Detections
Analytics
RHEL 7 : java-1.8.0-ibm (RHSA-2018:2568)
critical Nessus Plugin ID 112131
Language:
Synopsis
The remote Red Hat host is missing one or more security updates for java-1.8.0-ibm.Description
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2568 advisory.IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR5-FP20.
Security Fix(es):
* IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539)
* openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* IBM JDK: DoS in the java.math component (CVE-2018-1517)
* IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656)
* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940)
* OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) (CVE-2018-2952)
* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973)
* OpenSSL: Double-free in DSA code (CVE-2016-0705)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-0705. Upstream acknowledges Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the RHEL java-1.8.0-ibm package based on the guidance in RHSA-2018:2568.See Also
http://www.nessus.org/u?3597c568
https://access.redhat.com/errata/RHSA-2018:2568
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1310596
https://bugzilla.redhat.com/show_bug.cgi?id=1416856
https://bugzilla.redhat.com/show_bug.cgi?id=1509169
https://bugzilla.redhat.com/show_bug.cgi?id=1600925
https://bugzilla.redhat.com/show_bug.cgi?id=1602145
https://bugzilla.redhat.com/show_bug.cgi?id=1602146
https://bugzilla.redhat.com/show_bug.cgi?id=1618767
Plugin Details
Severity: Critical
ID: 112131
File Name: redhat-RHSA-2018-2568.nasl
Version: 1.8
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 8/28/2018
Updated: 11/5/2024
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
Vendor
Vendor Severity: Important
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2016-0705
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm, p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc, p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src, p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin, p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 8/27/2018
Vulnerability Publication Date: 3/3/2016
Reference Information
CVE: CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-12539, CVE-2018-1517, CVE-2018-1656, CVE-2018-2940, CVE-2018-2952, CVE-2018-2973