AIX Java Advisory : java_jul2014_advisory.asc

Critical Nessus Plugin ID 77333


Synopsis

The remote AIX host has a version of Java SDK installed that is affected by multiple vulnerabilities.

Description

The version of Java SDK installed on the remote host is affected by the following vulnerabilities:

- A privilege escalation vulnerability in the IBM Java Virtual Machine allows remote attackers to execute code and gain elevated access in the context of a security manager. (CVE-2014-3086)

- Data integrity vulnerabilities exist in Oracle Java within the Deployment subcomponent. (CVE-2014-4208, CVE-2014-4220, CVE-2014-4265)

- An information disclosure vulnerability in Oracle Java's JMX subcomponent allows a remote attacker to view or edit the SubjectDelegator class. (CVE-2014-4209)

- A vulnerability in Oracle Java allows a remote attacker to bypass security features via flaws in 'Proxy.java' in the Libraries subcomponent. (CVE-2014-4218)

- A vulnerability in Oracle Java allows remote code execution via a flaw in the Hotspot subcomponent, returning incomplete objects. (CVE-2014-4219)

- An information disclosure vulnerability in Oracle Java's Libraries subcomponent allows a remote attacker to view sensitive information. (CVE-2014-4221)

- Vulnerabilities in Oracle Java allow remote code execution via flaws in the Deployment subcomponent. (CVE-2014-4227)

- Information disclosure vulnerabilities in the Security subcomponent of Oracle Java allow remote attackers to obtain sensitive information, including information about the keys in use. (CVE-2014-4244, CVE-2014-4252, CVE-2014-4263)

- A vulnerability in Oracle Java allows remote code execution via a memory corruption flaw in the Libraries subcomponent. (CVE-2014-4262)

- A data integrity vulnerability exists in Oracle Java within the Serviceability subcomponent due to incorrect function return values. (CVE-2014-4266)

- An information disclosure vulnerability in Oracle Java's Swing subcomponent allows a remote attacker to view restricted file contents. (CVE-2014-4268)

Solution

Fixes are available by version and can be downloaded from the AIX website.

See Also

http://www.nessus.org/u?0cd279e0

http://www.nessus.org/u?aacaab25

http://www.nessus.org/u?70623e16

http://www.nessus.org/u?1d08dc51

http://www.nessus.org/u?4ca2561a

http://www.nessus.org/u?a624fae8

http://www.nessus.org/u?aa3fc787

http://www.nessus.org/u?e42e2673

http://www.nessus.org/u?ae6bb0ba

http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

Plugin Details

Severity: Critical

ID: 77333

File Name: aix_java_jul2014_advisory.nasl

Version: 1.10

Type: local

Published: 2014/08/22

Updated: 2018/07/17

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 6.7

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:ibm:aix, cpe:/a:oracle:java

Required KB Items: Host/AIX/lslpp, Host/local_checks_enabled, Host/AIX/version

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/08/18

Vulnerability Publication Date: 2014/02/06

Reference Information

CVE: CVE-2014-3086, CVE-2014-4208, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268

BID: 68571, 68576, 68580, 68583, 68596, 68599, 68603, 68615, 68620, 68624, 68632, 68636, 68639, 68642, 69183