Oracle JRockit R28 < R28.3.7 Multiple Vulnerabilities (July 2015 CPU) (Bar Mitzvah) (Logjam)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

A programming platform installed on the remote Windows host is
affected by multiple vulnerabilities.

Description :

The version of Oracle JRockit installed on the remote Windows host is
R28 prior to R28.3.7. It is, therefore, affected by multiple
vulnerabilities :

- An unspecified flaw exists in the JCE component that
allows a remote attacker to gain access to sensitive
information. (CVE-2015-2601)

- An unspecified flaw exists in the JSSE component when
handling the SSL/TLS protocol. A remote attacker can
exploit this to gain access to sensitive information.
(CVE-2015-2625)

- A security feature bypass vulnerability exists, known as
Bar Mitzvah, due to improper combination of state data
with key data by the RC4 cipher algorithm during the
initialization phase. A man-in-the-middle attacker can
exploit this, via a brute-force attack using LSB values,
to decrypt the traffic. (CVE-2015-2808)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

- An unspecified flaw exists in the Security component
when handling the Online Certificate Status Protocol
(OCSP). A remote attacker can exploit this to execute
arbitrary code. (CVE-2015-4748)

- An unspecified flaw exists in the JNDI component that
allows a remote attacker to cause a denial of service.
(CVE-2015-4749)

See also :

http://www.nessus.org/u?d18c2a85

Solution :

Upgrade to Oracle JRockit version R28.3.7 or later as referenced in
the July 2015 Oracle Critical Patch Update advisory.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now