New! Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.
VPR Score: 9.8
SynopsisThe remote AIX host has a version of Java SDK installed that is affected by multiple vulnerabilities.
DescriptionThe version of Java SDK installed on the remote host is affected by the following vulnerabilities :
- A privilege escalation vulnerability in the IBM Java SDK allows a local attacker to inject arbitrary code into the shared classes cache due to a flaw in the default configuration for the shared classes feature. Other users are able to execute the injected code, which can allow the attacker to gain elevated privileges.
- Oracle Java contains the flaw related to SSLv3 CBC-mode ciphers known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A man-in-the-middle attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566)
- Vulnerabilities in Oracle Java allow remote code execution via flaws in the Deployment subcomponent.
(CVE-2014-4288, CVE-2014-6492, CVE-2014-6493, CVE-2014-6503, CVE-2014-6532)
- A session hijacking vulnerability exists in Oracle Java due to a flaw related to handling of server certificate changes during SSL/TLS renegotiation. This allows an attacker to intercept communication between a client and server to hijack a mutually authenticated session.
- Privilege escalation vulnerabilities exist in Oracle Java within the the Deployment subcomponent.
- Data integrity vulnerabilities exist in Oracle Java within the the Deployment subcomponent. (CVE-2014-6476, CVE-2014-6515, CVE-2014-6527)
- A privilege escalation vulnerability exists in Oracle Java in the resource bundle handling code of the 'LogRecord::readObject' function within the file 'share/classes/java/util/logging/LogRecord.java', which allows an attacker to bypass certain sandbox restrictions. (CVE-2014-6502)
- A privilege escalation vulnerability exists in Oracle Java within the property processing and name handling code of 'share/classes/java/util/ResourceBundle.java', which allows an attacker to bypass certain sandbox restrictions. (CVE-2014-6506)
- Oracle Java contains an unspecified vulnerability in the 2D subcomponent. (CVE-2014-6511)
- An information disclosure vulnerability exists in Oracle Java due to a flaw related to the wrapping of datagram sockets in the DatagramSocket implementation. This issue may cause packets to be read that originate from other sources than the connected, thus allowing a remote attacker to carry out IP spoofing. (CVE-2014-6512)
- A flaw exists in the way splash images are handled by 'windows/native/sun/awt/splashscreen/splashscreen_sys.c' which allows remote code execution. (CVE-2014-6513)
- A privilege escalation vulnerability exists in Oracle Java in 'share/classes/java/util/logging/Logger.java' because it fails to check permissions in certain cases, allowing an attacker to bypass sandbox restrictions and view or edit logs. (CVE-2014-6531)
- A flaw related to input cipher streams within the file 'share/classes/javax/crypto/CipherInputStream.java' can allow a remote attacker to affect the data integrity.
SolutionFixes are available by version and can be downloaded from the IBM AIX website.