attacker can exploit
this vulnerability, via a via a crafted AMF message, to
gain access to sensitive information. (CVE-2015-3269)
- A flaw exists in the bundled Adobe ColdFusion and
LiveCycle Data Services components related to request
handling between a user and the server. A remote
attacker can exploit this, via a specially crafted
request, to bypass access restrictions (e.g. host or
network ACLs), conduct port scanning of internal
networks, enumerate internal hosts, or possibly invoke
additional protocols (e.g. Gopher, TFTP).
(CVE-2015-5255)
Additionally, unspecified vulnerabilities also exist in the following
bundled Java components :
- 2D (CVE-2014-6585, CVE-2014-6591)
- Deployment (CVE-2015-0403, CVE-2015-0406)
- Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0437)
- Installation (CVE-2015-0421)
- JAX-WS (CVE-2015-0412)
- JSSE (CVE-2014-6593)
- Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
- RMI (CVE-2015-0408)
- Security (CVE-2015-0410)
- Serviceability (CVE-2015-0413)
- Swing (CVE-2015-0407) | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 82741 | | published | 2015-04-13 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82741 | | title | VMware Horizon View Multiple Vulnerabilities (VMSA-2015-0003) (VMSA-2015-0008) (POODLE) |
| NASL family | Misc. | | NASL id | VCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-WIN.NASL | | description | The version of VMware vCenter Operations Manager installed on the
remote Windows host has a bundled version of the Java JRE prior to
version 1.7.0_76-b13 (aka 7.0.760.13). It is, therefore, affected by a
man-in-the-middle (MitM) information disclosure vulnerability known as
POODLE. The vulnerability is due to the way SSL 3.0 handles padding
bytes when decrypting messages encrypted using block ciphers in cipher
block chaining (CBC) mode. MitM attackers can decrypt a selected byte
of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created
SSL 3.0 connections. (CVE-2014-3566)
Additionally, unspecified vulnerabilities also exist in the following
bundled Java components :
- 2D (CVE-2014-6585, CVE-2014-6591)
- Deployment (CVE-2015-0403, CVE-2015-0406)
- Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0437)
- Installation (CVE-2015-0421)
- JAX-WS (CVE-2015-0412)
- JSSE (CVE-2014-6593)
- Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
- RMI (CVE-2015-0408)
- Security (CVE-2015-0410)
- Serviceability (CVE-2015-0413)
- Swing (CVE-2015-0407)
VMware has released a patch that updates the JRE bundled with the
appliance. | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 82707 | | published | 2015-04-10 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82707 | | title | VMware vCenter Operations Management Windows JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0069.NASL | | description | Updated java-1.8.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Multiple flaws were found in the way the Hotspot component in OpenJDK
verified bytecode from the class files, and in the way this component
generated code for bytecode. An untrusted Java application or applet
could possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2014-6601, CVE-2015-0437)
Multiple improper permission check issues were discovered in the
JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.8.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 80882 | | published | 2015-01-21 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80882 | | title | RHEL 6 : java-1.8.0-openjdk (RHSA-2015:0069) (POODLE) |
| NASL family | SuSE Local Security Checks | | NASL id | SUSE_11_JAVA-1_7_0-OPENJDK-150206.NASL | | description | java-1_7_0-openjdk was updated to fix 19 security issues.
Details are available at
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.h
tml#AppendixJAVA | | last seen | 2019-01-16 | | modified | 2015-04-18 | | plugin id | 81419 | | published | 2015-02-20 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81419 | | title | SuSE 11.3 Security Update : java-1_7_0-openjdk (SAT Patch Number 10286) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0067.NASL | | description | Updated java-1.7.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
Note: If the web browser plug-in provided by the icedtea-web package
was installed, the issues exposed via Java applets could have been
exploited without user interaction if a user visited a malicious
website.
All users of java-1.7.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 80880 | | published | 2015-01-21 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80880 | | title | RHEL 6 / 7 : java-1.7.0-openjdk (RHSA-2015:0067) (POODLE) |
| NASL family | Debian Local Security Checks | | NASL id | DEBIAN_DSA-3144.NASL | | description | Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, information disclosure or denial of service. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 81090 | | published | 2015-01-30 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81090 | | title | Debian DSA-3144-1 : openjdk-7 - security update (POODLE) |
| NASL family | CentOS Local Security Checks | | NASL id | CENTOS_RHSA-2015-0068.NASL | | description | Updated java-1.7.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.7.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 80869 | | published | 2015-01-21 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80869 | | title | CentOS 5 : java-1.7.0-openjdk (CESA-2015:0068) (POODLE) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0085.NASL | | description | Updated java-1.6.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.6.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-12-27 | | plugin id | 81013 | | published | 2015-01-27 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81013 | | title | RHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2015:0085) (POODLE) |
| NASL family | Misc. | | NASL id | ORACLE_JAVA_CPU_JAN_2015_UNIX.NASL | | description | The version of Oracle Java SE or Java for Business installed on the
remote host is prior to 8 Update 31, 7 Update 75, 6 Update 91, or 5
Update 81. It is, therefore, affected by security vulnerabilities in
the following components :
- 2D
- Deployment
- Hotspot
- Install
- JAX-WS
- JSSE
- Libraries
- RMI
- Security
- Serviceability
- Swing | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 80907 | | published | 2015-01-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80907 | | title | Oracle Java SE Multiple Vulnerabilities (January 2015 CPU) (Unix) (POODLE) |
| NASL family | Oracle Linux Local Security Checks | | NASL id | ORACLELINUX_ELSA-2015-0068.NASL | | description | From Red Hat Security Advisory 2015:0068 :
Updated java-1.7.0-openjdk packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the
JAX-WS, and RMI components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2015-0412, CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE
component in OpenJDK failed to properly check whether the
ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to
be established without encryption being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK.
An untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in
the 2D component in OpenJDK. A specially crafted font file could allow
an untrusted Java application or applet to disclose portions of the
Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.7.0-openjdk are advised to upgrade to these
updated packages, which resolve these issues. All running instances of
OpenJDK Java must be restarted for the update to take effect. | | last seen | 2019-01-16 | | modified | 2018-09-05 | | plugin id | 80900 | | published | 2015-01-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80900 | | title | Oracle Linux 5 : java-1.7.0-openjdk (ELSA-2015-0068) (POODLE) |
| NASL family | Misc. | | NASL id | VMWARE_WORKSPACE_PORTAL_VMSA2015-0003.NASL | | description | The VMware Workspace Portal (formerly known as VMware Horizon
Workspace) installed on the remote host is version 2.x prior to 2.1.1.
It is, therefore, affected by a man-in-the-middle (MitM) information
disclosure vulnerability known as POODLE. The vulnerability is due to
the way SSL 3.0 handles padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few
as 256 tries if they are able to force a victim application to
repeatedly send the same data over newly created SSL 3.0 connections.
(CVE-2014-3566)
Additionally, unspecified vulnerabilities also exist in the following
bundled Java components :
- 2D (CVE-2014-6585, CVE-2014-6591)
- Deployment (CVE-2015-0403, CVE-2015-0406)
- Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0437)
- Installation (CVE-2015-0421)
- JAX-WS (CVE-2015-0412)
- JSSE (CVE-2014-6593)
- Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
- RMI (CVE-2015-0408)
- Security (CVE-2015-0410)
- Serviceability (CVE-2015-0413)
- Swing (CVE-2015-0407) | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 82742 | | published | 2015-04-13 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82742 | | title | VMware Workspace Portal Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE) |
| NASL family | Ubuntu Local Security Checks | | NASL id | UBUNTU_USN-2486-1.NASL | | description | Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker
could exploit these to cause a denial of service or expose sensitive
data over the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601,
CVE-2015-0395, CVE-2015-0408, CVE-2015-0412)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose
sensitive data over the network. (CVE-2014-6585, CVE-2014-6591,
CVE-2015-0400, CVE-2015-0407)
A vulnerability was discovered in the OpenJDK JRE related to
information disclosure and integrity. An attacker could exploit this
to expose sensitive data over the network. (CVE-2014-6593)
A vulnerability was discovered in the OpenJDK JRE related to integrity
and availability. An attacker could exploit this to cause a denial of
service. (CVE-2015-0383)
A vulnerability was discovered in the OpenJDK JRE related to
availability. An attacker could this exploit to cause a denial of
service. (CVE-2015-0410).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-12-01 | | plugin id | 81043 | | published | 2015-01-28 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81043 | | title | Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2486-1) (POODLE) |
| NASL family | Windows | | NASL id | VMWARE_VCENTER_CHARGEBACK_MANAGER_VMSA_2015_0003.NASL | | description | The version of VMware vCenter Chargeback Manager installed on the
remote host is affected by a man-in-the-middle (MitM) information
disclosure vulnerability known as POODLE. The vulnerability is due to
the way SSL 3.0 handles padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few
as 256 tries if they are able to force a victim application to
repeatedly send the same data over newly created SSL 3.0 connections.
(CVE-2014-3566)
Additionally, unspecified vulnerabilities also exist in the following
bundled Java components :
- 2D (CVE-2014-6585, CVE-2014-6591)
- Deployment (CVE-2015-0403, CVE-2015-0406)
- Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395,
CVE-2015-0437)
- Installation (CVE-2015-0421)
- JAX-WS (CVE-2015-0412)
- JSSE (CVE-2014-6593)
- Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400)
- RMI (CVE-2015-0408)
- Security (CVE-2015-0410)
- Serviceability (CVE-2015-0413)
- Swing (CVE-2015-0407) | | last seen | 2019-01-16 | | modified | 2018-11-15 | | plugin id | 82899 | | published | 2015-04-20 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82899 | | title | VMware vCenter Chargeback Manager Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE) |
|
