Alpine: openjdk6: security update to 1.6.0-r0 (deprecated)

critical Tenable Self-Hosted Container Security Plugin ID 401273

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. (CVE-2012-1725)

- Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Sound. (CVE-2011-3563)

- Unspecified vulnerability in the Virtual Desktop Infrastructure (VDI) component in Oracle Virtualization 3.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Session. NOTE: this CVE identifier was accidentally used for a Concurrency issue in Java Runtime Environment, but that issue has been reassigned to CVE-2012-0507. (CVE-2011-3571)

- Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869. (CVE-2011-5035)

- Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, and 6 Update 30 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2012-0497)

See Also

https://git.alpinelinux.org/aports/commit/?id=5f832d4ab99a9d5372ea94b97de4287e5cdfe9fe

https://git.alpinelinux.org/aports/commit/?id=f5ea352121c614e1abdd86e67ba9c8c3827eb653

Plugin Details

Severity: Critical

ID: 401273

Version: Revision 1.24

Type: Local

Published: 8/16/2023

Updated: 7/17/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-1725

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2012-1723

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/5/2012

Vulnerability Publication Date: 12/29/2011

CISA Known Exploited Vulnerability Due Dates: 3/24/2022

Exploitable With

Core Impact

Metasploit (Java Applet Field Bytecode Verifier Cache Remote Code Execution)

Reference Information

CVE: CVE-2011-3563, CVE-2011-3571, CVE-2011-5035, CVE-2012-0497, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0547, CVE-2012-1682, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725

BID: 51194, 51467, 52009, 52011, 52012, 52013, 52014, 52017, 52018, 53946, 53947, 53949, 53950, 53951, 53952, 53954, 53958, 53960, 55336, 55339