EulerOS 2.0 SP1 : java-1.7.0-openjdk (EulerOS-SA-2016-1015)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote EulerOS host is missing multiple security updates.

Description :

According to the versions of the java-1.7.0-openjdk packages
installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :

- Multiple flaws were discovered in the Serialization and
Hotspot components in OpenJDK. An untrusted Java
application or applet could use these flaws to
completely bypass Java sandbox
restrictions. (CVE-2016-0686, CVE-2016-0687)

- It was discovered that the RMI server implementation in
the JMX component in OpenJDK did not restrict which
classes can be deserialized when deserializing
authentication credentials. A remote, unauthenticated
attacker able to connect to a JMX port could possibly
use this flaw to trigger deserialization flaws.
(CVE-2016-3427)

- It was discovered that the JAXP component in OpenJDK
failed to properly handle Unicode surrogate pairs used
as part of the XML attribute values. Specially crafted
XML input could cause a Java application to use an
excessive amount of memory when parsed. (CVE-2016-3425)

- It was discovered that the Security component in
OpenJDK failed to check the digest algorithm strength
when generating DSA signatures. The use of a digest
weaker than the key strength could lead to the
generation of signatures that were weaker than
expected. (CVE-2016-0695)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.nessus.org/u?81d30f5a

Solution :

Update the affected java-1.7.0-openjdk packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Huawei Local Security Checks

Nessus Plugin ID: 99778

Bugtraq ID:

CVE ID: CVE-2016-0686
CVE-2016-0687
CVE-2016-0695
CVE-2016-3425
CVE-2016-3427
