Oracle JRockit R28.3.5 Multiple Vulnerabilities (April 2015 CPU) (FREAK)

medium Nessus Plugin ID 82830

Synopsis

The remote Windows host contains a programming platform that is affected by multiple vulnerabilities.

Description

The remote Windows host has a version of Oracle JRockit installed that is affected by multiple vulnerabilities :

- A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204)

- A flaw exists in the Java Cryptography Extension (JCE) subcomponent due to an implementation error in the RSA signature. A remote attacker can exploit this flaw to disclose sensitive information. (CVE-2015-0478)

- A flaw exists in the JSSE subcomponent due to improper parsing of X.509 certificate options. A remote attacker can exploit this flaw to trigger an application termination, resulting in a denial of service.
(CVE-2015-0488)

Solution

Upgrade to Oracle JRockit version R28.3.6 or later as referenced in the April 2015 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?56618dc1

https://www.smacktls.com/#freak

Plugin Details

Severity: Medium

ID: 82830

File Name: oracle_jrockit_cpu_apr_2015.nasl

Version: 1.8

Type: local

Agent: windows

Family: Windows

Published: 4/16/2015

Updated: 11/22/2019

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2015-0478

Vulnerability Information

CPE: cpe:/a:oracle:jrockit

Required KB Items: installed_sw/Oracle JRockit

Exploit Ease: No known exploits are available

Patch Publication Date: 4/14/2015

Vulnerability Publication Date: 1/6/2015

Reference Information

CVE: CVE-2015-0204, CVE-2015-0478, CVE-2015-0488

BID: 71936, 74147

CERT: 243585