AIX Java Advisory : java_jul2014_advisory.asc

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote AIX host has a version of Java SDK installed that is
affected by multiple vulnerabilities.

Description :

The version of Java SDK installed on the remote host is affected by
the following vulnerabilities :

- A privilege escalation vulnerability in the IBM Java
Virtual Machine allows remote attackers to execute code
and gain elevated access in the context of a security
manager. (CVE-2014-3086)

- Data integrity vulnerabilities exist in Oracle Java
within the Deployment subcomponent. (CVE-2014-4208,
CVE-2014-4220, CVE-2014-4265)

- An information disclosure vulnerability in Oracle Java's
JMX subcomponent allows a remote attacker to view or
edit the SubjectDelegator class. (CVE-2014-4209)

- A vulnerability in Oracle Java allows a remote attacker
to bypass security features via flaws in 'Proxy.java'
in the Libraries subcomponent. (CVE-2014-4218)

- A vulnerability in Oracle Java allows remote code
execution via a flaw in the Hotspot subcomponent that
returns incomplete objects. (CVE-2014-4219)

- An information disclosure vulnerability in Oracle Java's
Libraries subcomponent allows a remote attacker to view
sensitive information. (CVE-2014-4221)

- Vulnerabilities in Oracle Java allow remote code
execution via flaws in the Deployment subcomponent.
(CVE-2014-4227)

- Information disclosure vulnerabilities exist in the
Security subcomponent of Oracle Java that can allow
remote attackers to obtain sensitive information,
including information about the keys in use.
(CVE-2014-4244, CVE-2014-4252, CVE-2014-4263)

- A vulnerability in Oracle Java allows remote code
execution via a memory corruption flaw in the Libraries
subcomponent. (CVE-2014-4262)

- A data integrity vulnerability exists in Oracle Java
within the Serviceability subcomponent due to incorrect
function return values. (CVE-2014-4266)

- An information disclosure vulnerability in Oracle Java's
Swing subcomponent allows a remote attacker to view
restricted file contents. (CVE-2014-4268)

See also :

http://www.nessus.org/u?0cd279e0
http://www.nessus.org/u?aacaab25
http://www.nessus.org/u?70623e16
http://www.nessus.org/u?1d08dc51
http://www.nessus.org/u?4ca2561a
http://www.nessus.org/u?a624fae8
http://www.nessus.org/u?aa3fc787
http://www.nessus.org/u?e42e2673
http://www.nessus.org/u?ae6bb0ba
http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

Solution :

Fixes are available by version and can be downloaded from the AIX
website.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false