ID CVE-2015-0437
Summary Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
References
Vulnerable Configurations
  • Oracle JRE 1.8.0 Update 25
    cpe:2.3:a:oracle:jre:1.8.0:update_25
  • Oracle JDK 1.8.0 Update 25
    cpe:2.3:a:oracle:jdk:1.8.0:update_25
  • Novell SUSE Linux Enterprise Desktop 11.0 Service Pack 3
    cpe:2.3:o:novell:suse_linux_enterprise_desktop:11.0:sp3
CVSS
Base: 9.3 (as of 29-06-2016 - 10:43)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0069.NASL
    description Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601, CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80882
    published 2015-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80882
    title RHEL 6 : java-1.8.0-openjdk (RHSA-2015:0069) (POODLE)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-0069.NASL
    description From Red Hat Security Advisory 2015:0069 : Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601, CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 80901
    published 2015-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80901
    title Oracle Linux 6 : java-1.8.0-openjdk (ELSA-2015-0069) (POODLE)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-0069.NASL
    description Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601, CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) The CVE-2015-0383 issue was discovered by Red Hat. All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80870
    published 2015-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80870
    title CentOS 6 : java-1.8.0-openjdk (CESA-2015:0069) (POODLE)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-472.NASL
    description Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601 , CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412 , CVE-2014-6549 , CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585 , CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 80922
    published 2015-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80922
    title Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2015-472) (POODLE)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150121_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    description Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-6601, CVE-2015-0437) Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408) A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395) A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410) A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the- middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593) An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407) A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587) Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591) Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383) All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 80904
    published 2015-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80904
    title Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (POODLE)
  • NASL family Misc.
    NASL id ORACLE_JAVA_CPU_JAN_2015_UNIX.NASL
    description The version of Oracle Java SE or Java for Business installed on the remote host is prior to 8 Update 31, 7 Update 75, 6 Update 91, or 5 Update 81. It is, therefore, affected by security vulnerabilities in the following components : - 2D - Deployment - Hotspot - Install - JAX-WS - JSSE - Libraries - RMI - Security - Serviceability - Swing
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80907
    published 2015-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80907
    title Oracle Java SE Multiple Vulnerabilities (January 2015 CPU) (Unix) (POODLE)
  • NASL family Windows
    NASL id VMWARE_VCENTER_CHARGEBACK_MANAGER_VMSA_2015_0003.NASL
    description The version of VMware vCenter Chargeback Manager installed on the remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82899
    published 2015-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82899
    title VMware vCenter Chargeback Manager Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE)
  • NASL family Misc.
    NASL id VMWARE_WORKSPACE_PORTAL_VMSA2015-0003.NASL
    description The VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is version 2.x prior to 2.1.1. It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82742
    published 2015-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82742
    title VMware Workspace Portal Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-198.NASL
    description Multiple vulnerabilities has been discovered and corrected in java-1.8.0-openjdk : Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions (CVE-2014-6601, CVE-2015-0437). Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408). A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0395). A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded (CVE-2015-0410). A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack (CVE-2014-3566). Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled (CVE-2014-6593). An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2015-0407). A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions (CVE-2014-6587). Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory (CVE-2014-6585, CVE-2014-6591). Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack (CVE-2015-0383). The updated packages provides a solution for these security issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82684
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82684
    title Mandriva Linux Security Advisory : java-1.8.0-openjdk (MDVSA-2015:198)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201603-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-201603-11 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities exist in both Oracle’s JRE and JDK. Please review the referenced CVE’s for additional information. Impact : Remote attackers could gain access to information, remotely execute arbitrary code, and cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 89904
    published 2016-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89904
    title GLSA-201603-11 : Oracle JRE/JDK: Multiple vulnerabilities (Logjam)
  • NASL family Misc.
    NASL id VCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-WIN.NASL
    description The version of VMware vCenter Operations Manager installed on the remote Windows host has a bundled version of the Java JRE prior to version 1.7.0_76-b13 (aka 7.0.760.13). It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407) VMware has released a patch that updates the JRE bundled with the appliance.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82707
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82707
    title VMware vCenter Operations Management Windows JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE)
  • NASL family Misc.
    NASL id VMWARE_VCENTER_VMSA-2015-0003.NASL
    description The VMware vCenter Server installed on the remote host is version 5.0 prior to 5.0u3d, 5.1 prior to 5.1u3a, 5.5 prior to 5.5u2e, or 6.0 prior to 6.0.0a. It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE, related to the bundled JRE component. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. Additionally, multiple unspecified vulnerabilities also exist in the following bundled JRE components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 83186
    published 2015-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83186
    title VMware vCenter Server Multiple Java Vulnerabilities (VMSA-2015-0003) (POODLE)
  • NASL family Windows
    NASL id VMWARE_HORIZON_VIEW_VMSA-2015-0003.NASL
    description The VMware Horizon View installed on the remote Windows host is version 5.x prior to 5.3.4 or version 6.x prior to 6.1. It is, therefore, affected by the following vulnerabilities : - A man-in-the-middle (MitM) information disclosure vulnerability, known as POODLE, exists due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) - An XML external entity (XXE) injection vulnerability exists in the included Flex BlazeDS component due to an incorrect configuration of the XML parser that allows external XML entities to be accepted from untrusted sources. An unauthenticated, remote attacker can exploit this vulnerability, via a via a crafted AMF message, to gain access to sensitive information. (CVE-2015-3269) - A flaw exists in the bundled Adobe ColdFusion and LiveCycle Data Services components related to request handling between a user and the server. A remote attacker can exploit this, via a specially crafted request, to bypass access restrictions (e.g. host or network ACLs), conduct port scanning of internal networks, enumerate internal hosts, or possibly invoke additional protocols (e.g. Gopher, TFTP). (CVE-2015-5255) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82741
    published 2015-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82741
    title VMware Horizon View Multiple Vulnerabilities (VMSA-2015-0003) (VMSA-2015-0008) (POODLE)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_7_0-OPENJDK-150206.NASL
    description java-1_7_0-openjdk was updated to fix 19 security issues. Details are available at http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.h tml#AppendixJAVA
    last seen 2019-02-21
    modified 2015-04-18
    plugin id 81419
    published 2015-02-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81419
    title SuSE 11.3 Security Update : java-1_7_0-openjdk (SAT Patch Number 10286)
  • NASL family Misc.
    NASL id VCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-LINUX.NASL
    description The version of VMware vCenter Operations Manager installed on the remote Linux host has a bundled version of the Java JRE prior to version 1.7.0_76-b13 (aka 7.0.760.13). It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407) VMware has released a patch that updates the JRE bundled with the appliance.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82705
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82705
    title VMware vCenter Operations Management Linux JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0080.NASL
    description Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2014-3566, CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413, CVE-2015-0421, CVE-2015-0437) The CVE-2015-0383 issue was discovered by Red Hat. Note: With this update, the Oracle Java SE now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the Red Hat Bugzilla bug linked to in the References section for instructions on how to re-enable SSL 3.0 support if needed. All users of java-1.8.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 8 Update 31 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80932
    published 2015-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80932
    title RHEL 6 : java-1.8.0-oracle (RHSA-2015:0080) (POODLE)
  • NASL family Misc.
    NASL id VCENTER_OPERATIONS_MANAGER_VMSA_2015-0003-VAPP.NASL
    description The version of VMware vCenter Operations Manager installed on the remote host has a bundled version of the Java JRE prior to version 1.7.0_76-b13 (aka 7.0.760). It is, therefore, affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Additionally, unspecified vulnerabilities also exist in the following bundled Java components : - 2D (CVE-2014-6585, CVE-2014-6591) - Deployment (CVE-2015-0403, CVE-2015-0406) - Hotspot (CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0437) - Installation (CVE-2015-0421) - JAX-WS (CVE-2015-0412) - JSSE (CVE-2014-6593) - Libraries (CVE-2014-6549, CVE-2014-6587, CVE-2015-0400) - RMI (CVE-2015-0408) - Security (CVE-2015-0410) - Serviceability (CVE-2015-0413) - Swing (CVE-2015-0407) VMware has released a patch that updates the JRE bundled with the appliance.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 82706
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82706
    title VMware vCenter Operations Management vApp JRE Update 1.7.0_76-b13 (VMSA-2015-0003) (POODLE)
  • NASL family Windows
    NASL id ORACLE_JAVA_CPU_JAN_2015.NASL
    description The version of Oracle Java SE or Java for Business installed on the remote host is prior to 8 Update 31, 7 Update 75, 6 Update 91, or 5 Update 81. It is, therefore, affected by security vulnerabilities in the following components : - 2D - Deployment - Hotspot - Install - JAX-WS - JSSE - Libraries - RMI - Security - Serviceability - Swing
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80908
    published 2015-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80908
    title Oracle Java SE Multiple Vulnerabilities (January 2015 CPU) (POODLE)
redhat via4
advisories
  • bugzilla
    id 1183715
    title CVE-2014-6587 OpenJDK: MulticastSocket NULL pointer dereference (Libraries, 8056264)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment java-1.8.0-openjdk is earlier than 1:1.8.0.31-1.b13.el6_6
          oval oval:com.redhat.rhsa:tst:20150069005
        • comment java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141636006
      • AND
        • comment java-1.8.0-openjdk-demo is earlier than 1:1.8.0.31-1.b13.el6_6
          oval oval:com.redhat.rhsa:tst:20150069007
        • comment java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141636012
      • AND
        • comment java-1.8.0-openjdk-devel is earlier than 1:1.8.0.31-1.b13.el6_6
          oval oval:com.redhat.rhsa:tst:20150069013
        • comment java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141636016
      • AND
        • comment java-1.8.0-openjdk-headless is earlier than 1:1.8.0.31-1.b13.el6_6
          oval oval:com.redhat.rhsa:tst:20150069015
        • comment java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141636008
      • AND
        • comment java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.31-1.b13.el6_6
          oval oval:com.redhat.rhsa:tst:20150069011
        • comment java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141636014
      • AND
        • comment java-1.8.0-openjdk-src is earlier than 1:1.8.0.31-1.b13.el6_6
          oval oval:com.redhat.rhsa:tst:20150069009
        • comment java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141636010
    rhsa
    id RHSA-2015:0069
    released 2015-01-21
    severity Important
    title RHSA-2015:0069: java-1.8.0-openjdk security update (Important)
  • rhsa
    id RHSA-2015:0080
rpms
  • java-1.8.0-openjdk-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-demo-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-devel-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-headless-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-javadoc-1:1.8.0.31-1.b13.el6_6
  • java-1.8.0-openjdk-src-1:1.8.0.31-1.b13.el6_6
refmap via4
bid 72146
confirm http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
gentoo GLSA-201603-11
sectrack 1031580
suse SUSE-SU-2015:0336
xf oracle-cpujan2015-cve20150437(100144)
Last major update 02-01-2017 - 21:59
Published 21-01-2015 - 14:59
Last modified 07-09-2017 - 21:29
Back to Top