SUSE-SU-2014:1526

SUSE-SU-2014:1549

SUSE-SU-2015:0344

SUSE-SU-2015:0345

SUSE-SU-2015:0392

SSRT101770

RHSA-2014:1657

RHSA-2014:1658

RHSA-2014:1876

RHSA-2014:1877

RHSA-2014:1880

RHSA-2014:1882

RHSA-2015:0264

61163

61164

61609

61635

GLSA-201502-12

http://www-01.ibm.com/support/docview.wss?uid=swg21688283

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

70460

java-1_6_0-ibm was updated to version 1.6.0_sr16.2 to fix 18 security issues.

These security issues were fixed :

  - Unspecified vulnerability in Oracle Java SE 6u81     (CVE-2014-3065).

  - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i     and other products, uses nondeterministic CBC padding,     which makes it easier for man-in-the-middle attackers to     obtain cleartext data via a padding-oracle attack, aka     the 'POODLE' issue (CVE-2014-3566).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, and Java SE Embedded 7u60, allows remote     attackers to affect confidentiality, integrity, and     availability via vectors related to AWT (CVE-2014-6513).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532     (CVE-2014-6503).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503     (CVE-2014-6532).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532     (CVE-2014-4288).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532     (CVE-2014-6493).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Firefox, allows remote     attackers to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment     (CVE-2014-6492).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows local users to affect confidentiality,     integrity, and availability via unknown vectors related     to Deployment (CVE-2014-6458).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Internet Explorer, allows     local users to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment     (CVE-2014-6466).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality, integrity,     and availability via unknown vectors related to     Libraries (CVE-2014-6506).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment (CVE-2014-6515).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20 allows remote attackers to affect     confidentiality via unknown vectors related to 2D     (CVE-2014-6511).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality via unknown     vectors related to Libraries (CVE-2014-6531).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and R28.3.3 allows remote attackers to affect     integrity via unknown vectors related to Libraries     (CVE-2014-6512).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3, and R28.3.3 allows remote attackers to affect     confidentiality and integrity via vectors related to     JSSE (CVE-2014-6457).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect integrity via unknown vectors     related to Libraries (CVE-2014-6502).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and JRockit R28.3.3 allows remote attackers to     affect integrity via unknown vectors related to Security     (CVE-2014-6558).

Further information can be found at http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update
_Nove mber_2014

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Satellite 5.6.

Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets.

Several flaws were fixed in the IBM Java 2 Runtime Environment.
(CVE-2014-3065, CVE-2014-3068, CVE-2014-3566, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4288, CVE-2014-6457, CVE-2014-6458, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412)

The CVE-2014-4262 and CVE-2014-6512 issues were discovered by Florian Weimer of Red Hat Product Security.

Users of Red Hat Satellite 5.6 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16-FP3 release. For this update to take effect, Red Hat Satellite must be restarted ('/usr/sbin/rhn-satellite restart'), as well as all running instances of IBM Java.

The remote host is affected by the vulnerability described in GLSA-201502-12 (Oracle JRE/JDK: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Oracle&rsquo;s Java SE       Development Kit and Runtime Environment. Please review the CVE       identifiers referenced below for details.
  Impact :

    A context-dependent attacker may be able to execute arbitrary code,       disclose, update, insert, or delete certain data.
  Workaround :

    There is no known workaround at this time.

java-1_7_0-ibm has been updated to version 1.7.0_sr7.2 to fix 21 security issues.

These security issues have been fixed :

  - Unspecified vulnerability. (CVE-2014-3065)

  - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i     and other products, uses nondeterministic CBC padding,     which makes it easier for man-in-the-middle attackers to     obtain cleartext data via a padding-oracle attack, aka     the 'POODLE' issue. (CVE-2014-3566)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, and Java SE Embedded 7u60, allows remote     attackers to affect confidentiality, integrity, and     availability via vectors related to AWT. (CVE-2014-6513)

  - Unspecified vulnerability in Oracle Java SE 7u67 and     8u20 allows remote attackers to affect confidentiality,     integrity, and availability via unknown vectors.
    (CVE-2014-6456)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6493 / CVE-2014-6532.
    (CVE-2014-6503)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6493 / CVE-2014-6503.
    (CVE-2014-6532)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-6493 / CVE-2014-6503 / CVE-2014-6532.
    (CVE-2014-4288)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6503 / CVE-2014-6532.
    (CVE-2014-6493)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Firefox, allows remote     attackers to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment.
    (CVE-2014-6492)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows local users to affect confidentiality,     integrity, and availability via unknown vectors related     to Deployment. (CVE-2014-6458)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Internet Explorer, allows     local users to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment.
    (CVE-2014-6466)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality, integrity,     and availability via unknown vectors related to     Libraries. (CVE-2014-6506)

  - Unspecified vulnerability in Oracle Java SE 7u67 and     8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment, a different     vulnerability than CVE-2014-6527. (CVE-2014-6476)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment. (CVE-2014-6515)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20 allows remote attackers to affect     confidentiality via unknown vectors related to 2D.
    (CVE-2014-6511)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality via unknown     vectors related to Libraries. (CVE-2014-6531)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and R28.3.3 allows remote attackers to affect     integrity via unknown vectors related to Libraries.
    (CVE-2014-6512)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3, and R28.3.3 allows remote attackers to affect     confidentiality and integrity via vectors related to     JSSE. (CVE-2014-6457)

  - Unspecified vulnerability in Oracle Java SE 7u67 and     8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment, a different     vulnerability than CVE-2014-6476. (CVE-2014-6527)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect integrity via unknown vectors     related to Libraries. (CVE-2014-6502)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and JRockit R28.3.3 allows remote attackers to     affect integrity via unknown vectors related to     Security. (CVE-2014-6558)

More information can be found at http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update
_November_2014

java-1_6_0-ibm has been updated to version 1.6.0_sr16.2 to fix 18 security issues.

These security issues has been fixed :

  - Unspecified vulnerability in Oracle Java SE 6u81.
    (CVE-2014-3065)

  - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i     and other products, uses nondeterministic CBC padding,     which makes it easier for man-in-the-middle attackers to     obtain cleartext data via a padding-oracle attack, aka     the 'POODLE' issue. (CVE-2014-3566)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, and Java SE Embedded 7u60, allows remote     attackers to affect confidentiality, integrity, and     availability via vectors related to AWT. (CVE-2014-6513)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6493 / CVE-2014-6532.
    (CVE-2014-6503)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6493 / CVE-2014-6503.
    (CVE-2014-6532)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-6493 / CVE-2014-6503 / CVE-2014-6532.
    (CVE-2014-4288)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6503 / CVE-2014-6532.
    (CVE-2014-6493)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Firefox, allows remote     attackers to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment.
    (CVE-2014-6492)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows local users to affect confidentiality,     integrity, and availability via unknown vectors related     to Deployment. (CVE-2014-6458)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Internet Explorer, allows     local users to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment.
    (CVE-2014-6466)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality, integrity,     and availability via unknown vectors related to     Libraries. (CVE-2014-6506)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment. (CVE-2014-6515)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20 allows remote attackers to affect     confidentiality via unknown vectors related to 2D.
    (CVE-2014-6511)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality via unknown     vectors related to Libraries. (CVE-2014-6531)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and R28.3.3 allows remote attackers to affect     integrity via unknown vectors related to Libraries.
    (CVE-2014-6512)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3, and R28.3.3 allows remote attackers to affect     confidentiality and integrity via vectors related to     JSSE. (CVE-2014-6457)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect integrity via unknown vectors     related to Libraries. (CVE-2014-6502)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and JRockit R28.3.3 allows remote attackers to     affect integrity via unknown vectors related to     Security. (CVE-2014-6558)

More information can be found at http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update
_November_2014

The version of Java SDK installed on the remote host is affected by the following vulnerabilities :

  - A privilege escalation vulnerability in the IBM Java SDK     allows a local attacker to inject arbitrary code into     the shared classes cache due to a flaw in the default     configuration for the shared classes feature. Other     users are able to execute the injected code, which can     allow the attacker to gain elevated privileges.
    (CVE-2014-3065)

  - Oracle Java contains the flaw related to SSLv3 CBC-mode     ciphers known as POODLE. The vulnerability is due to the     way SSL 3.0 handles padding bytes when decrypting     messages encrypted using block ciphers in cipher block     chaining (CBC) mode. A man-in-the-middle attacker can     decrypt a selected byte of a cipher text in as few as     256 tries if they are able to force a victim application     to repeatedly send the same data over newly created SSL     3.0 connections. (CVE-2014-3566)

  - Vulnerabilities in Oracle Java allow remote code     execution via flaws in the Deployment subcomponent.
    (CVE-2014-4288, CVE-2014-6492, CVE-2014-6493,     CVE-2014-6503, CVE-2014-6532)

  - A session hijacking vulnerability exists in Oracle Java     due to a flaw related to handling of server certificate     changes during SSL/TLS renegotiation. This allows an     attacker to intercept communication between a client and     server to hijack a mutually authenticated session.
    (CVE-2014-6457)

  - Privilege escalation vulnerabilities exist in Oracle     Java within the the Deployment subcomponent.
    (CVE-2014-6458, CVE-2014-6466)

  - Data integrity vulnerabilities exist in Oracle Java     within the the Deployment subcomponent. (CVE-2014-6476,     CVE-2014-6515, CVE-2014-6527)

  - A privilege escalation vulnerability exists in Oracle     Java in the resource bundle handling code of the     'LogRecord::readObject' function within the file     'share/classes/java/util/logging/LogRecord.java',     which allows an attacker to bypass certain sandbox     restrictions. (CVE-2014-6502)

  - A privilege escalation vulnerability exists in Oracle     Java within the property processing and name handling     code of 'share/classes/java/util/ResourceBundle.java',     which allows an attacker to bypass certain sandbox     restrictions. (CVE-2014-6506)

  - Oracle Java contains an unspecified vulnerability in the     2D subcomponent. (CVE-2014-6511)

  - An information disclosure vulnerability exists in Oracle     Java due to a flaw related to the wrapping of datagram     sockets in the DatagramSocket implementation. This issue     may cause packets to be read that originate from other     sources than the connected, thus allowing a remote     attacker to carry out IP spoofing. (CVE-2014-6512)

  - A flaw exists in the way splash images are handled by     'windows/native/sun/awt/splashscreen/splashscreen_sys.c'     which allows remote code execution. (CVE-2014-6513)

  - A privilege escalation vulnerability exists in Oracle     Java in 'share/classes/java/util/logging/Logger.java'     because it fails to check permissions in certain cases,     allowing an attacker to bypass sandbox restrictions and     view or edit logs. (CVE-2014-6531)

  - A flaw related to input cipher streams within the file     'share/classes/javax/crypto/CipherInputStream.java' can     allow a remote attacker to affect the data integrity.
    (CVE-2014-6558)

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

[Updated 2 December 2014] This advisory has been updated to include updated java-1.7.0-ibm-jdbc and java-1.7.0-ibm-plugin packages, which were previously missing from this erratum. No changes were made to the other packages in this erratum.

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-3065, CVE-2014-3566, CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6476, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558)

The CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat Product Security.

Note: With this update, the IBM SDK now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the IBM article linked to in the References section for additional details about this change and instructions on how to re-enable SSL 3.0 support if needed.

Note: This is the last update for the java-1.7.0-ibm packages distributed via the Red Hat Enterprise Linux 6 Supplementary channels.
The RHEA-2014:1619 advisory, released as a part of Red Hat Enterprise Linux 6.6, introduced the new java-1.7.1-ibm packages. These packages contain IBM Java SE version 7 Release 1, which adds multiple enhancements over the IBM Java SE version 7 in the java-1.7.0-ibm packages. All java-1.7.0-ibm users must migrate to java-1.7.1-ibm packages to continue receiving updates for the IBM Java SE version 7 via the Red Hat Enterprise Linux 6 Supplementary channel.

All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR8 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-3065, CVE-2014-3566, CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6476, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558)

The CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat Product Security.

Note: With this update, the IBM SDK now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the IBM article linked to in the References section for additional details about this change and instructions on how to re-enable SSL 3.0 support if needed.

All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR2 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-3065, CVE-2014-3566, CVE-2014-4288, CVE-2014-6457, CVE-2014-6458, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558)

The CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat Product Security.

Note: With this update, the IBM SDK now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the IBM article linked to in the References section for additional details about this change and instructions on how to re-enable SSL 3.0 support if needed.

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP2 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-3065, CVE-2014-3566, CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6476, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558)

The CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat Product Security.

Note: With this update, the IBM SDK now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the IBM article linked to in the References section for additional details about this change and instructions on how to re-enable SSL 3.0 support if needed.

All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR8 release. All running instances of IBM Java must be restarted for the update to take effect.

Oracle Critical Patch Update Advisory - October 2014

Description :

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities.

Find more information here:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.h tml

Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2014-4288, CVE-2014-6457, CVE-2014-6458, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6517, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558)

The CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 85 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
(CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6476, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6517, CVE-2014-6519, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558)

The CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat Product Security.

All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 72 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 25, 7 Update 71, 6 Update 85, or 5 Update 75. It is, therefore, affected by security issues in the following components :

  - 2D
  - AWT
  - Deployment
  - Hotspot
  - JAXP
  - JSSE
  - JavaFX
  - Libraries
  - Security

Oracle's October 2014 security update for Java fixes remote and local vulnerabilities in the following components of the Java SE JDK/JRE:

  - 2D
  - AWT
  - Deployment
  - Hotspot
  - JAXP
  - JSSE
  - JavaFX
  - Libraries
  - Security

Twenty-two of these 25 fixed vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. no further details have been released by the vendor.

ID	Name	Product	Family	Severity
119959	SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2014:1541-1) (POODLE)	Nessus	SuSE Local Security Checks	critical
81505	RHEL 5 / 6 : Red Hat Satellite IBM Java Runtime (RHSA-2015:0264) (POODLE)	Nessus	Red Hat Local Security Checks	critical
81370	GLSA-201502-12 : Oracle JRE/JDK: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
79635	SuSE 11.3 Security Update : IBM Java (SAT Patch Number 9999)	Nessus	SuSE Local Security Checks	critical
79634	SuSE 11.3 Security Update : IBM Java (SAT Patch Number 9992)	Nessus	SuSE Local Security Checks	critical
79626	AIX Java Advisory : java_oct2014_advisory.asc (POODLE)	Nessus	AIX Local Security Checks	critical
79379	RHEL 6 : java-1.7.0-ibm (RHSA-2014:1882) (POODLE)	Nessus	Red Hat Local Security Checks	high
79377	RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2014:1880) (POODLE)	Nessus	Red Hat Local Security Checks	high
79352	RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2014:1877) (POODLE)	Nessus	Red Hat Local Security Checks	high
79351	RHEL 5 : java-1.7.0-ibm (RHSA-2014:1876) (POODLE)	Nessus	Red Hat Local Security Checks	high
79208	SuSE 11.3 Security Update : Java OpenJDK (SAT Patch Number 9906)	Nessus	SuSE Local Security Checks	critical
79057	RHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2014:1658)	Nessus	Red Hat Local Security Checks	high
79056	RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2014:1657)	Nessus	Red Hat Local Security Checks	high
78482	Oracle Java SE Multiple Vulnerabilities (October 2014 CPU) (Unix)	Nessus	Misc.	critical
78481	Oracle Java SE Multiple Vulnerabilities (October 2014 CPU)	Nessus	Windows	critical
8550	Oracle Java Update (October 2014) Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical

CVE-2014-6458

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins