Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through     Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via     unspecified vectors related to JMX, aka Issue 52, a different vulnerability than CVE-2013-1490.
    (CVE-2013-0431)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote host is affected by the vulnerability described in GLSA-201406-32 (IcedTea JDK: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the IcedTea JDK. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, obtain       sensitive information, bypass intended security policies, or have other       unspecified impact.
  Workaround :

    There is no known workaround at this time.

java-1_7_0-openjdk was updated to icedtea-2.3.6 (bnc#803379) containing various security and bugfixes :

  - Security fixes

  - S6563318, CVE-2013-0424: RMI data sanitization

  - S6664509, CVE-2013-0425: Add logging context

  - S6664528, CVE-2013-0426: Find log level matching its     name or value given at construction time

  - S6776941: CVE-2013-0427: Improve thread pool shutdown

  - S7141694, CVE-2013-0429: Improving CORBA internals

  - S7173145: Improve in-memory representation of     splashscreens

  - S7186945: Unpack200 improvement

  - S7186946: Refine unpacker resource usage

  - S7186948: Improve Swing data validation

  - S7186952, CVE-2013-0432: Improve clipboard access

  - S7186954: Improve connection performance

  - S7186957: Improve Pack200 data validation

  - S7192392, CVE-2013-0443: Better validation of client     keys

  - S7192393, CVE-2013-0440: Better Checking of order of TLS     Messages

  - S7192977, CVE-2013-0442: Issue in toolkit thread

  - S7197546, CVE-2013-0428: (proxy) Reflect about creating     reflective proxies

  - S7200491: Tighten up JTable layout code

  - S7200493, CVE-2013-0444: Improve cache handling

  - S7200499: Better data validation for options

  - S7200500: Launcher better input validation

  - S7201064: Better dialogue checking

  - S7201066, CVE-2013-0441: Change modifiers on unused     fields

  - S7201068, CVE-2013-0435: Better handling of UI elements

  - S7201070: Serialization to conform to protocol

  - S7201071, CVE-2013-0433: InetSocketAddress serialization     issue

  - S8000210: Improve JarFile code quality

  - S8000537, CVE-2013-0450: Contextualize     RequiredModelMBean class

  - S8000539, CVE-2013-0431: Introspect JMX data handling

  - S8000540, CVE-2013-1475: Improve IIOP type reuse     management

  - S8000631, CVE-2013-1476: Restrict access to class     constructor

  - S8001235, CVE-2013-0434: Improve JAXP HTTP handling

  - S8001242: Improve RMI HTTP conformance

  - S8001307: Modify ACC_SUPER behavior

  - S8001972, CVE-2013-1478: Improve image processing

  - S8002325, CVE-2013-1480: Improve management of images

  - Backports

  - S7057320:
    test/java/util/concurrent/Executors/AutoShutdown.java     failing intermittently

  - S7083664: TEST_BUG: test hard code of using c:/temp but     this dir might not exist

  - S7107613: scalability blocker in     javax.crypto.CryptoPermissions

  - S7107616: scalability blocker in     javax.crypto.JceSecurityManager

  - S7146424: Wildcard expansion for single entry classpath

  - S7160609: [macosx] JDK crash in libjvm.dylib ( C     [GeForceGLDriver+0x675a] gldAttachDrawable+0x941)

  - S7160951: [macosx] ActionListener called twice for     JMenuItem using ScreenMenuBar

  - S7162488: VM not printing unknown -XX options

  - S7169395: Exception throws due to the changes in JDK 7     object tranversal and break backward compatibility

  - S7175616: Port fix for TimeZone from JDK 8 to JDK 7

  - S7176485: (bf) Allow temporary buffer cache to grow to     IOV_MAX

  - S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and     reinitialize build number

  - S7184326: TEST_BUG:
    java/awt/Frame/7024749/bug7024749.java has a typo

  - S7185245: Licensee source bundle tries to compile JFR

  - S7185471: Avoid key expansion when AES cipher is re-init     w/ the same key

  - S7186371: [macosx] Main menu shortcuts not displayed     (7u6 regression)

  - S7187834: [macosx] Usage of private API in macosx 2d     implementation causes Apple Store rejection

  - S7188114: (launcher) need an alternate command line     parser for Windows

  - S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and     reinitialize build number

  - S7189350: Fix failed for CR 7162144

  - S7190550: REGRESSION: Some closed/com/oracle/jfr/api     tests fail to compile because of fix 7185245

  - S7193219: JComboBox serialization fails in JDK 1.7

  - S7193977: REGRESSION:Java 7's JavaBeans persistence     ignoring the 'transient' flag on properties

  - S7195106: REGRESSION : There is no way to get Icon inf,     once Softreference is released

  - S7195301: XML Signature DOM implementation should not     use instanceof to determine type of Node

  - S7195931: UnsatisfiedLinkError on     PKCS11.C_GetOperationState while using NSS from jre7u6+

  - S7197071: Makefiles for various security providers     aren't including the default manifest.

  - S7197652: Impossible to run any signed JNLP applications     or applets, OCSP off by default

  - S7198146: Another new regression test does not compile     on windows-amd64

  - S7198570: (tz) Support tzdata2012f

  - S7198640: new hotspot build - hs23.6-b04

  - S7199488: [TEST] runtime/7158800/InternTest.java failed     due to false-positive on PID match.

  - S7199645: Increment build # of hs23.5 to b02

  - S7199669: Update tags in .hgtags file for CPU release     rename

  - S7200720: crash in net.dll during NTLM authentication

  - S7200742: (se) Selector.select does not block when     starting Coherence (sol11u1)

  - S7200762: [macosx] Stuck in     sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Na     tive Method)

  - S8000285: Deadlock between PostEventQueue.noEvents,     EventQueue.isDispatchThread and     SwingUtilities.invokeLater

  - S8000286: [macosx] Views keep scrolling back to the drag     position after DnD

  - S8000297: REGRESSION:
    closed/java/awt/EventQueue/PostEventOrderingTest.java     fails

  - S8000307: Jre7cert: focusgained does not get called for     all focus req when do alt + tab

  - S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and     reinitialize build number

  - S8001124: jdk7u ProblemList.txt updates (10/2012)

  - S8001242: Improve RMI HTTP conformance

  - S8001808: Create a test for 8000327

  - S8001876: Create regtest for 8000283

  - S8002068: Build broken: corba code changes unable to use     new JDK 7 classes

  - S8002091: tools/launcher/ToolsOpts.java test started to     fail since 7u11 b01 on Windows

  - S8002114: fix failed for JDK-7160951: [macosx]     ActionListener called twice for JMenuItem using     ScreenMenuBar

  - S8002225: (tz) Support tzdata2012i

  - S8003402: (dc)     test/java/nio/channels/DatagramChannel/SendToUnresovled.
    java failing after 7u11 cleanup issues

  - S8003403: Test ShortRSAKeyWithinTLS and     ClientJSSEServerJSSE failing after 7u11 cleanup

  - S8003948: NTLM/Negotiate authentication problem

  - S8004175: Restricted packages added in java.security are     missing in java.security-(macosx, solaris, windows)

  - S8004302: javax/xml/soap/Test7013971.java fails since     jdk6u39b01

  - S8004341: Two JCK tests fails with 7u11 b06

  - S8005615: Java Logger fails to load tomcat logger     implementation (JULI)

  - Bug fixes

  - Fix build using Zero's HotSpot so all patches apply     again.

  - PR1295: jamvm parallel unpack failure

  - removed icedtea-2.3.2-fix-extract-jamvm-dependency.patch

  - removed     icedtea-2.3.3-refresh-6924259-string_offset.patch

  - few missing /openjdk/%(origin)/ changes

The remote host has a version of IBM Domino (formerly Lotus Domino) 9.x prior to 9.0.1 installed. It is, therefore, reportedly affected by the following vulnerabilities :

  - The included version of the IBM Java SDK contains a     version of IBM JRE that contains numerous security     issues. (CVE-2013-0809, CVE-2013-1493, CVE-2013-2436,     CVE-2013-2455, CVE-2013-3006, CVE-2013-3007,     CVE-2013-3008, CVE-2013-3009, CVE-2013-3010,     CVE-2013-3011, CVE-2013-3012)

  - An input validation error exists related to handling     content in email messages that could allow cross-site     scripting attacks. (CVE-2013-4063)

  - An input validation error exists related to iNotes when     running in 'ultra-light' mode that could allow cross-     site scripting attacks. (CVE-2013-4064)

  - An input validation error exists related to handling     content in email messages and iNotes when running in     'ultra-light' mode that could allow cross-site     scripting attacks. (CVE-2013-4065)

  - Note that fixes in the Oracle Java CPUs for February,     April and June 2013 are included in the fixed IBM Java     release, which is included in the fixed IBM Domino     release. (CVE-2012-1541, CVE-2012-3213, CVE-2012-3342,     CVE-2013-0351, CVE-2013-0401, CVE-2013-0402,     CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,     CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,     CVE-2013-0427, CVE-2013-0428, CVE-2013-0429,     CVE-2013-0430, CVE-2013-0431, CVE-2013-0432,     CVE-2013-0433, CVE-2013-0434, CVE-2013-0435,     CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,     CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,     CVE-2013-0444, CVE-2013-0445, CVE-2013-0446,     CVE-2013-0448, CVE-2013-0449, CVE-2013-0450,     CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,     CVE-2013-1478, CVE-2013-1479, CVE-2013-1480,     CVE-2013-1481, CVE-2013-1488, CVE-2013-1489,     CVE-2013-1491, CVE-2013-1500, CVE-2013-1518,     CVE-2013-1537, CVE-2013-1540, CVE-2013-1557,     CVE-2013-1558, CVE-2013-1561, CVE-2013-1563,     CVE-2013-1564, CVE-2013-1569, CVE-2013-1571,     CVE-2013-2383, CVE-2013-2384, CVE-2013-2394,     CVE-2013-2400, CVE-2013-2407, CVE-2013-2412,     CVE-2013-2414, CVE-2013-2415, CVE-2013-2416,     CVE-2013-2417, CVE-2013-2418, CVE-2013-2419,     CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,     CVE-2013-2423, CVE-2013-2424, CVE-2013-2425,     CVE-2013-2426, CVE-2013-2427, CVE-2013-2428,     CVE-2013-2429, CVE-2013-2430, CVE-2013-2431,     CVE-2013-2432, CVE-2013-2433, CVE-2013-2434,     CVE-2013-2435, CVE-2013-2437, CVE-2013-2438,     CVE-2013-2439, CVE-2013-2440, CVE-2013-2442,     CVE-2013-2443, CVE-2013-2444, CVE-2013-2445,     CVE-2013-2446, CVE-2013-2447, CVE-2013-2448,     CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,     CVE-2013-2452, CVE-2013-2453, CVE-2013-2454,     CVE-2013-2456, CVE-2013-2457, CVE-2013-2458,     CVE-2013-2459, CVE-2013-2460, CVE-2013-2461,     CVE-2013-2462, CVE-2013-2463, CVE-2013-2464,     CVE-2013-2465, CVE-2013-2466, CVE-2013-2467,     CVE-2013-2468, CVE-2013-2469, CVE-2013-2470,     CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,     CVE-2013-3743, CVE-2013-3744, CVE-2013-4002)

According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) on the remote host is 9.x earlier than 9.0.1.  It is, therefore, affected by the following vulnerabilities :

  - The included version of the IBM Java SDK contains a     version of IBM JRE that contains numerous security     issues. (CVE-2013-0809, CVE-2013-1493, CVE-2013-2436,     CVE-2013-2455, CVE-2013-3006, CVE-2013-3007,     CVE-2013-3008, CVE-2013-3009, CVE-2013-3010,     CVE-2013-3011, CVE-2013-3012)

  - An input validation error exists related to handling     content in email messages that could allow cross-site     scripting attacks. (CVE-2013-4063)

  - An input validation error exists related to iNotes when     running in 'ultra-light' mode that could allow cross-     site scripting attacks. (CVE-2013-4064)

  - An input validation error exists related to handling     content in email messages and iNotes when running in     'ultra-light' mode that could allow cross-site     scripting attacks. (CVE-2013-4065)

  - Note that fixes in the Oracle Java CPUs for February,     April and June 2013 are included in the fixed IBM Java     release, which is included in the fixed IBM Domino     release. (CVE-2012-1541, CVE-2012-3213, CVE-2012-3342,     CVE-2013-0351, CVE-2013-0401, CVE-2013-0402,     CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,     CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,     CVE-2013-0427, CVE-2013-0428, CVE-2013-0429,     CVE-2013-0430, CVE-2013-0431, CVE-2013-0432,     CVE-2013-0433, CVE-2013-0434, CVE-2013-0435,     CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,     CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,     CVE-2013-0444, CVE-2013-0445, CVE-2013-0446,     CVE-2013-0448, CVE-2013-0449, CVE-2013-0450,     CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,     CVE-2013-1478, CVE-2013-1479, CVE-2013-1480,     CVE-2013-1481, CVE-2013-1488, CVE-2013-1489,     CVE-2013-1491, CVE-2013-1500, CVE-2013-1518,     CVE-2013-1537, CVE-2013-1540, CVE-2013-1557,     CVE-2013-1558, CVE-2013-1561, CVE-2013-1563,     CVE-2013-1564, CVE-2013-1569, CVE-2013-1571,     CVE-2013-2383, CVE-2013-2384, CVE-2013-2394,     CVE-2013-2400, CVE-2013-2407, CVE-2013-2412,     CVE-2013-2414, CVE-2013-2415, CVE-2013-2416,     CVE-2013-2417, CVE-2013-2418, CVE-2013-2419,     CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,     CVE-2013-2423, CVE-2013-2424, CVE-2013-2425,     CVE-2013-2426, CVE-2013-2427, CVE-2013-2428,     CVE-2013-2429, CVE-2013-2430, CVE-2013-2431,     CVE-2013-2432, CVE-2013-2433, CVE-2013-2434,     CVE-2013-2435, CVE-2013-2437, CVE-2013-2438,     CVE-2013-2439, CVE-2013-2440, CVE-2013-2442,     CVE-2013-2443, CVE-2013-2444, CVE-2013-2445,     CVE-2013-2446, CVE-2013-2447, CVE-2013-2448,     CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,     CVE-2013-2452, CVE-2013-2453, CVE-2013-2454,     CVE-2013-2456, CVE-2013-2457, CVE-2013-2458,     CVE-2013-2459, CVE-2013-2460, CVE-2013-2461,     CVE-2013-2462, CVE-2013-2463, CVE-2013-2464,     CVE-2013-2465, CVE-2013-2466, CVE-2013-2467,     CVE-2013-2468, CVE-2013-2469, CVE-2013-2470,     CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,     CVE-2013-3743, CVE-2013-3744, CVE-2013-4002)

The remote host has a version of IBM Notes (formerly Lotus Notes) 8.5.x prior to 8.5.3 Fix Pack 5 installed.  It is, therefore, reportedly affected by the following vulnerabilities :

  - The included version of the IBM Java SDK contains a     version of the IBM JRE that contains numerous security     issues. (CVE-2013-0809, CVE-2013-1493, CVE-2013-2436,     CVE-2013-2455, CVE-2013-3006, CVE-2013-3007,     CVE-2013-3008, CVE-2013-3009, CVE-2013-3010,     CVE-2013-3011, CVE-2013-3012)

  - Note also that fixes in the Oracle Java CPUs for     February, April and June 2013 are included in the     fixed IBM Java release, which is included in the     fixed IBM Notes release.
    (CVE-2012-1541, CVE-2012-3213, CVE-2012-3342,     CVE-2013-0351, CVE-2013-0401, CVE-2013-0402,     CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,     CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,     CVE-2013-0427, CVE-2013-0428, CVE-2013-0429,     CVE-2013-0430, CVE-2013-0431, CVE-2013-0432,     CVE-2013-0433, CVE-2013-0434, CVE-2013-0435,     CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,     CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,     CVE-2013-0444, CVE-2013-0445, CVE-2013-0446,     CVE-2013-0448, CVE-2013-0449, CVE-2013-0450,     CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,     CVE-2013-1478, CVE-2013-1479, CVE-2013-1480,     CVE-2013-1481, CVE-2013-1488, CVE-2013-1489,     CVE-2013-1491, CVE-2013-1500, CVE-2013-1518,     CVE-2013-1537, CVE-2013-1540, CVE-2013-1557,     CVE-2013-1558, CVE-2013-1561, CVE-2013-1563,     CVE-2013-1564, CVE-2013-1569, CVE-2013-1571,     CVE-2013-2383, CVE-2013-2384, CVE-2013-2394,     CVE-2013-2400, CVE-2013-2407, CVE-2013-2412,     CVE-2013-2414, CVE-2013-2415, CVE-2013-2416,     CVE-2013-2417, CVE-2013-2418, CVE-2013-2419,     CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,     CVE-2013-2423, CVE-2013-2424, CVE-2013-2425,     CVE-2013-2426, CVE-2013-2427, CVE-2013-2428,     CVE-2013-2429, CVE-2013-2430, CVE-2013-2431,     CVE-2013-2432, CVE-2013-2433, CVE-2013-2434,     CVE-2013-2435, CVE-2013-2437, CVE-2013-2438,     CVE-2013-2439, CVE-2013-2440, CVE-2013-2442,     CVE-2013-2443, CVE-2013-2444, CVE-2013-2445,     CVE-2013-2446, CVE-2013-2447, CVE-2013-2448,     CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,     CVE-2013-2452, CVE-2013-2453, CVE-2013-2454,     CVE-2013-2456, CVE-2013-2457, CVE-2013-2458,     CVE-2013-2459, CVE-2013-2460, CVE-2013-2461,     CVE-2013-2462, CVE-2013-2463, CVE-2013-2464,     CVE-2013-2465, CVE-2013-2466, CVE-2013-2467,     CVE-2013-2468, CVE-2013-2469, CVE-2013-2470,     CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,     CVE-2013-3743, CVE-2013-3744, CVE-2013-4002)

The remote host has a version of IBM Domino (formerly Lotus Domino) 8.5.x prior to 8.5.3 Fix Pack 5 installed.  It is, therefore, reportedly affected by the following vulnerabilities :

  - The included version of the IBM Java SDK contains a     version of the IBM JRE that contains numerous security     issues. (CVE-2013-0809, CVE-2013-1493, CVE-2013-2436,     CVE-2013-2455, CVE-2013-3006, CVE-2013-3007,     CVE-2013-3008, CVE-2013-3009, CVE-2013-3010,     CVE-2013-3011, CVE-2013-3012)

  - Note also that fixes in the Oracle Java CPUs for     February, April and June 2013 are included in the     fixed IBM Java release, which is itself included     in the fixed IBM Domino release.
    (CVE-2012-1541, CVE-2012-3213, CVE-2012-3342,     CVE-2013-0351, CVE-2013-0401, CVE-2013-0402,     CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,     CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,     CVE-2013-0427, CVE-2013-0428, CVE-2013-0429,     CVE-2013-0430, CVE-2013-0431, CVE-2013-0432,     CVE-2013-0433, CVE-2013-0434, CVE-2013-0435,     CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,     CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,     CVE-2013-0444, CVE-2013-0445, CVE-2013-0446,     CVE-2013-0448, CVE-2013-0449, CVE-2013-0450,     CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,     CVE-2013-1478, CVE-2013-1479, CVE-2013-1480,     CVE-2013-1481, CVE-2013-1488, CVE-2013-1489,     CVE-2013-1491, CVE-2013-1500, CVE-2013-1518,     CVE-2013-1537, CVE-2013-1540, CVE-2013-1557,     CVE-2013-1558, CVE-2013-1561, CVE-2013-1563,     CVE-2013-1564, CVE-2013-1569, CVE-2013-1571,     CVE-2013-2383, CVE-2013-2384, CVE-2013-2394,     CVE-2013-2400, CVE-2013-2407, CVE-2013-2412,     CVE-2013-2414, CVE-2013-2415, CVE-2013-2416,     CVE-2013-2417, CVE-2013-2418, CVE-2013-2419,     CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,     CVE-2013-2423, CVE-2013-2424, CVE-2013-2425,     CVE-2013-2426, CVE-2013-2427, CVE-2013-2428,     CVE-2013-2429, CVE-2013-2430, CVE-2013-2431,     CVE-2013-2432, CVE-2013-2433, CVE-2013-2434,     CVE-2013-2435, CVE-2013-2437, CVE-2013-2438,     CVE-2013-2439, CVE-2013-2440, CVE-2013-2442,     CVE-2013-2443, CVE-2013-2444, CVE-2013-2445,     CVE-2013-2446, CVE-2013-2447, CVE-2013-2448,     CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,     CVE-2013-2452, CVE-2013-2453, CVE-2013-2454,     CVE-2013-2456, CVE-2013-2457, CVE-2013-2458,     CVE-2013-2459, CVE-2013-2460, CVE-2013-2461,     CVE-2013-2462, CVE-2013-2463, CVE-2013-2464,     CVE-2013-2465, CVE-2013-2466, CVE-2013-2467,     CVE-2013-2468, CVE-2013-2469, CVE-2013-2470,     CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,     CVE-2013-3743, CVE-2013-3744, CVE-2013-4002)

According to its banner, the version of IBM Domino (formerly IBM Lotus Domino) on the remote host is 8.5.x earlier than 8.5.3 FP5.
It is, therefore, affected by the following vulnerabilities :

  - The included version of the IBM Java SDK contains a     version of the IBM JRE that contains numerous security     issues. (CVE-2013-0809, CVE-2013-1493, CVE-2013-2436,     CVE-2013-2455, CVE-2013-3006, CVE-2013-3007,     CVE-2013-3008, CVE-2013-3009, CVE-2013-3010,     CVE-2013-3011, CVE-2013-3012)

  - Note also that fixes in the Oracle Java CPUs for     February, April and June 2013 are included in the     fixed IBM Java release, which is included in the     fixed IBM Domino release.
    (CVE-2012-1541, CVE-2012-3213, CVE-2012-3342,     CVE-2013-0351, CVE-2013-0401, CVE-2013-0402,     CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,     CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,     CVE-2013-0427, CVE-2013-0428, CVE-2013-0429,     CVE-2013-0430, CVE-2013-0431, CVE-2013-0432,     CVE-2013-0433, CVE-2013-0434, CVE-2013-0435,     CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,     CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,     CVE-2013-0444, CVE-2013-0445, CVE-2013-0446,     CVE-2013-0448, CVE-2013-0449, CVE-2013-0450,     CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,     CVE-2013-1478, CVE-2013-1479, CVE-2013-1480,     CVE-2013-1481, CVE-2013-1488, CVE-2013-1489,     CVE-2013-1491, CVE-2013-1500, CVE-2013-1518,     CVE-2013-1537, CVE-2013-1540, CVE-2013-1557,     CVE-2013-1558, CVE-2013-1561, CVE-2013-1563,     CVE-2013-1564, CVE-2013-1569, CVE-2013-1571,     CVE-2013-2383, CVE-2013-2384, CVE-2013-2394,     CVE-2013-2400, CVE-2013-2407, CVE-2013-2412,     CVE-2013-2414, CVE-2013-2415, CVE-2013-2416,     CVE-2013-2417, CVE-2013-2418, CVE-2013-2419,     CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,     CVE-2013-2423, CVE-2013-2424, CVE-2013-2425,     CVE-2013-2426, CVE-2013-2427, CVE-2013-2428,     CVE-2013-2429, CVE-2013-2430, CVE-2013-2431,     CVE-2013-2432, CVE-2013-2433, CVE-2013-2434,     CVE-2013-2435, CVE-2013-2437, CVE-2013-2438,     CVE-2013-2439, CVE-2013-2440, CVE-2013-2442,     CVE-2013-2443, CVE-2013-2444, CVE-2013-2445,     CVE-2013-2446, CVE-2013-2447, CVE-2013-2448,     CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,     CVE-2013-2452, CVE-2013-2453, CVE-2013-2454,     CVE-2013-2456, CVE-2013-2457, CVE-2013-2458,     CVE-2013-2459, CVE-2013-2460, CVE-2013-2461,     CVE-2013-2462, CVE-2013-2463, CVE-2013-2464,     CVE-2013-2465, CVE-2013-2466, CVE-2013-2467,     CVE-2013-2468, CVE-2013-2469, CVE-2013-2470,     CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,     CVE-2013-3743, CVE-2013-3744, CVE-2013-4002)

Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442 , CVE-2013-0445 , CVE-2013-0441 , CVE-2013-1475 , CVE-2013-1476 , CVE-2013-0429 , CVE-2013-0450 , CVE-2013-0425 , CVE-2013-0426 , CVE-2013-0428 , CVE-2013-0444)

Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
(CVE-2013-1478 , CVE-2013-1480)

A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)

The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)

Multiple improper permission check issues were discovered in the JMX, Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0431 , CVE-2013-0427 , CVE-2013-0433 , CVE-2013-0434)

It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
(CVE-2013-0424)

It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.
(CVE-2013-0440)

It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-0247 advisory.

    [1.7.0.9-2.3.5.3.0.1.el6_3]
    - Update DISTRO_NAME in specfile

    [1.7.0.9-2.3.5.3.el6_3]
    - Sync logging fixes with upstream (icedtea7-forest and jdk7u)

    [1.7.0.9-2.3.5.1.el6_3]
    - Removed 6664509 backout and added 8005615 to fix the issue

    [1.7.0.9-2.3.5.el6_3.1]
    - Backed out 6664509 and 7201064.patch which cause regressions

    [1.7.0.9-2.3.5.el6_3]
    - Bumped to 2.3.5
    - Changed BR to java7-devel >= 1:1.7.0 as required by CORBA changes in 2.3.5
    - Resolves: rhbz#906707

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated java-1.7.0-openjdk packages fix security vulnerabilities :

Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2012-3174, CVE-2013-0422).

Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0444).

Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges (CVE-2013-1478, CVE-2013-1480).

A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions (CVE-2013-0432).

The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted (CVE-2013-0435).

Multiple improper permission check issues were discovered in the JMX, Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2013-0431, CVE-2013-0427, CVE-2013-0433, CVE-2013-0434).

It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack (CVE-2013-0424).

It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake (CVE-2013-0440).

It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack (CVE-2013-0443).

Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2013-1486, CVE-2013-1484).

An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2013-1485).

It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle (CVE-2013-0169).

An integer overflow flaw was found in the way the 2D component handled certain sample model instances. A specially crafted sample model instance could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges (CVE-2013-0809).

It was discovered that the 2D component did not properly reject certain malformed images. Specially crafted raster parameters could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges (CVE-2013-1493).

IBM Java 7 was updated to SR4, fixing various critical security issues and bugs.

Please see the IBM JDK Alert page for more information :

http://www.ibm.com/developerworks/java/jdk/alerts/

Security issues fixed :

  - / CVE-2012-3174. (CVE-2013-1487 / CVE-2013-1486 /     CVE-2013-1478 / CVE-2013-0445 / CVE-2013-1480 /     CVE-2013-0441 / CVE-2013-1476 / CVE-2012-1541 /     CVE-2013-0446 / CVE-2012-3342 / CVE-2013-0442 /     CVE-2013-0450 / CVE-2013-0425 / CVE-2013-0426 /     CVE-2013-0428 / CVE-2012-3213 / CVE-2013-0419 /     CVE-2013-0423 / CVE-2013-0351 / CVE-2013-0432 /     CVE-2013-1473 / CVE-2013-0435 / CVE-2013-0434 /     CVE-2013-0409 / CVE-2013-0427 / CVE-2013-0433 /     CVE-2013-0424 / CVE-2013-0440 / CVE-2013-0438 /     CVE-2013-0443 / CVE-2013-1484 / CVE-2013-1485 /     CVE-2013-0437 / CVE-2013-0444 / CVE-2013-0449 /     CVE-2013-0431 / CVE-2013-0422)

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2012-1541, CVE-2012-3174, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0422, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0449, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487, CVE-2013-1493)

All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR4 release. All running instances of IBM Java must be restarted for the update to take effect.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 13 or 6 Update 39, or is earlier than or equal to 5 Update 38 or 1.4.2 Update 40.  It is, therefore, potentially affected by security issues in the following components :

  - 2D
  - AWT
  - Beans
  - CORBA
  - Deployment
  - Install
  - JavaFX
  - JAXP
  - JAX-WS
  - JMX
  - JSSE
  - Libraries
  - Networking
  - RMI
  - Scripting
  - Sound

Updated java-1.7.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.

Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0444)

Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
(CVE-2013-1478, CVE-2013-1480)

A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)

The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)

Multiple improper permission check issues were discovered in the JMX, Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0431, CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)

It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
(CVE-2013-0424)

It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.
(CVE-2013-0440)

It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)

This erratum also upgrades the OpenJDK package to IcedTea7 2.3.5.
Refer to the NEWS file, linked to in the References, for further information.

All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0444)

Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
(CVE-2013-1478, CVE-2013-1480)

A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)

The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435)

Multiple improper permission check issues were discovered in the JMX, Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0431, CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)

It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
(CVE-2013-0424)

It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.
(CVE-2013-0440)

It was discovered that the JSSE component did not properly validate Diffie- Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443)

This erratum also upgrades the OpenJDK package to IcedTea7 2.3.5.

All running instances of OpenJDK Java must be restarted for the update to take effect.

Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1489)

All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 13 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

This version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is 7 Update 11 or earlier and is, therefore, potentially affected by security issues in the following components :

 - 2D

  - AWT

  - Beans

  - CORBA

  - Deployment

  - Install

  - JavaFX

  - JAXP

  - JAX-WS

  - JMX

  - JSSE

  - Libraries

  - Networking

  - RMI

  - Scripting

  - Sound

ID	Name	Product	Family	Severity
217965	Linux Distros Unpatched Vulnerability : CVE-2013-0431	Nessus	Misc.	medium
76303	GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT)	Nessus	Gentoo Local Security Checks	critical
74907	openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0377-1)	Nessus	SuSE Local Security Checks	critical
71861	IBM Domino 9.x < 9.0.1 Multiple Vulnerabilities (credentialed check)	Nessus	Windows	critical
71859	IBM Domino 9.x < 9.0.1 Multiple Vulnerabilities (uncredentialed check)	Nessus	Misc.	critical
70744	IBM Notes 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities	Nessus	Windows	critical
70743	IBM Domino 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities	Nessus	Windows	critical
70742	IBM Domino 8.5.x < 8.5.3 FP 5 Multiple Vulnerabilities	Nessus	Misc.	critical
69715	Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-156)	Nessus	Amazon Linux Local Security Checks	critical
68728	Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0247)	Nessus	Oracle Linux Local Security Checks	high
66107	Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:095)	Nessus	Mandriva Local Security Checks	critical
65246	SuSE 11.2 Security Update : Java (SAT Patch Number 7454)	Nessus	SuSE Local Security Checks	critical
65204	RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2013:0626)	Nessus	Red Hat Local Security Checks	critical
64850	Oracle Java SE Multiple Vulnerabilities (February 2013 CPU) (Unix)	Nessus	Misc.	critical
64537	CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0247)	Nessus	CentOS Local Security Checks	critical
64523	Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL6.x i386/x86_64 (20130208)	Nessus	Scientific Linux Local Security Checks	critical
64520	RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0247)	Nessus	Red Hat Local Security Checks	critical
64468	RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0237)	Nessus	Red Hat Local Security Checks	critical
64454	Oracle Java SE Multiple Vulnerabilities (February 2013 CPU)	Nessus	Windows	critical
6685	Oracle Java SE 7 <= Update 11 Multiple Vulnerabilities (February 2013 CPU)	Nessus Network Monitor	Web Clients	critical

Detections

Analytics

CVE-2013-0431

medium

Tenable Plugins

medium

critical

critical

critical

critical

critical

critical

critical

critical

high

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical