openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2015-512) (Bar Mitzvah) (Logjam)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

OpenJDK was updated to 2.6.1 - OpenJDK 8u51 to fix security issues and
bugs.

The following vulnerabilities were fixed :

- CVE-2015-2590: Easily exploitable vulnerability in the
Libraries component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-2597: Easily exploitable vulnerability in the
Install component requiring logon to Operating System.
Successful attack of this vulnerability could have
resulted in unauthorized Operating System takeover
including arbitrary code execution.

- CVE-2015-2601: Easily exploitable vulnerability in the
JCE component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2613: Easily exploitable vulnerability in the
JCE component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java SE, Java SE Embedded
accessible data.

- CVE-2015-2619: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2621: Easily exploitable vulnerability in the
JMX component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2625: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized read
access to a subset of Java accessible data.

- CVE-2015-2627: Very difficult to exploit vulnerability
in the Install component allowed successful
unauthenticated network attacks via multiple protocols.
Successful attack of this vulnerability could have
resulted in unauthorized read access to a subset of Java
accessible data.

- CVE-2015-2628: Easily exploitable vulnerability in the
CORBA component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-2632: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2637: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
read access to a subset of Java accessible data.

- CVE-2015-2638: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-2659: Easily exploitable vulnerability in the
Security component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized ability to cause a partial denial of
service (partial DoS).

- CVE-2015-2664: Difficult to exploit vulnerability in the
Deployment component requiring logon to Operating
System. Successful attack of this vulnerability could
have resulted in unauthorized Operating System takeover
including arbitrary code execution.

- CVE-2015-2808: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized
update, insert or delete access to some Java accessible
data as well as read access to a subset of Java
accessible data.

- CVE-2015-4000: Very difficult to exploit vulnerability
in the JSSE component allowed successful unauthenticated
network attacks via SSL/TLS. Successful attack of this
vulnerability could have resulted in unauthorized
update, insert or delete access to some Java accessible
data as well as read access to a subset of Java Embedded
accessible data.

- CVE-2015-4729: Very difficult to exploit vulnerability
in the Deployment component allowed successful
unauthenticated network attacks via multiple protocols.
Successful attack of this vulnerability could have
resulted in unauthorized update, insert or delete access
to some Java SE accessible data as well as read access
to a subset of Java SE accessible data.

- CVE-2015-4731: Easily exploitable vulnerability in the
JMX component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-4732: Easily exploitable vulnerability in the
Libraries component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-4733: Easily exploitable vulnerability in the
RMI component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

- CVE-2015-4736: Difficult to exploit vulnerability in the
Deployment component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-4748: Very difficult to exploit vulnerability
in the Security component allowed successful
unauthenticated network attacks via OCSP. Successful
attack of this vulnerability could have resulted in
unauthorized Operating System takeover including
arbitrary code execution.

- CVE-2015-4749: Difficult to exploit vulnerability in the
JNDI component allowed successful unauthenticated
network attacks via multiple protocols. Successful
attack of this vulnerability could have resulted in
unauthorized ability to cause a partial denial of
service (partial DoS).

- CVE-2015-4760: Easily exploitable vulnerability in the
2D component allowed successful unauthenticated network
attacks via multiple protocols. Successful attack of
this vulnerability could have resulted in unauthorized
Operating System takeover including arbitrary code
execution.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=937828
https://bugzilla.opensuse.org/show_bug.cgi?id=938248

Solution :

Update the affected java-1_8_0-openjdk packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true