AIX Java Advisory : java_jul2014_advisory.asc

critical Nessus Plugin ID 77333
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote AIX host has a version of Java SDK installed that is affected by multiple vulnerabilities.

Description

The version of Java SDK installed on the remote host is affected by the following vulnerabilities :

- A privilege escalation vulnerability in IBM Java Virtual Machine allows remote attackers to execute code to increase access in the context of a security manager.
(CVE-2014-3086)

- Data integrity vulnerabilities exist in Oracle Java within the the Deployment subcomponent. (CVE-2014-4208, CVE-2014-4220, CVE-2014-4265)

- An information disclosure vulnerability in Oracle Java's JMX subcomponent allows a remote attacker to view or edit the SubjectDelegator class. (CVE-2014-4209)

- A vulnerability in Oracle Java allows a remote attacker to bypass security features via flaws in 'Proxy.java' in the Libraries subcomponent. (CVE-2014-4218)

- A vulnerability in Oracle Java allows remote code execution via a flaw in the Hotspot subcomponent, returning incomplete objects. (CVE-2014-4219)

- An information disclosure vulnerability in Oracle Java's Libraries subcomponent allows a remote attacker to view sensitive information. (CVE-2014-4221)

- Vulnerabilities in Oracle Java allow remote code execution via flaws in the Deployment subcomponent.
(CVE-2014-4227)

- There are information disclosure vulnerabilities in the Security subcomponent of Oracle Java that can allow remote attackers to gain sensitive information, including information about used keys. (CVE-2014-4244, CVE-2014-4252, CVE-2014-4263)

- A vulnerability in Oracle Java allows remote code execution via a memory corruption flaw in the Libraries subcomponent. (CVE-2014-4262)

- A data integrity vulnerability exists in Oracle Java within the Serviceability subcomponent due to incorrect function return values. (CVE-2014-4266)

- An information disclosure vulnerability in Oracle Java's Swing subcomponent allows a remote attacker to view restricted file contents. (CVE-2014-4268)

Solution

Fixes are available by version and can be downloaded from the AIX website.

See Also

http://www.nessus.org/u?0cd279e0

http://www.nessus.org/u?aacaab25

http://www.nessus.org/u?70623e16

http://www.nessus.org/u?1d08dc51

http://www.nessus.org/u?4ca2561a

http://www.nessus.org/u?a624fae8

http://www.nessus.org/u?aa3fc787

http://www.nessus.org/u?e42e2673

http://www.nessus.org/u?ae6bb0ba

http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

Plugin Details

Severity: Critical

ID: 77333

File Name: aix_java_jul2014_advisory.nasl

Version: 1.11

Type: local

Published: 8/22/2014

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:ibm:aix, cpe:/a:oracle:java

Required KB Items: Host/AIX/lslpp, Host/local_checks_enabled, Host/AIX/version

Exploit Ease: No known exploits are available

Patch Publication Date: 8/18/2014

Vulnerability Publication Date: 2/6/2014

Reference Information

CVE: CVE-2014-3086, CVE-2014-4208, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268

BID: 68571, 68576, 68580, 68583, 68596, 68599, 68603, 68615, 68620, 68624, 68632, 68636, 68639, 68642, 69183