SUSE-SU-2014:1422

SUSE-SU-2014:1526

SUSE-SU-2014:1549

SUSE-SU-2015:0344

SUSE-SU-2015:0345

SUSE-SU-2015:0392

SSRT101770

61609

61629

GLSA-201502-12

http://www-01.ibm.com/support/docview.wss?uid=swg21688283

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

70569

USN-2386-1

USN-2388-1

USN-2388-2

java-1_6_0-ibm was updated to version 1.6.0_sr16.2 to fix 18 security issues.

These security issues were fixed :

  - Unspecified vulnerability in Oracle Java SE 6u81     (CVE-2014-3065).

  - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i     and other products, uses nondeterministic CBC padding,     which makes it easier for man-in-the-middle attackers to     obtain cleartext data via a padding-oracle attack, aka     the 'POODLE' issue (CVE-2014-3566).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, and Java SE Embedded 7u60, allows remote     attackers to affect confidentiality, integrity, and     availability via vectors related to AWT (CVE-2014-6513).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532     (CVE-2014-6503).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503     (CVE-2014-6532).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532     (CVE-2014-4288).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532     (CVE-2014-6493).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Firefox, allows remote     attackers to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment     (CVE-2014-6492).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows local users to affect confidentiality,     integrity, and availability via unknown vectors related     to Deployment (CVE-2014-6458).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Internet Explorer, allows     local users to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment     (CVE-2014-6466).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality, integrity,     and availability via unknown vectors related to     Libraries (CVE-2014-6506).

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment (CVE-2014-6515).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20 allows remote attackers to affect     confidentiality via unknown vectors related to 2D     (CVE-2014-6511).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality via unknown     vectors related to Libraries (CVE-2014-6531).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and R28.3.3 allows remote attackers to affect     integrity via unknown vectors related to Libraries     (CVE-2014-6512).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3, and R28.3.3 allows remote attackers to affect     confidentiality and integrity via vectors related to     JSSE (CVE-2014-6457).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect integrity via unknown vectors     related to Libraries (CVE-2014-6502).

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and JRockit R28.3.3 allows remote attackers to     affect integrity via unknown vectors related to Security     (CVE-2014-6558).

Further information can be found at http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update
_Nove mber_2014

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

OpenJDK was updated to icedtea 2.5.3 (OpenJDK 7u71) fixing security issues and bugs.

  - Security :

  - S8015256: Better class accessibility

  - S8022783, CVE-2014-6504: Optimize C2 optimizations

  - S8035162: Service printing service

  - S8035781: Improve equality for annotations

  - S8036805: Correct linker method lookup.

  - S8036810: Correct linker field lookup

  - S8036936: Use local locales

  - S8037066, CVE-2014-6457: Secure transport layer

  - S8037846, CVE-2014-6558: Ensure streaming of input     cipher streams

  - S8038364: Use certificate exceptions correctly

  - S8038899: Safer safepoints

  - S8038903: More native monitor monitoring

  - S8038908: Make Signature more robust

  - S8038913: Bolster XML support

  - S8039509, CVE-2014-6512: Wrap sockets more thoroughly

  - S8039533, CVE-2014-6517: Higher resolution resolvers

  - S8041540, CVE-2014-6511: Better use of pages in font     processing

  - S8041529: Better parameterization of parameter lists

  - S8041545: Better validation of generated rasters

  - S8041564, CVE-2014-6506: Improved management of logger     resources

  - S8041717, CVE-2014-6519: Issue with class file parser

  - S8042609, CVE-2014-6513: Limit splashiness of splash     images

  - S8042797, CVE-2014-6502: Avoid strawberries in LogRecord

  - S8044274, CVE-2014-6531: Proper property processing

  - Backports :

  - S4963723: Implement SHA-224

  - S7044060: Need to support NSA Suite B Cryptography     algorithms

  - S7122142: (ann) Race condition between     isAnnotationPresent and getAnnotations

  - S7160837: DigestOutputStream does not turn off digest     calculation when 'close()' is called

  - S8006935: Need to take care of long secret keys in     HMAC/PRF computation

  - S8012637: Adjust CipherInputStream class to work in     AEAD/GCM mode

  - S8028192: Use of PKCS11-NSS provider in FIPS mode broken

  - S8038000: java.awt.image.RasterFormatException:
    Incorrect scanline stride

  - S8039396: NPE when writing a class descriptor object to     a custom ObjectOutputStream

  - S8042603: 'SafepointPollOffset' was not declared in     static member function 'static bool     Arguments::check_vm_args_consistency()'

  - S8042850: Extra unused entries in ICU ScriptCodes enum

  - S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp     tests fail since 7u71 b01

  - S8053963: (dc) Use DatagramChannel.receive() instead of     read() in connect()

  - S8055176: 7u71 l10n resource file translation update

  - Bugfixes :

  - PR1988: C++ Interpreter should no longer be used on     ppc64

  - PR1989: Make jdk_generic_profile.sh handle missing     programs better and be more verbose

  - PR1992, RH735336: Support retrieving proxy settings on     GNOME 3.12.2

  - PR2000: Synchronise HEAD tarball paths with release     branch paths

  - PR2002: Fix references to hotspot.map following PR2000

  - PR2003: --disable-system-gtk option broken by     refactoring in PR1736

  - PR2009: Checksum of policy JAR files changes on every     build

  - PR2014: Use version from hotspot.map to create tarball     filename

  - PR2015: Update hotspot.map documentation in INSTALL

  - PR2025: LCMS_CFLAGS and LCMS_LIBS should not be used     unless SYSTEM_LCMS is enabled

  - RH1015432: java-1.7.0-openjdk: Fails on PPC with     StackOverflowError (revised comprehensive fix)

  - CACAO

  - PR2030, G453612, CA172: ARM hardfloat support for CACAO

  - AArch64 port

  - AArch64 C2 instruct for smull

  - Add frame anchor fences.

  - Add MacroAssembler::maybe_isb()

  - Add missing instruction synchronization barriers and     cache flushes.

  - Add support for a few simple intrinsics

  - Add support for builtin crc32 instructions

  - Add support for Neon implementation of CRC32

  - All address constants are 48 bits in size.

  - array load must only read 32 bits

  - Define uabs(). Use it everywhere an absolute value is     wanted.

  - Fast string comparison

  - Fast String.equals()

  - Fix register usage in generate_verify_oop().

  - Fix thinko in Atomic::xchg_ptr.

  - Fix typo in fsqrts

  - Improve C1 performance improvements in ic_cache checks

  - Performance improvement and ease of use changes pulled     from upstream

  - Remove obsolete C1 patching code.

  - Replace hotspot jtreg test suite with tests from jdk7u

  - S8024648: 7141246 breaks Zero port

  - Save intermediate state before removing C1 patching     code.

  - Unwind native AArch64 frames.

  - Use 2- and 3-instruction immediate form of movoop and     mov_metadata in C2-generated code.

  - Various concurrency fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201502-12 (Oracle JRE/JDK: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Oracle&rsquo;s Java SE       Development Kit and Runtime Environment. Please review the CVE       identifiers referenced below for details.
  Impact :

    A context-dependent attacker may be able to execute arbitrary code,       disclose, update, insert, or delete certain data.
  Workaround :

    There is no known workaround at this time.

java-1_7_0-ibm has been updated to version 1.7.0_sr7.2 to fix 21 security issues.

These security issues have been fixed :

  - Unspecified vulnerability. (CVE-2014-3065)

  - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i     and other products, uses nondeterministic CBC padding,     which makes it easier for man-in-the-middle attackers to     obtain cleartext data via a padding-oracle attack, aka     the 'POODLE' issue. (CVE-2014-3566)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, and Java SE Embedded 7u60, allows remote     attackers to affect confidentiality, integrity, and     availability via vectors related to AWT. (CVE-2014-6513)

  - Unspecified vulnerability in Oracle Java SE 7u67 and     8u20 allows remote attackers to affect confidentiality,     integrity, and availability via unknown vectors.
    (CVE-2014-6456)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6493 / CVE-2014-6532.
    (CVE-2014-6503)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6493 / CVE-2014-6503.
    (CVE-2014-6532)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-6493 / CVE-2014-6503 / CVE-2014-6532.
    (CVE-2014-4288)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6503 / CVE-2014-6532.
    (CVE-2014-6493)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Firefox, allows remote     attackers to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment.
    (CVE-2014-6492)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows local users to affect confidentiality,     integrity, and availability via unknown vectors related     to Deployment. (CVE-2014-6458)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Internet Explorer, allows     local users to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment.
    (CVE-2014-6466)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality, integrity,     and availability via unknown vectors related to     Libraries. (CVE-2014-6506)

  - Unspecified vulnerability in Oracle Java SE 7u67 and     8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment, a different     vulnerability than CVE-2014-6527. (CVE-2014-6476)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment. (CVE-2014-6515)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20 allows remote attackers to affect     confidentiality via unknown vectors related to 2D.
    (CVE-2014-6511)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality via unknown     vectors related to Libraries. (CVE-2014-6531)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and R28.3.3 allows remote attackers to affect     integrity via unknown vectors related to Libraries.
    (CVE-2014-6512)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3, and R28.3.3 allows remote attackers to affect     confidentiality and integrity via vectors related to     JSSE. (CVE-2014-6457)

  - Unspecified vulnerability in Oracle Java SE 7u67 and     8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment, a different     vulnerability than CVE-2014-6476. (CVE-2014-6527)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect integrity via unknown vectors     related to Libraries. (CVE-2014-6502)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and JRockit R28.3.3 allows remote attackers to     affect integrity via unknown vectors related to     Security. (CVE-2014-6558)

More information can be found at http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update
_November_2014

java-1_6_0-ibm has been updated to version 1.6.0_sr16.2 to fix 18 security issues.

These security issues has been fixed :

  - Unspecified vulnerability in Oracle Java SE 6u81.
    (CVE-2014-3065)

  - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i     and other products, uses nondeterministic CBC padding,     which makes it easier for man-in-the-middle attackers to     obtain cleartext data via a padding-oracle attack, aka     the 'POODLE' issue. (CVE-2014-3566)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, and Java SE Embedded 7u60, allows remote     attackers to affect confidentiality, integrity, and     availability via vectors related to AWT. (CVE-2014-6513)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6493 / CVE-2014-6532.
    (CVE-2014-6503)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6493 / CVE-2014-6503.
    (CVE-2014-6532)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-6493 / CVE-2014-6503 / CVE-2014-6532.
    (CVE-2014-4288)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect     confidentiality, integrity, and availability via unknown     vectors related to Deployment, a different vulnerability     than CVE-2014-4288 / CVE-2014-6503 / CVE-2014-6532.
    (CVE-2014-6493)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Firefox, allows remote     attackers to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment.
    (CVE-2014-6492)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows local users to affect confidentiality,     integrity, and availability via unknown vectors related     to Deployment. (CVE-2014-6458)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20, when running on Internet Explorer, allows     local users to affect confidentiality, integrity, and     availability via unknown vectors related to Deployment.
    (CVE-2014-6466)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality, integrity,     and availability via unknown vectors related to     Libraries. (CVE-2014-6506)

  - Unspecified vulnerability in Oracle Java SE 6u81, 7u67,     and 8u20 allows remote attackers to affect integrity via     unknown vectors related to Deployment. (CVE-2014-6515)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20 allows remote attackers to affect     confidentiality via unknown vectors related to 2D.
    (CVE-2014-6511)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect confidentiality via unknown     vectors related to Libraries. (CVE-2014-6531)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and R28.3.3 allows remote attackers to affect     integrity via unknown vectors related to Libraries.
    (CVE-2014-6512)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3, and R28.3.3 allows remote attackers to affect     confidentiality and integrity via vectors related to     JSSE. (CVE-2014-6457)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows     remote attackers to affect integrity via unknown vectors     related to Libraries. (CVE-2014-6502)

  - Unspecified vulnerability in Oracle Java SE 5.0u71,     6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit     R27.8.3 and JRockit R28.3.3 allows remote attackers to     affect integrity via unknown vectors related to     Security. (CVE-2014-6558)

More information can be found at http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update
_November_2014

The version of Java SDK installed on the remote host is affected by the following vulnerabilities :

  - A privilege escalation vulnerability in the IBM Java SDK     allows a local attacker to inject arbitrary code into     the shared classes cache due to a flaw in the default     configuration for the shared classes feature. Other     users are able to execute the injected code, which can     allow the attacker to gain elevated privileges.
    (CVE-2014-3065)

  - Oracle Java contains the flaw related to SSLv3 CBC-mode     ciphers known as POODLE. The vulnerability is due to the     way SSL 3.0 handles padding bytes when decrypting     messages encrypted using block ciphers in cipher block     chaining (CBC) mode. A man-in-the-middle attacker can     decrypt a selected byte of a cipher text in as few as     256 tries if they are able to force a victim application     to repeatedly send the same data over newly created SSL     3.0 connections. (CVE-2014-3566)

  - Vulnerabilities in Oracle Java allow remote code     execution via flaws in the Deployment subcomponent.
    (CVE-2014-4288, CVE-2014-6492, CVE-2014-6493,     CVE-2014-6503, CVE-2014-6532)

  - A session hijacking vulnerability exists in Oracle Java     due to a flaw related to handling of server certificate     changes during SSL/TLS renegotiation. This allows an     attacker to intercept communication between a client and     server to hijack a mutually authenticated session.
    (CVE-2014-6457)

  - Privilege escalation vulnerabilities exist in Oracle     Java within the the Deployment subcomponent.
    (CVE-2014-6458, CVE-2014-6466)

  - Data integrity vulnerabilities exist in Oracle Java     within the the Deployment subcomponent. (CVE-2014-6476,     CVE-2014-6515, CVE-2014-6527)

  - A privilege escalation vulnerability exists in Oracle     Java in the resource bundle handling code of the     'LogRecord::readObject' function within the file     'share/classes/java/util/logging/LogRecord.java',     which allows an attacker to bypass certain sandbox     restrictions. (CVE-2014-6502)

  - A privilege escalation vulnerability exists in Oracle     Java within the property processing and name handling     code of 'share/classes/java/util/ResourceBundle.java',     which allows an attacker to bypass certain sandbox     restrictions. (CVE-2014-6506)

  - Oracle Java contains an unspecified vulnerability in the     2D subcomponent. (CVE-2014-6511)

  - An information disclosure vulnerability exists in Oracle     Java due to a flaw related to the wrapping of datagram     sockets in the DatagramSocket implementation. This issue     may cause packets to be read that originate from other     sources than the connected, thus allowing a remote     attacker to carry out IP spoofing. (CVE-2014-6512)

  - A flaw exists in the way splash images are handled by     'windows/native/sun/awt/splashscreen/splashscreen_sys.c'     which allows remote code execution. (CVE-2014-6513)

  - A privilege escalation vulnerability exists in Oracle     Java in 'share/classes/java/util/logging/Logger.java'     because it fails to check permissions in certain cases,     allowing an attacker to bypass sandbox restrictions and     view or edit logs. (CVE-2014-6531)

  - A flaw related to input cipher streams within the file     'share/classes/javax/crypto/CipherInputStream.java' can     allow a remote attacker to affect the data integrity.
    (CVE-2014-6558)

Oracle Critical Patch Update Advisory - October 2014

Description :

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities.

Find more information here:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.h tml

USN-2388-1 fixed vulnerabilities in OpenJDK 7 for Ubuntu 14.04 LTS.
This update provides the corresponding updates for Ubuntu 14.10.

A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6457)

Several vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6527, CVE-2014-6558)

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network.
(CVE-2014-6504, CVE-2014-6511, CVE-2014-6517, CVE-2014-6531)

Two vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network.
(CVE-2014-6506, CVE-2014-6513).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6457)

Several vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6527, CVE-2014-6558)

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517, CVE-2014-6531)

Two vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-6506, CVE-2014-6513).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6457)

Several vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6558)

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517, CVE-2014-6531)

Two vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-6506, CVE-2014-6513).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 25, 7 Update 71, 6 Update 85, or 5 Update 75. It is, therefore, affected by security issues in the following components :

  - 2D
  - AWT
  - Deployment
  - Hotspot
  - JAXP
  - JSSE
  - JavaFX
  - Libraries
  - Security

Oracle's October 2014 security update for Java fixes remote and local vulnerabilities in the following components of the Java SE JDK/JRE:

  - 2D
  - AWT
  - Deployment
  - Hotspot
  - JAXP
  - JSSE
  - JavaFX
  - Libraries
  - Security

Twenty-two of these 25 fixed vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. no further details have been released by the vendor.

ID	Name	Product	Family	Severity
119959	SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2014:1541-1) (POODLE)	Nessus	SuSE Local Security Checks	critical
83643	SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2014:1422-1)	Nessus	SuSE Local Security Checks	critical
81370	GLSA-201502-12 : Oracle JRE/JDK: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
79635	SuSE 11.3 Security Update : IBM Java (SAT Patch Number 9999)	Nessus	SuSE Local Security Checks	critical
79634	SuSE 11.3 Security Update : IBM Java (SAT Patch Number 9992)	Nessus	SuSE Local Security Checks	critical
79626	AIX Java Advisory : java_oct2014_advisory.asc (POODLE)	Nessus	AIX Local Security Checks	critical
79208	SuSE 11.3 Security Update : Java OpenJDK (SAT Patch Number 9906)	Nessus	SuSE Local Security Checks	critical
78668	Ubuntu 14.10 : openjdk-7 vulnerabilities (USN-2388-2)	Nessus	Ubuntu Local Security Checks	critical
78654	Ubuntu 14.04 LTS : openjdk-7 vulnerabilities (USN-2388-1)	Nessus	Ubuntu Local Security Checks	critical
78539	Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2386-1)	Nessus	Ubuntu Local Security Checks	critical
78482	Oracle Java SE Multiple Vulnerabilities (October 2014 CPU) (Unix)	Nessus	Misc.	critical
78481	Oracle Java SE Multiple Vulnerabilities (October 2014 CPU)	Nessus	Windows	critical
8550	Oracle Java Update (October 2014) Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical

CVE-2014-6513

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins