AIX Java Advisory: java_jul2014_advisory.asc

Critical Nessus Plugin ID 77333

Synopsis

The remote AIX host has a version of Java SDK installed that is affected by multiple vulnerabilities.

Description

The version of Java SDK installed on the remote host is affected by the following vulnerabilities:

- A privilege escalation vulnerability in the IBM Java Virtual Machine allows a remote attacker to execute code that gains elevated access within the context of a security manager. (CVE-2014-3086)

- Data integrity vulnerabilities exist in Oracle Java within the Deployment subcomponent. (CVE-2014-4208, CVE-2014-4220, CVE-2014-4265)

- An information disclosure vulnerability in Oracle Java's JMX subcomponent allows a remote attacker to view or edit the SubjectDelegator class. (CVE-2014-4209)

- A vulnerability in Oracle Java allows a remote attacker to bypass security features via flaws in 'Proxy.java' in the Libraries subcomponent. (CVE-2014-4218)

- A vulnerability in Oracle Java allows remote code execution via a flaw in the Hotspot subcomponent that returns incomplete objects. (CVE-2014-4219)

- An information disclosure vulnerability in Oracle Java's Libraries subcomponent allows a remote attacker to view sensitive information. (CVE-2014-4221)

- Vulnerabilities in Oracle Java allow remote code execution via flaws in the Deployment subcomponent. (CVE-2014-4227)

- Information disclosure vulnerabilities in the Security subcomponent of Oracle Java allow a remote attacker to obtain sensitive information, including information about keys in use. (CVE-2014-4244, CVE-2014-4252, CVE-2014-4263)

- A vulnerability in Oracle Java allows remote code execution via a memory corruption flaw in the Libraries subcomponent. (CVE-2014-4262)

- A data integrity vulnerability exists in Oracle Java within the Serviceability subcomponent due to incorrect function return values. (CVE-2014-4266)

- An information disclosure vulnerability in Oracle Java's Swing subcomponent allows a remote attacker to view restricted file contents. (CVE-2014-4268)

Solution

Fixes are available by version and can be downloaded from the AIX website.

See Also

http://www.nessus.org/u?0cd279e0

http://www.nessus.org/u?aacaab25

http://www.nessus.org/u?70623e16

http://www.nessus.org/u?1d08dc51

http://www.nessus.org/u?4ca2561a

http://www.nessus.org/u?a624fae8

http://www.nessus.org/u?aa3fc787

http://www.nessus.org/u?e42e2673

http://www.nessus.org/u?ae6bb0ba

http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

Plugin Details

Severity: Critical

ID: 77333

File Name: aix_java_jul2014_advisory.nasl

Version: $Revision: 1.7 $

Type: local

Published: 2014/08/22

Modified: 2016/04/01

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:ibm:aix, cpe:/a:oracle:java

Required KB Items: Host/AIX/lslpp, Host/local_checks_enabled, Host/AIX/version

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/08/18

Vulnerability Publication Date: 2014/02/06

Reference Information

CVE: CVE-2014-3086, CVE-2014-4208, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268

BID: 68571, 68576, 68580, 68583, 68596, 68599, 68603, 68615, 68620, 68624, 68632, 68636, 68639, 68642, 69183

OSVDB: 109124, 109125, 109131, 109132, 109133, 109134, 109135, 109136, 109137, 109138, 109140, 109141, 109142, 109143, 109856