AIX Java Advisory : java_jul2014_advisory.asc

critical Nessus Plugin ID 77333

Language:

New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote AIX host has a version of Java SDK installed that is affected by multiple vulnerabilities.

Description

The version of Java SDK installed on the remote host is affected by the following vulnerabilities :

 - A privilege escalation vulnerability in IBM Java Virtual Machine allows remote attackers to execute code to increase access in the context of a security manager.
 (CVE-2014-3086)

 - Data integrity vulnerabilities exist in Oracle Java within the the Deployment subcomponent. (CVE-2014-4208, CVE-2014-4220, CVE-2014-4265)

 - An information disclosure vulnerability in Oracle Java's JMX subcomponent allows a remote attacker to view or edit the SubjectDelegator class. (CVE-2014-4209)

 - A vulnerability in Oracle Java allows a remote attacker to bypass security features via flaws in 'Proxy.java' in the Libraries subcomponent. (CVE-2014-4218)

 - A vulnerability in Oracle Java allows remote code execution via a flaw in the Hotspot subcomponent, returning incomplete objects. (CVE-2014-4219)

 - An information disclosure vulnerability in Oracle Java's Libraries subcomponent allows a remote attacker to view sensitive information. (CVE-2014-4221)

 - Vulnerabilities in Oracle Java allow remote code execution via flaws in the Deployment subcomponent.
 (CVE-2014-4227)

 - There are information disclosure vulnerabilities in the Security subcomponent of Oracle Java that can allow remote attackers to gain sensitive information, including information about used keys. (CVE-2014-4244, CVE-2014-4252, CVE-2014-4263)

 - A vulnerability in Oracle Java allows remote code execution via a memory corruption flaw in the Libraries subcomponent. (CVE-2014-4262)

 - A data integrity vulnerability exists in Oracle Java within the Serviceability subcomponent due to incorrect function return values. (CVE-2014-4266)

 - An information disclosure vulnerability in Oracle Java's Swing subcomponent allows a remote attacker to view restricted file contents. (CVE-2014-4268)

Solution

Fixes are available by version and can be downloaded from the AIX website.

See Also

http://www.nessus.org/u?0cd279e0

http://www.nessus.org/u?aacaab25

http://www.nessus.org/u?70623e16

http://www.nessus.org/u?1d08dc51

http://www.nessus.org/u?4ca2561a

http://www.nessus.org/u?a624fae8

http://www.nessus.org/u?aa3fc787

http://www.nessus.org/u?e42e2673

http://www.nessus.org/u?ae6bb0ba

http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels

Plugin Details

Severity: Critical

ID: 77333

File Name: aix_java_jul2014_advisory.nasl

Version: 1.11

Type: local

Published: 8/22/2014

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:ibm:aix, cpe:/a:oracle:java

Required KB Items: Host/AIX/lslpp, Host/local_checks_enabled, Host/AIX/version

Exploit Ease: No known exploits are available

Patch Publication Date: 8/18/2014

Vulnerability Publication Date: 2/6/2014

Reference Information

CVE: CVE-2014-3086, CVE-2014-4208, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268

BID: 68571, 68576, 68580, 68583, 68596, 68599, 68603, 68615, 68620, 68624, 68632, 68636, 68639, 68642, 69183