Oracle JRockit R27.8.4 / R28.3.4 Multiple Vulnerabilities (January 2015 CPU) (POODLE)

Nessus Plugin ID 80890 (Severity: Medium)

Synopsis

The remote Windows host contains a programming platform that is affected by multiple vulnerabilities.

Description

The remote host has a version of Oracle JRockit that is affected by multiple vulnerabilities in the following components:

- Hotspot
- JSSE
- Security

Note that CVE-2014-3566 is an error in the way SSL 3.0 handles padding bytes when decrypting messages encrypted with block ciphers in cipher block chaining (CBC) mode. A man-in-the-middle attacker can decrypt a selected byte of ciphertext in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. This is also known as the 'POODLE' issue.

Solution

Upgrade to version R27.8.5 / R28.3.5 or later as referenced in the January 2015 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?75c6cafb

https://www.imperialviolet.org/2014/10/14/poodle.html

https://www.openssl.org/~bodo/ssl-poodle.pdf

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Plugin Details

Severity: Medium

ID: 80890

File Name: oracle_jrockit_cpu_jan_2015.nasl

Version: 1.10

Type: local

Agent: windows

Family: Windows

Published: 2015/01/21

Updated: 2018/11/15

Dependencies: 69304

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.4

Temporal Score: 4.2

Vector: CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:jrockit

Required KB Items: installed_sw/Oracle JRockit

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/01/20

Vulnerability Publication Date: 2015/01/20

Reference Information

CVE: CVE-2014-3566, CVE-2014-6593, CVE-2015-0383, CVE-2015-0410

BID: 70574, 72155, 72165, 72169

CERT: 577193