Synopsis
The remote AIX host has a version of Java SDK installed that is affected by multiple vulnerabilities.
Description
The version of Java SDK installed on the remote host is affected by the following vulnerabilities:
- A privilege escalation vulnerability in IBM Java Virtual Machine allows remote attackers to execute code to increase access in the context of a security manager.
- Data integrity vulnerabilities exist in Oracle Java within the Deployment subcomponent. (CVE-2014-4208, CVE-2014-4220, CVE-2014-4265)
- An information disclosure vulnerability in Oracle Java's JMX subcomponent allows a remote attacker to view or edit the SubjectDelegator class. (CVE-2014-4209)
- A vulnerability in Oracle Java allows a remote attacker to bypass security features via flaws in 'Proxy.java' in the Libraries subcomponent. (CVE-2014-4218)
- A vulnerability in Oracle Java allows remote code execution via a flaw in the Hotspot subcomponent, returning incomplete objects. (CVE-2014-4219)
- An information disclosure vulnerability in Oracle Java's Libraries subcomponent allows a remote attacker to view sensitive information. (CVE-2014-4221)
- Vulnerabilities in Oracle Java allow remote code execution via flaws in the Deployment subcomponent.
- There are information disclosure vulnerabilities in the Security subcomponent of Oracle Java that can allow remote attackers to gain sensitive information, including information about used keys. (CVE-2014-4244, CVE-2014-4252, CVE-2014-4263)
- A vulnerability in Oracle Java allows remote code execution via a memory corruption flaw in the Libraries subcomponent. (CVE-2014-4262)
- A data integrity vulnerability exists in Oracle Java within the Serviceability subcomponent due to incorrect function return values. (CVE-2014-4266)
- An information disclosure vulnerability in Oracle Java's Swing subcomponent allows a remote attacker to view restricted file contents. (CVE-2014-4268)
Solution
Fixes are available by version and can be downloaded from the AIX website.
File Name: aix_java_jul2014_advisory.nasl
Temporal Vector: E:ND/RL:OF/RC:C
CPE: cpe:/o:ibm:aix, cpe:/a:oracle:java
Required KB Items: Host/AIX/lslpp, Host/local_checks_enabled, Host/AIX/version
Exploit Ease: No known exploits are available
Patch Publication Date: 8/18/2014
Vulnerability Publication Date: 2/6/2014
CVE: CVE-2014-3086, CVE-2014-4208, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268
BID: 68571, 68576, 68580, 68583, 68596, 68599, 68603, 68615, 68620, 68624, 68632, 68636, 68639, 68642, 69183