In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer.

The version of IBM Cognos Analytics installed on the remote host is prior to 11.1.7 FP8, 11.2.4 FP3, or 12.0.2. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security Bulletin No. 7123154, including the following:

  - When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the   allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using   Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which   addresses this issue. (CVE-2023-39410)

  - In order to decrypt SM2 encrypted data an application is expected to call the API function   EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the   'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required   to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call   EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the   implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the   plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by   the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a   second time with a buffer that is too small. A malicious attacker who is able present SM2 content for   decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of   62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour   or causing the application to crash. The location of the buffer is application dependent but is typically   heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). (CVE-2021-3711)

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
  Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using   SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend   upgrading to version 2.0 and beyond. (CVE-2022-1471)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3305-1 advisory.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM     Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to     all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to     Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java     applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java     sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,     e.g., through a web service which supplies data to the APIs. (CVE-2023-21930)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21937)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). (CVE-2023-21938)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or     delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2023-21939)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21954)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21967)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21968)

  - In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by     default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer.
    (CVE-2023-2597)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Java installed on the remote host is prior to 7.1 < 7.1.5.18 / 8.0 < 8.0.8.5. It is, therefore, affected by a vulnerability as referenced in the IBM Security Update June 2023 advisory.

  - In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by     default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer.
    (CVE-2023-2597)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2491-1 advisory.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM     Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to     all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to     Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java     applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java     sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,     e.g., through a web service which supplies data to the APIs. (CVE-2023-21930)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21937)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). (CVE-2023-21938)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or     delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2023-21939)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21954)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21967)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21968)

  - In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by     default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer.
    (CVE-2023-2597)

  - IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components     could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID:
    253188. (CVE-2023-30441)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2476-1 advisory.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM     Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to     all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to     Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java     applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java     sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,     e.g., through a web service which supplies data to the APIs. (CVE-2023-21930)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21937)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). (CVE-2023-21938)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or     delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2023-21939)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21954)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,     17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21967)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf,     11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2023-21968)

  - In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by     default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer.
    (CVE-2023-2597)

  - IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components     could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID:
    253188. (CVE-2023-30441)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
193868	IBM Cognos Analytics 11.1.1 < 11.1.7 FP8 / 11.2.x < 11.2.4 FP3 / 12.0.x < 12.0.2 (7123154)	Nessus	CGI abuses	critical
179828	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : java-1_8_0-openj9 (SUSE-SU-2023:3305-1)	Nessus	SuSE Local Security Checks	critical
177455	IBM Java 7.1 < 7.1.5.18 / 8.0 < 8.0.8.5	Nessus	Misc.	critical
177278	SUSE SLES15 / openSUSE 15 Security Update : java-1_8_0-ibm (SUSE-SU-2023:2491-1)	Nessus	SuSE Local Security Checks	critical
177085	SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2023:2476-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2023-2597

critical

Tenable Plugins

critical

critical

critical

critical

critical