Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title IcedTea JDK: Multiple vulnerabilities
Informations
Name GLSA-201406-32 First vendor Publication 2014-06-29
Vendor Gentoo Last vendor Modification 2014-06-29
Severity (Vendor) High Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities have been found in the IcedTea JDK, the worst of which could lead to arbitrary code execution.

Background

IcedTea is a distribution of the Java OpenJDK source code built with free build tools.

Description

Multiple vulnerabilities have been discovered in the IcedTea JDK.
Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact.

Workaround

There is no known workaround at this time.

Resolution

All IcedTea JDK users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-6.1.13.3"

References

[ 1 ] CVE-2009-3555 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555
[ 2 ] CVE-2010-2548 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2548
[ 3 ] CVE-2010-2783 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2783
[ 4 ] CVE-2010-3541 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
[ 5 ] CVE-2010-3548 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
[ 6 ] CVE-2010-3549 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
[ 7 ] CVE-2010-3551 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
[ 8 ] CVE-2010-3553 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
[ 9 ] CVE-2010-3554 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
[ 10 ] CVE-2010-3557 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
[ 11 ] CVE-2010-3561 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
[ 12 ] CVE-2010-3562 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
[ 13 ] CVE-2010-3564 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3564
[ 14 ] CVE-2010-3565 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
[ 15 ] CVE-2010-3566 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
[ 16 ] CVE-2010-3567 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
[ 17 ] CVE-2010-3568 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
[ 18 ] CVE-2010-3569 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
[ 19 ] CVE-2010-3573 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
[ 20 ] CVE-2010-3574 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
[ 21 ] CVE-2010-3860 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3860
[ 22 ] CVE-2010-4351 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4351
[ 23 ] CVE-2010-4448 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
[ 24 ] CVE-2010-4450 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
[ 25 ] CVE-2010-4465 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
[ 26 ] CVE-2010-4467 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
[ 27 ] CVE-2010-4469 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
[ 28 ] CVE-2010-4470 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
[ 29 ] CVE-2010-4471 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
[ 30 ] CVE-2010-4472 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
[ 31 ] CVE-2010-4476 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
[ 32 ] CVE-2011-0025 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0025
[ 33 ] CVE-2011-0706 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0706
[ 34 ] CVE-2011-0815 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
[ 35 ] CVE-2011-0822 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0822
[ 36 ] CVE-2011-0862 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
[ 37 ] CVE-2011-0864 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
[ 38 ] CVE-2011-0865 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
[ 39 ] CVE-2011-0868 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
[ 40 ] CVE-2011-0869 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
[ 41 ] CVE-2011-0870 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0870
[ 42 ] CVE-2011-0871 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
[ 43 ] CVE-2011-0872 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
[ 44 ] CVE-2011-3389 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 45 ] CVE-2011-3521 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
[ 46 ] CVE-2011-3544 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
[ 47 ] CVE-2011-3547 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
[ 48 ] CVE-2011-3548 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
[ 49 ] CVE-2011-3551 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
[ 50 ] CVE-2011-3552 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
[ 51 ] CVE-2011-3553 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
[ 52 ] CVE-2011-3554 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
[ 53 ] CVE-2011-3556 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
[ 54 ] CVE-2011-3557 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
[ 55 ] CVE-2011-3558 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
[ 56 ] CVE-2011-3560 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
[ 57 ] CVE-2011-3563 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 58 ] CVE-2011-3571 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3571
[ 59 ] CVE-2011-5035 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 60 ] CVE-2012-0497 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 61 ] CVE-2012-0501 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 62 ] CVE-2012-0502 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 63 ] CVE-2012-0503 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 64 ] CVE-2012-0505 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 65 ] CVE-2012-0506 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 66 ] CVE-2012-0547 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 67 ] CVE-2012-1711 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 68 ] CVE-2012-1713 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 69 ] CVE-2012-1716 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 70 ] CVE-2012-1717 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 71 ] CVE-2012-1718 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 72 ] CVE-2012-1719 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 73 ] CVE-2012-1723 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 74 ] CVE-2012-1724 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 75 ] CVE-2012-1725 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 76 ] CVE-2012-1726 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 77 ] CVE-2012-3216 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 78 ] CVE-2012-3422 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3422
[ 79 ] CVE-2012-3423 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3423
[ 80 ] CVE-2012-4416 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 81 ] CVE-2012-4540 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4540
[ 82 ] CVE-2012-5068 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 83 ] CVE-2012-5069 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 84 ] CVE-2012-5070 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 85 ] CVE-2012-5071 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 86 ] CVE-2012-5072 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 87 ] CVE-2012-5073 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 88 ] CVE-2012-5074 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 89 ] CVE-2012-5075 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 90 ] CVE-2012-5076 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 91 ] CVE-2012-5077 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 92 ] CVE-2012-5081 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 93 ] CVE-2012-5084 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 94 ] CVE-2012-5085 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 95 ] CVE-2012-5086 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 96 ] CVE-2012-5087 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 97 ] CVE-2012-5089 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 98 ] CVE-2012-5979 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5979
[ 99 ] CVE-2013-0169 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 100 ] CVE-2013-0401 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 101 ] CVE-2013-0424 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0424
[ 102 ] CVE-2013-0425 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0425
[ 103 ] CVE-2013-0426 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0426
[ 104 ] CVE-2013-0427 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0427
[ 105 ] CVE-2013-0428 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0428
[ 106 ] CVE-2013-0429 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0429
[ 107 ] CVE-2013-0431 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0431
[ 108 ] CVE-2013-0432 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0432
[ 109 ] CVE-2013-0433 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0433
[ 110 ] CVE-2013-0434 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0434
[ 111 ] CVE-2013-0435 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0435
[ 112 ] CVE-2013-0440 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0440
[ 113 ] CVE-2013-0441 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0441
[ 114 ] CVE-2013-0442 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0442
[ 115 ] CVE-2013-0443 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0443
[ 116 ] CVE-2013-0444 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0444
[ 117 ] CVE-2013-0450 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0450
[ 118 ] CVE-2013-0809 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 119 ] CVE-2013-1475 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1475
[ 120 ] CVE-2013-1476 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1476
[ 121 ] CVE-2013-1478 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1478
[ 122 ] CVE-2013-1480 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1480
[ 123 ] CVE-2013-1484 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 124 ] CVE-2013-1485 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 125 ] CVE-2013-1486 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 126 ] CVE-2013-1488 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 127 ] CVE-2013-1493 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 128 ] CVE-2013-1500 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 129 ] CVE-2013-1518 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 130 ] CVE-2013-1537 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 131 ] CVE-2013-1557 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 132 ] CVE-2013-1569 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 133 ] CVE-2013-1571 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 134 ] CVE-2013-2383 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 135 ] CVE-2013-2384 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 136 ] CVE-2013-2407 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 137 ] CVE-2013-2412 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 138 ] CVE-2013-2415 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 139 ] CVE-2013-2417 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 140 ] CVE-2013-2419 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 141 ] CVE-2013-2420 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 142 ] CVE-2013-2421 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 143 ] CVE-2013-2422 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 144 ] CVE-2013-2423 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 145 ] CVE-2013-2424 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 146 ] CVE-2013-2426 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 147 ] CVE-2013-2429 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 148 ] CVE-2013-2430 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 149 ] CVE-2013-2431 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 150 ] CVE-2013-2436 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 151 ] CVE-2013-2443 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 152 ] CVE-2013-2444 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 153 ] CVE-2013-2445 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 154 ] CVE-2013-2446 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 155 ] CVE-2013-2447 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 156 ] CVE-2013-2448 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 157 ] CVE-2013-2449 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 158 ] CVE-2013-2450 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 159 ] CVE-2013-2451 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 160 ] CVE-2013-2452 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 161 ] CVE-2013-2453 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 162 ] CVE-2013-2454 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 163 ] CVE-2013-2455 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 164 ] CVE-2013-2456 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 165 ] CVE-2013-2457 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 166 ] CVE-2013-2458 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 167 ] CVE-2013-2459 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 168 ] CVE-2013-2460 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 169 ] CVE-2013-2461 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 170 ] CVE-2013-2463 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 171 ] CVE-2013-2465 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 172 ] CVE-2013-2469 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 173 ] CVE-2013-2470 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 174 ] CVE-2013-2471 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 175 ] CVE-2013-2472 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 176 ] CVE-2013-2473 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 177 ] CVE-2013-3829 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 178 ] CVE-2013-4002 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4002
[ 179 ] CVE-2013-5772 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 180 ] CVE-2013-5774 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 181 ] CVE-2013-5778 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 182 ] CVE-2013-5780 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 183 ] CVE-2013-5782 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 184 ] CVE-2013-5783 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 185 ] CVE-2013-5784 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 186 ] CVE-2013-5790 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 187 ] CVE-2013-5797 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 188 ] CVE-2013-5800 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 189 ] CVE-2013-5802 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 190 ] CVE-2013-5803 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 191 ] CVE-2013-5804 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 192 ] CVE-2013-5805 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 193 ] CVE-2013-5806 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 194 ] CVE-2013-5809 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 195 ] CVE-2013-5814 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 196 ] CVE-2013-5817 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 197 ] CVE-2013-5820 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 198 ] CVE-2013-5823 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 199 ] CVE-2013-5825 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 200 ] CVE-2013-5829 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 201 ] CVE-2013-5830 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 202 ] CVE-2013-5840 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 203 ] CVE-2013-5842 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 204 ] CVE-2013-5849 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 205 ] CVE-2013-5850 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 206 ] CVE-2013-5851 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 207 ] CVE-2013-6629 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6629
[ 208 ] CVE-2013-6954 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6954
[ 209 ] CVE-2014-0429 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0429
[ 210 ] CVE-2014-0446 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0446
[ 211 ] CVE-2014-0451 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0451
[ 212 ] CVE-2014-0452 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0452
[ 213 ] CVE-2014-0453 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0453
[ 214 ] CVE-2014-0456 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0456
[ 215 ] CVE-2014-0457 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0457
[ 216 ] CVE-2014-0458 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0458
[ 217 ] CVE-2014-0459 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0459
[ 218 ] CVE-2014-0460 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0460
[ 219 ] CVE-2014-0461 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0461
[ 220 ] CVE-2014-1876 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1876
[ 221 ] CVE-2014-2397 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2397
[ 222 ] CVE-2014-2398 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2398
[ 223 ] CVE-2014-2403 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2403
[ 224 ] CVE-2014-2412 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2412
[ 225 ] CVE-2014-2414 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2414
[ 226 ] CVE-2014-2421 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2421
[ 227 ] CVE-2014-2423 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2423
[ 228 ] CVE-2014-2427 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2427

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201406-32.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201406-32.xml

CWE : Common Weakness Enumeration

% Id Name
18 % CWE-200 Information Exposure
18 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
18 % CWE-20 Improper Input Validation
12 % CWE-310 Cryptographic Issues
12 % CWE-264 Permissions, Privileges, and Access Controls
12 % CWE-94 Failure to Control Generation of Code ('Code Injection')
6 % CWE-189 Numeric Errors (CWE/SANS Top 25)
6 % CWE-59 Improper Link Resolution Before File Access ('Link Following')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10088
 
Oval ID: oval:org.mitre.oval:def:10088
Title: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Description: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2009-3555
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11268
 
Oval ID: oval:org.mitre.oval:def:11268
Title: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to the modification of "behavior and state of certain JDK classes" and "mutable static."
Family: windows Class: vulnerability
Reference(s): CVE-2010-3557
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11330
 
Oval ID: oval:org.mitre.oval:def:11330
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3551
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11559
 
Oval ID: oval:org.mitre.oval:def:11559
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is an HTTP request splitting vulnerability involving the handling of the chunked transfer encoding method by the HttpURLConnection class.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3549
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11560
 
Oval ID: oval:org.mitre.oval:def:11560
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that leads to a buffer overflow via a crafted devs (device information) tag structure in a color profile.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3566
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11578
 
Oval ID: oval:org.mitre.oval:def:11578
Title: Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects OpenSSL
Description: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2009-3555
Version: 3
Platform(s): Sun Solaris 10
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11617
 
Oval ID: oval:org.mitre.oval:def:11617
Title: AIX OpenSSL session renegotiation vulnerability
Description: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2009-3555
Version: 3
Platform(s): IBM AIX 5.2
IBM AIX 5.3
IBM AIX 6.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11649
 
Oval ID: oval:org.mitre.oval:def:11649
Title: DEPRECATED: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to unsafe reflection involving the UIDefault.ProxyLazyValue class.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3553
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11714
 
Oval ID: oval:org.mitre.oval:def:11714
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 and earlier versions
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to a calculation error in right-to-left text character counts for the ICU OpenType font rendering implementation, which triggers an out-of-bounds memory access.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3567
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11798
 
Oval ID: oval:org.mitre.oval:def:11798
Title: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to unsafe reflection involving the UIDefault.ProxyLazyValue class.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3553
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11876
 
Oval ID: oval:org.mitre.oval:def:11876
Title: DEPRECATED: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 and earlier versions
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to a calculation error in right-to-left text character counts for the ICU OpenType font rendering implementation, which triggers an out-of-bounds memory access.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3567
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11893
 
Oval ID: oval:org.mitre.oval:def:11893
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a double free vulnerability in IndexColorModel that allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3562
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11930
 
Oval ID: oval:org.mitre.oval:def:11930
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to the modification of "behavior and state of certain JDK classes" and "mutable static."
Family: unix Class: vulnerability
Reference(s): CVE-2010-3557
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11990
 
Oval ID: oval:org.mitre.oval:def:11990
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and earlier versions
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3573
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12029
 
Oval ID: oval:org.mitre.oval:def:12029
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a race condition related to deserialization.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3568
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12040
 
Oval ID: oval:org.mitre.oval:def:12040
Title: DEPRECATED: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 and earlier versions
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that leads to a buffer overflow via a crafted devs (device information) tag structure in a color profile.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3566
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12089
 
Oval ID: oval:org.mitre.oval:def:12089
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to 2D. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the exposure of system properties via vectors related to Font.createFont and exception text.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4471
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12153
 
Oval ID: oval:org.mitre.oval:def:12153
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to a calculation error in right-to-left text character counts for the ICU OpenType font rendering implementation, which triggers an out-of-bounds memory access.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3567
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12180
 
Oval ID: oval:org.mitre.oval:def:12180
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that triggers memory corruption via large values in a subsample of a JPEG image, related to JPEGImageWriter.writeImage in the imageio API.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3565
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12189
 
Oval ID: oval:org.mitre.oval:def:12189
Title: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to "permissions granted to certain system objects."
Family: windows Class: vulnerability
Reference(s): CVE-2010-3554
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12200
 
Oval ID: oval:org.mitre.oval:def:12200
Title: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 and earlier versions
Description: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this involves the use of the privileged accept method in the ServerSocket class, which does not limit which hosts can connect and allows remote attackers to bypass intended network access restrictions.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3561
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12206
 
Oval ID: oval:org.mitre.oval:def:12206
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a race condition related to deserialization.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3568
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12220
 
Oval ID: oval:org.mitre.oval:def:12220
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3573
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12225
 
Oval ID: oval:org.mitre.oval:def:12225
Title: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 and earlier versions
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that leads to a buffer overflow via a crafted devs (device information) tag structure in a color profile.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3566
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12226
 
Oval ID: oval:org.mitre.oval:def:12226
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to execute arbitrary code by causing the defaultReadObject method in the Serialization API to set a volatile field multiple times.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3569
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12229
 
Oval ID: oval:org.mitre.oval:def:12229
Title: DEPRECATED: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that HttpURLConnection does not properly check for the allowHttpTrace permission, which allows untrusted code to perform HTTP TRACE requests.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3574
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12234
 
Oval ID: oval:org.mitre.oval:def:12234
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to execute arbitrary code by causing the defaultReadObject method in the Serialization API to set a volatile field multiple times.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3569
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12269
 
Oval ID: oval:org.mitre.oval:def:12269
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 10 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4467
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12274
 
Oval ID: oval:org.mitre.oval:def:12274
Title: DEPRECATED: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and earlier versions
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3573
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12294
 
Oval ID: oval:org.mitre.oval:def:12294
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that triggers memory corruption via large values in a subsample of a JPEG image, related to JPEGImageWriter.writeImage in the imageio API.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3565
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12328
 
Oval ID: oval:org.mitre.oval:def:12328
Title: DEPRECATED: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a double free vulnerability in IndexColorModel that allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3562
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12367
 
Oval ID: oval:org.mitre.oval:def:12367
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that HttpURLConnection does not properly check for the allowHttpTrace permission, which allows untrusted code to perform HTTP TRACE requests.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3574
Version: 11
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12398
 
Oval ID: oval:org.mitre.oval:def:12398
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Oracle Communications Messaging Server (Sun Java System Messaging Server) component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Webmail. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that the Kerberos implementation does not properly check AP-REQ requests, which allows attackers to cause a denial of service in the JVM. NOTE: CVE has not investigated the apparent discrepancy between the two vendors regarding the consequences of this issue.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3564
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12420
 
Oval ID: oval:org.mitre.oval:def:12420
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux; and 1.4.2_29 and earlier for Solaris and Linux allows local standalone applications to affect confidentiality, integrity, and availability via unknown vectors related to Launcher. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4450
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12426
 
Oval ID: oval:org.mitre.oval:def:12426
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Java Naming and Directory Interface (JNDI) component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to determine internal IP addresses or "otherwise-protected internal network names."
Family: unix Class: vulnerability
Reference(s): CVE-2010-3548
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12437
 
Oval ID: oval:org.mitre.oval:def:12437
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this involves the use of the privileged accept method in the ServerSocket class, which does not limit which hosts can connect and allows remote attackers to bypass intended network access restrictions.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3561
Version: 13
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12449
 
Oval ID: oval:org.mitre.oval:def:12449
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to "permissions granted to certain system objects."
Family: unix Class: vulnerability
Reference(s): CVE-2010-3554
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12450
 
Oval ID: oval:org.mitre.oval:def:12450
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a double free vulnerability in IndexColorModel that allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3562
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12458
 
Oval ID: oval:org.mitre.oval:def:12458
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3551
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12459
 
Oval ID: oval:org.mitre.oval:def:12459
Title: DEPRECATED: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 and earlier versions
Description: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this involves the use of the privileged accept method in the ServerSocket class, which does not limit which hosts can connect and allows remote attackers to bypass intended network access restrictions.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3561
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12462
 
Oval ID: oval:org.mitre.oval:def:12462
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that HttpURLConnection does not properly check for the allowHttpTrace permission, which allows untrusted code to perform HTTP TRACE requests.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3574
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12484
 
Oval ID: oval:org.mitre.oval:def:12484
Title: DEPRECATED: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to execute arbitrary code by causing the defaultReadObject method in the Serialization API to set a volatile field multiple times.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3569
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12488
 
Oval ID: oval:org.mitre.oval:def:12488
Title: DEPRECATED: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3551
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12491
 
Oval ID: oval:org.mitre.oval:def:12491
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3541
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12493
 
Oval ID: oval:org.mitre.oval:def:12493
Title: USN-1024-1 -- openjdk-6 vulnerability
Description: It was discovered that certain system property information was being leaked, which could allow an attacker to obtain sensitive information.
Family: unix Class: patch
Reference(s): USN-1024-1
CVE-2010-3860
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 10.10
Ubuntu 9.10
Ubuntu 10.04
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12518
 
Oval ID: oval:org.mitre.oval:def:12518
Title: DEPRECATED: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to the modification of "behavior and state of certain JDK classes" and "mutable static."
Family: windows Class: vulnerability
Reference(s): CVE-2010-3557
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12531
 
Oval ID: oval:org.mitre.oval:def:12531
Title: DEPRECATED: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is a race condition related to deserialization.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3568
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12545
 
Oval ID: oval:org.mitre.oval:def:12545
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities.
Description: Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to unsafe reflection involving the UIDefault.ProxyLazyValue class.
Family: unix Class: vulnerability
Reference(s): CVE-2010-3553
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12571
 
Oval ID: oval:org.mitre.oval:def:12571
Title: DEPRECATED: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 and earlier versions
Description: Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that triggers memory corruption via large values in a subsample of a JPEG image, related to JPEGImageWriter.writeImage in the imageio API.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3565
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12597
 
Oval ID: oval:org.mitre.oval:def:12597
Title: DEPRECATED: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 and earlier versions
Description: Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to "permissions granted to certain system objects."
Family: windows Class: vulnerability
Reference(s): CVE-2010-3554
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Oracle Java SE
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12662
 
Oval ID: oval:org.mitre.oval:def:12662
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4476
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12745
 
Oval ID: oval:org.mitre.oval:def:12745
Title: HP-UX Apache Web Server, Remote Information Disclosure, Cross-Site Scripting (XSS), Denial of Service (DoS)
Description: The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4476
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12833
 
Oval ID: oval:org.mitre.oval:def:12833
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is heap corruption related to the Verifier and "backward jsrs."
Family: unix Class: vulnerability
Reference(s): CVE-2010-4469
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12879
 
Oval ID: oval:org.mitre.oval:def:12879
Title: DSA-2161-1 openjdk-6 -- denial of service
Description: It was discovered that the floating point parser in OpenJDK, an implementation of the Java platform, can enter an infinite loop when processing certain input strings. Such input strings represent valid numbers and can be contained in data supplied by an attacker over the network, leading to a denial-of-service attack.
Family: unix Class: patch
Reference(s): DSA-2161-1
CVE-2010-4476
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12887
 
Oval ID: oval:org.mitre.oval:def:12887
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows remote attackers to affect availability via unknown vectors related to JAXP and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to "Features set on SchemaFactory not inherited by Validator."
Family: unix Class: vulnerability
Reference(s): CVE-2010-4470
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12903
 
Oval ID: oval:org.mitre.oval:def:12903
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability, related to XML Digital Signature and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves the replacement of the "XML DSig Transform or C14N algorithm implementations."
Family: unix Class: vulnerability
Reference(s): CVE-2010-4472
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12906
 
Oval ID: oval:org.mitre.oval:def:12906
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Networking. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves "DNS cache poisoning by untrusted applets."
Family: unix Class: vulnerability
Reference(s): CVE-2010-4448
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12925
 
Oval ID: oval:org.mitre.oval:def:12925
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the lack of framework support by AWT event dispatch, and/or "clipboard access in Applets."
Family: unix Class: vulnerability
Reference(s): CVE-2010-4465
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13035
 
Oval ID: oval:org.mitre.oval:def:13035
Title: USN-971-1 -- openjdk-6 vulnerabilities
Description: It was discovered that the IcedTea plugin did not correctly check certain accesses. If a user or automated system were tricked into running a specially crafted Java applet, a remote attacker could read arbitrary files with user privileges, leading to a loss of privacy
Family: unix Class: patch
Reference(s): USN-971-1
CVE-2010-2548
CVE-2010-2783
Version: 5
Platform(s): Ubuntu 10.04
Ubuntu 9.04
Ubuntu 9.10
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13043
 
Oval ID: oval:org.mitre.oval:def:13043
Title: DSA-2224-1 openjdk-6 -- several
Description: Several security vulnerabilities were discovered in OpenJDK, an implementation of the Java platform. CVE-2010-4351 The JNLP SecurityManager returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader. CVE-2010-4448 Malicious applets can perform DNS cache poisoning. CVE-2010-4450 An empty LD_LIBRARY_PATH environment variable results in a misconstructed library search path, resulting in code execution from possibly untrusted sources. CVE-2010-4465 Malicious applets can extend their privileges by abusing Swing timers. CVE-2010-4469 The Hotspot just-in-time compiler miscompiles crafted byte sequences, resulting in heap corruption. CVE-2010-4470 JAXP can be exploited by untrusted code to elevate privileges. CVE-2010-4471 Java2D can be exploited by untrusted code to elevate privileges. CVE-2010-4472 Untrusted code can replace the XML DSIG implementation. CVE-2011-0025 Signatures on JAR files are not properly verified, which allows remote attackers to trick users into executing code that appears to come from a trusted source. CVE-2011-0706 The JNLPClassLoader class allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of "an inappropriate security descriptor In addition, this security update contains stability fixes, such as switching to the recommended Hotspot version for this particular version of OpenJDK.
Family: unix Class: patch
Reference(s): DSA-2224-1
CVE-2010-4351
CVE-2010-4448
CVE-2010-4450
CVE-2010-4465
CVE-2010-4469
CVE-2010-4470
CVE-2010-4471
CVE-2010-4472
CVE-2011-0025
CVE-2011-0706
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13085
 
Oval ID: oval:org.mitre.oval:def:13085
Title: USN-927-1 -- nss vulnerability
Description: Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user�s session. This update adds support for the new new renegotiation extension and will use it when the server supports it.
Family: unix Class: patch
Reference(s): USN-927-1
CVE-2009-3555
Version: 5
Platform(s): Ubuntu 9.10
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13241
 
Oval ID: oval:org.mitre.oval:def:13241
Title: USN-1079-1 -- openjdk-6 vulnerabilities
Description: It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. It was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. It was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. It was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. It was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. It was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. It was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. Konstantin Preißer and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. It was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor
Family: unix Class: patch
Reference(s): USN-1079-1
CVE-2010-4448
CVE-2010-4450
CVE-2010-4465
CVE-2010-4469
CVE-2010-4470
CVE-2010-4471
CVE-2010-4472
CVE-2010-4476
CVE-2011-0706
Version: 5
Platform(s): Ubuntu 10.10
Ubuntu 9.10
Ubuntu 10.04
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13305
 
Oval ID: oval:org.mitre.oval:def:13305
Title: USN-1010-1 -- openjdk-6, openjdk-6b18 vulnerabilities
Description: Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user�s session. USN-923-1 disabled SSL/TLS renegotiation by default; this update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, and thus supports secure renegotiation between updated clients and servers. It was discovered that the HttpURLConnection class did not validate request headers set by java applets, which could allow an attacker to trigger actions otherwise not allowed to HTTP clients. It was discovered that JNDI could leak information that would allow an attacker to access information about otherwise-protected internal network names. It was discovered that HttpURLConnection improperly handled the "chunked" transfer encoding method, which could allow attackers to conduct HTTP response splitting attacks. It was discovered that the NetworkInterface class improperly checked the network "connect" permissions for local network addresses. This could allow an attacker to read local network addresses. It was discovered that UIDefault.ProxyLazyValue had unsafe reflection usage, allowing an attacker to create objects. It was discovered that multiple flaws in the CORBA reflection implementation could allow an attacker to execute arbitrary code by misusing permissions granted to certain system objects. It was discovered that unspecified flaws in the Swing library could allow untrusted applications to modify the behavior and state of certain JDK classes. It was discovered that the privileged accept method of the ServerSocket class in the CORBA implementation allowed it to receive connections from any host, instead of just the host of the current connection. An attacker could use this flaw to bypass restrictions defined by network permissions. It was discovered that there exists a double free in java�s indexColorModel that could allow an attacker to cause an applet or application to crash, or possibly execute arbitrary code with the privilege of the user running the java applet or application. It was discovered that the Kerberos implementation improperly checked AP-REQ requests, which could allow an attacker to cause a denial of service against the receiving JVM. It was discovered that improper checks of unspecified image metadata in JPEGImageWriter.writeImage of the imageio API could allow an attacker to execute arbitrary code with the privileges of the user running a java applet or application. It was discovered that an unspecified vulnerability in the ICC profile handling code could allow an attacker to execute arbitrary code with the privileges of the user running a java applet or application. It was discovered that a miscalculation in the OpenType font rendering implementation would allow out-of-bounds memory access. This could allow an attacker to execute arbitrary code with the privileges of the user running a java application. It was discovered that an unspecified race condition in the way objects were deserialized could allow an attacker to cause an applet or application to misuse the privileges of the user running the java applet or application. It was discovered that the defaultReadObject of the Serialization API could be tricked into setting a volatile field multiple times. This could allow an attacker to execute arbitrary code with the privileges of the user running a java applet or application. It was discovered that the HttpURLConnection class did not validate request headers set by java applets, which could allow an attacker to trigger actions otherwise not allowed to HTTP clients. It was discovered that the HttpURLConnection class improperly checked whether the calling code was granted the "allowHttpTrace" permission, allowing an attacker to create HTTP TRACE requests
Family: unix Class: patch
Reference(s): USN-1010-1
CVE-2009-3555
CVE-2010-3541
CVE-2010-3548
CVE-2010-3549
CVE-2010-3551
CVE-2010-3553
CVE-2010-3554
CVE-2010-3557
CVE-2010-3561
CVE-2010-3562
CVE-2010-3564
CVE-2010-3565
CVE-2010-3566
CVE-2010-3567
CVE-2010-3568
CVE-2010-3569
CVE-2010-3573
CVE-2010-3574
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 10.10
Ubuntu 9.10
Ubuntu 10.04
Product(s): openjdk-6
openjdk-6b18
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13317
 
Oval ID: oval:org.mitre.oval:def:13317
Title: Multiple unspecified vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Description: Multiple unspecified vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Family: windows Class: vulnerability
Reference(s): CVE-2011-0862
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13374
 
Oval ID: oval:org.mitre.oval:def:13374
Title: USN-1055-1 -- openjdk-6, openjdk-6b18 vulnerabilities
Description: It was discovered that IcedTea for Java did not properly verify signatures when handling multiply signed or partially signed JAR files, allowing an attacker to cause code to execute that appeared to come from a verified source. USN 1052-1 fixed a vulnerability in OpenJDK for Ubuntu 9.10 and Ubuntu 10.04 LTS on all architectures, and Ubuntu 10.10 for all architectures except for the armel architecture. This update provides the corresponding update for Ubuntu 10.10 on the armel architecture. Original advisory details: It was discovered that the JNLP SecurityManager in IcedTea for Java OpenJDK in some instances failed to properly apply the intended scurity policy in its checkPermission method. This could allow an attacker to execute code with privileges that should have been prevented
Family: unix Class: patch
Reference(s): USN-1055-1
CVE-2011-0025
CVE-2010-4351
Version: 5
Platform(s): Ubuntu 10.10
Ubuntu 9.10
Ubuntu 10.04
Product(s): openjdk-6
openjdk-6b18
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13407
 
Oval ID: oval:org.mitre.oval:def:13407
Title: USN-1079-3 -- openjdk-6b18 vulnerabilities
Description: USN-1079-2 fixed vulnerabilities in OpenJDK 6 for armel architectures in Ubuntu 9.10 and Ubuntu 10.04 LTS. This update fixes vulnerabilities in OpenJDK 6 for armel architectures for Ubuntu 10.10. Original advisory details: It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. It was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. It was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. It was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. It was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. It was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. It was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. Konstantin Preißer and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. It was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor
Family: unix Class: patch
Reference(s): USN-1079-3
CVE-2010-4448
CVE-2010-4450
CVE-2010-4465
CVE-2010-4469
CVE-2010-4470
CVE-2010-4471
CVE-2010-4472
CVE-2010-4476
CVE-2011-0706
Version: 5
Platform(s): Ubuntu 10.10
Product(s): openjdk-6b18
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13410
 
Oval ID: oval:org.mitre.oval:def:13410
Title: USN-1052-1 -- openjdk-6, openjdk-6b18 vulnerability
Description: It was discovered that the JNLP SecurityManager in IcedTea for Java OpenJDK in some instances failed to properly apply the intended scurity policy in its checkPermission method. This could allow an attacker execute code with privileges that should have been prevented
Family: unix Class: patch
Reference(s): USN-1052-1
CVE-2010-4351
Version: 5
Platform(s): Ubuntu 10.10
Ubuntu 9.10
Ubuntu 10.04
Product(s): openjdk-6
openjdk-6b18
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13424
 
Oval ID: oval:org.mitre.oval:def:13424
Title: USN-990-1 -- openssl vulnerability
Description: Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user�s session. This update adds backported support for the new RFC5746 renegotiation extension and will use it when both the client and the server support it. ATTENTION: After applying this update, a patched server will allow both patched and unpatched clients to connect, but unpatched clients will not be able to renegotiate
Family: unix Class: patch
Reference(s): USN-990-1
CVE-2009-3555
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 10.04
Ubuntu 9.10
Ubuntu 6.06
Ubuntu 9.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13440
 
Oval ID: oval:org.mitre.oval:def:13440
Title: USN-927-4 -- nss vulnerability
Description: USN-927-1 fixed vulnerabilities in nss in Ubuntu 9.10. This update provides the corresponding updates for Ubuntu 8.04 LTS. Original advisory details: Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user�s session. This update adds support for the new new renegotiation extension and will use it when the server supports it.
Family: unix Class: patch
Reference(s): USN-927-4
CVE-2009-3555
Version: 5
Platform(s): Ubuntu 8.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13475
 
Oval ID: oval:org.mitre.oval:def:13475
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3558
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13529
 
Oval ID: oval:org.mitre.oval:def:13529
Title: USN-990-2 -- apache2 vulnerability
Description: USN-860-1 introduced a partial workaround to Apache that disabled client initiated TLS renegotiation in order to mitigate CVE-2009-3555. USN-990-1 introduced the new RFC5746 renegotiation extension in openssl, and completely resolves the issue. After updating openssl, an Apache server will allow both patched and unpatched web browsers to connect, but unpatched browsers will not be able to renegotiate. This update introduces the new SSLInsecureRenegotiation directive for Apache that may be used to re-enable insecure renegotiations with unpatched web browsers. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user�s session. This update adds backported support for the new RFC5746 renegotiation extension and will use it when both the client and the server support it.
Family: unix Class: patch
Reference(s): USN-990-2
CVE-2009-3555
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 10.04
Ubuntu 9.10
Ubuntu 6.06
Ubuntu 9.04
Product(s): apache2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13532
 
Oval ID: oval:org.mitre.oval:def:13532
Title: USN-927-6 -- nss vulnerability
Description: USN-927-1 fixed vulnerabilities in NSS on Ubuntu 9.10. This update provides the corresponding updates for Ubuntu 9.04. Original advisory details: Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user�s session. This update adds support for the new new renegotiation extension and will use it when the server supports it.
Family: unix Class: patch
Reference(s): USN-927-6
CVE-2009-3555
Version: 5
Platform(s): Ubuntu 9.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13623
 
Oval ID: oval:org.mitre.oval:def:13623
Title: DSA-1934-1 apache2 -- multiple issues
Description: A design flaw has been found in the TLS and SSL protocol that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection. The attack is related to the way how TLS and SSL handle session renegotiations. CVE-2009-3555 has been assigned to this vulnerability. As a partial mitigation against this attack, this apache2 update disables client-initiated renegotiations. This should fix the vulnerability for the majority of Apache configurations in use. NOTE: This is not a complete fix for the problem. The attack is still possible in configurations where the server initiates the renegotiation. This is the case for the following configurations: - - The "SSLVerifyClient" directive is used in a Directory or Location context. - - The "SSLCipherSuite" directive is used in a Directory or Location context. As a workaround, you may rearrange your configuration in a way that SSLVerifyClient and SSLCipherSuite are only used on the server or virtual host level. A complete fix for the problem will require a protocol change. Further information will be included in a separate announcement about this issue. In addition, this update fixes the following issues in Apache's mod_proxy_ftp: CVE-2009-3094: Insufficient input validation in the mod_proxy_ftp module allowed remote FTP servers to cause a denial of service via a malformed reply to an EPSV command. CVE-2009-3095: Insufficient input validation in the mod_proxy_ftp module allowed remote authenticated attackers to bypass intended access restrictions and send arbitrary FTP commands to an FTP server. For the stable distribution, these problems have been fixed in version 2.2.9-10+lenny6. This version also includes some non-security bug fixes that were scheduled for inclusion in the next stable point release. The oldstable distribution, these problems have been fixed in version 2.2.3-4+etch11. For the testing distribution and the unstable distribution, these problems will be fixed in version 2.2.14-2. This advisory also provides updated apache2-mpm-itk packages which have been recompiled against the new apache2 packages. Updated apache2-mpm-itk packages for the armel architecture are not included yet. They will be released as soon as they become available. We recommend that you upgrade your apache2 and apache2-mpm-itk packages.
Family: unix Class: patch
Reference(s): DSA-1934-1
CVE-2009-3094
CVE-2009-3095
CVE-2009-3555
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): apache2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13639
 
Oval ID: oval:org.mitre.oval:def:13639
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is heap corruption related to the Verifier and "backward jsrs."
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is heap corruption related to the Verifier and "backward jsrs."
Family: windows Class: vulnerability
Reference(s): CVE-2010-4469
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13662
 
Oval ID: oval:org.mitre.oval:def:13662
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3521
Version: 10
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13733
 
Oval ID: oval:org.mitre.oval:def:13733
Title: USN-1079-2 -- openjdk-6b18 vulnerabilities
Description: USN-1079-1 fixed vulnerabilities in OpenJDK 6 for non-armel architectures. This update provides the corresponding updates for OpenJDK 6 for use with the armel architectures. In order to build the armel OpenJDK 6 update for Ubuntu 10.04 LTS, it was necessary to rebuild binutils and gcj-4.4 from Ubuntu 10.04 LTS updates. Original advisory details: It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. It was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. It was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. It was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. It was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. It was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. It was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. Konstantin Preißer and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. It was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor
Family: unix Class: patch
Reference(s): USN-1079-2
CVE-2010-4448
CVE-2010-4450
CVE-2010-4465
CVE-2010-4469
CVE-2010-4470
CVE-2010-4471
CVE-2010-4472
CVE-2010-4476
CVE-2011-0706
Version: 5
Platform(s): Ubuntu 9.10
Ubuntu 10.04
Product(s): openjdk-6b18
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13947
 
Oval ID: oval:org.mitre.oval:def:13947
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3544
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13976
 
Oval ID: oval:org.mitre.oval:def:13976
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.
Family: windows Class: vulnerability
Reference(s): CVE-2012-0505
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14034
 
Oval ID: oval:org.mitre.oval:def:14034
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the lack of framework support by AWT event dispatch, and/or "clipboard access in Applets."
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the lack of framework support by AWT event dispatch, and/or "clipboard access in Applets."
Family: windows Class: vulnerability
Reference(s): CVE-2010-4465
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14045
 
Oval ID: oval:org.mitre.oval:def:14045
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Networking. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves "DNS cache poisoning by untrusted applets."
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Networking. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves "DNS cache poisoning by untrusted applets."
Family: windows Class: vulnerability
Reference(s): CVE-2010-4448
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14076
 
Oval ID: oval:org.mitre.oval:def:14076
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows remote attackers to affect availability via unknown vectors related to JAXP and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to "Features set on SchemaFactory not inherited by Validator."
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows remote attackers to affect availability via unknown vectors related to JAXP and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to "Features set on SchemaFactory not inherited by Validator."
Family: windows Class: vulnerability
Reference(s): CVE-2010-4470
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14081
 
Oval ID: oval:org.mitre.oval:def:14081
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Deserialization.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Deserialization.
Family: windows Class: vulnerability
Reference(s): CVE-2011-0865
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14082
 
Oval ID: oval:org.mitre.oval:def:14082
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to CORBA.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to CORBA.
Family: windows Class: vulnerability
Reference(s): CVE-2012-0506
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14112
 
Oval ID: oval:org.mitre.oval:def:14112
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing.
Family: windows Class: vulnerability
Reference(s): CVE-2011-0871
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14114
 
Oval ID: oval:org.mitre.oval:def:14114
Title: USN-1154-1 -- openjdk-6, openjdk-6b18 vulnerabilities
Description: openjdk-6: Open Source Java implementation - openjdk-6b18: Open Source Java implementation Multiple OpenJDK 6 vulnerabilities have been fixed.
Family: unix Class: patch
Reference(s): USN-1154-1
CVE-2011-0815
CVE-2011-0822
CVE-2011-0862
CVE-2011-0864
CVE-2011-0865
CVE-2011-0867
CVE-2011-0868
CVE-2011-0869
CVE-2011-0870
CVE-2011-0871
CVE-2011-0872
Version: 5
Platform(s): Ubuntu 11.04
Ubuntu 10.04
Ubuntu 10.10
Product(s): openjdk-6
openjdk-6b18
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14117
 
Oval ID: oval:org.mitre.oval:def:14117
Title: The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of "an inappropriate security descriptor."
Description: The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of "an inappropriate security descriptor."
Family: windows Class: vulnerability
Reference(s): CVE-2011-0706
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14118
 
Oval ID: oval:org.mitre.oval:def:14118
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability, related to XML Digital Signature and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves the replacement of the "XML DSig Transform or C14N algorithm implementations."
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability, related to XML Digital Signature and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves the replacement of the "XML DSig Transform or C14N algorithm implementations."
Family: windows Class: vulnerability
Reference(s): CVE-2010-4472
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14135
 
Oval ID: oval:org.mitre.oval:def:14135
Title: DEPRECATED: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux; and 1.4.2_29 and earlier for Solaris and Linux allows local standalone applications to affect confidentiality, integrity, and availability via unknown vectors related to Launcher. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux; and 1.4.2_29 and earlier for Solaris and Linux allows local standalone applications to affect confidentiality, integrity, and availability via unknown vectors related to Launcher. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.
Family: windows Class: vulnerability
Reference(s): CVE-2010-4450
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14225
 
Oval ID: oval:org.mitre.oval:def:14225
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.
Family: windows Class: vulnerability
Reference(s): CVE-2011-0864
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14241
 
Oval ID: oval:org.mitre.oval:def:14241
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect availability via unknown vectors related to NIO.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect availability via unknown vectors related to NIO.
Family: windows Class: vulnerability
Reference(s): CVE-2011-0872
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14264
 
Oval ID: oval:org.mitre.oval:def:14264
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D.
Family: windows Class: vulnerability
Reference(s): CVE-2011-0868
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14311
 
Oval ID: oval:org.mitre.oval:def:14311
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3553
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14316
 
Oval ID: oval:org.mitre.oval:def:14316
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3556
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14318
 
Oval ID: oval:org.mitre.oval:def:14318
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3551
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14328
 
Oval ID: oval:org.mitre.oval:def:14328
Title: The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.
Description: The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.
Family: windows Class: vulnerability
Reference(s): CVE-2010-4476
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14335
 
Oval ID: oval:org.mitre.oval:def:14335
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to AWT.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to AWT.
Family: windows Class: vulnerability
Reference(s): CVE-2011-0815
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14338
 
Oval ID: oval:org.mitre.oval:def:14338
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to SAAJ.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to SAAJ.
Family: windows Class: vulnerability
Reference(s): CVE-2011-0869
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14339
 
Oval ID: oval:org.mitre.oval:def:14339
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3547
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14340
 
Oval ID: oval:org.mitre.oval:def:14340
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is an HTTP request splitting vulnerability involving the handling of the chunked transfer encoding method by the HttpURLConnection class.
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is an HTTP request splitting vulnerability involving the handling of the chunked transfer encoding method by the HttpURLConnection class.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3549
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14354
 
Oval ID: oval:org.mitre.oval:def:14354
Title: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
Family: windows Class: vulnerability
Reference(s): CVE-2010-3541
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14373
 
Oval ID: oval:org.mitre.oval:def:14373
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3557
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14384
 
Oval ID: oval:org.mitre.oval:def:14384
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 10 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 10 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Family: windows Class: vulnerability
Reference(s): CVE-2010-4467
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14394
 
Oval ID: oval:org.mitre.oval:def:14394
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3560
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14417
 
Oval ID: oval:org.mitre.oval:def:14417
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to 2D. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the exposure of system properties via vectors related to Font.createFont and exception text.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to 2D. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the exposure of system properties via vectors related to Font.createFont and exception text.
Family: windows Class: vulnerability
Reference(s): CVE-2010-4471
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14463
 
Oval ID: oval:org.mitre.oval:def:14463
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Deserialization.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0865
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14465
 
Oval ID: oval:org.mitre.oval:def:14465
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3552
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14475
 
Oval ID: oval:org.mitre.oval:def:14475
Title: Unspecified vulnerability in the Java Naming and Directory Interface (JNDI) component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to determine internal IP addresses or "otherwise-protected internal network names."
Description: Unspecified vulnerability in the Java Naming and Directory Interface (JNDI) component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to determine internal IP addresses or "otherwise-protected internal network names."
Family: windows Class: vulnerability
Reference(s): CVE-2010-3548
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14492
 
Oval ID: oval:org.mitre.oval:def:14492
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3548
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Development Kit
Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14524
 
Oval ID: oval:org.mitre.oval:def:14524
Title: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.
Description: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3554
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14541
 
Oval ID: oval:org.mitre.oval:def:14541
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Multiple unspecified vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0862
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14589
 
Oval ID: oval:org.mitre.oval:def:14589
Title: HP-UX Apache Running Tomcat Servlet Engine, Remote Information Disclosure, Authentication Bypass, Cross-Site Scripting (XSS), Unauthorized Access, Denial of Service (DoS)
Description: The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4476
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14632
 
Oval ID: oval:org.mitre.oval:def:14632
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0864
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14644
 
Oval ID: oval:org.mitre.oval:def:14644
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to SAAJ.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0869
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14752
 
Oval ID: oval:org.mitre.oval:def:14752
Title: SSL and TLS Protocols Vulnerability
Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3389
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows 7
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14772
 
Oval ID: oval:org.mitre.oval:def:14772
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, and 6 Update 30 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, and 6 Update 30 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Family: windows Class: vulnerability
Reference(s): CVE-2012-0497
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14813
 
Oval ID: oval:org.mitre.oval:def:14813
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to I18n.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to I18n.
Family: windows Class: vulnerability
Reference(s): CVE-2012-0503
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14827
 
Oval ID: oval:org.mitre.oval:def:14827
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect confidentiality via unknown vectors related to 2D.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0868
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14896
 
Oval ID: oval:org.mitre.oval:def:14896
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to AWT.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0815
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14900
 
Oval ID: oval:org.mitre.oval:def:14900
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and availability, related to AWT.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and availability, related to AWT.
Family: windows Class: vulnerability
Reference(s): CVE-2012-0502
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14915
 
Oval ID: oval:org.mitre.oval:def:14915
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect availability via unknown vectors related to NIO.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0872
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14942
 
Oval ID: oval:org.mitre.oval:def:14942
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Sound.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Sound.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3563
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15069
 
Oval ID: oval:org.mitre.oval:def:15069
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect availability via unknown vectors.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect availability via unknown vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2012-0501
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15238
 
Oval ID: oval:org.mitre.oval:def:15238
Title: DSA-2311-1 openjdk-6 -- several
Description: Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java SE platform. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-0862 Integer overflow errors in the JPEG and font parser allow untrusted code to elevate its privileges. CVE-2011-0864 Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code to crash the virtual machine. CVE-2011-0865 A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact. CVE-2011-0867 Untrusted code could access information about network interfaces which was not intended to be public. CVE-2011-0868 A float-to-long conversion could overflow, allowing untrusted code to crash the virtual machine. CVE-2011-0869 Untrusted code could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection. CVE-2011-0871 Untrusted code could elevate its privileges through the Swing MediaTracker code. In addition, this update removes support for the Zero/Shark and Cacao Hotspot variants from the i386 and amd64 due to stability issues. These Hotspot variants are included in the openjdk-6-jre-zero and icedtea-6-jre-cacao packages, and these packages must be removed during this update.
Family: unix Class: patch
Reference(s): DSA-2311-1
CVE-2011-0862
CVE-2011-0864
CVE-2011-0865
CVE-2011-0867
CVE-2011-0868
CVE-2011-0869
CVE-2011-0871
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15241
 
Oval ID: oval:org.mitre.oval:def:15241
Title: DSA-2368-1 lighttpd -- multiple
Description: Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint. CVE-2011-4362 Xi Wang discovered that the base64 decoding routine which is used to decode user input during an HTTP authentication, suffers of a signedness issue when processing user input. As a result it is possible to force lighttpd to perform an out-of-bounds read which results in Denial of Service conditions. CVE-2011-3389 When using CBC ciphers on an SSL enabled virtual host to communicate with certain client, a so called "BEAST" attack allows man-in-the-middle attackers to obtain plaintext HTTP traffic via a blockwise chosen-boundary attack on an HTTPS session. Technically this is no lighttpd vulnerability. However, lighttpd offers a workaround to mitigate this problem by providing a possibility to disable CBC ciphers. This updates includes this option by default. System administrators are advised to read the NEWS file of this update.
Family: unix Class: patch
Reference(s): DSA-2368-1
CVE-2011-4362
CVE-2011-3389
Version: 7
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): lighttpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15281
 
Oval ID: oval:org.mitre.oval:def:15281
Title: DSA-2356-1 openjdk-6 -- several
Description: Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform: CVE-2011-3389 The TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode. CVE-2011-3521 The CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code to elevate its privileges. CVE-2011-3544 The Java scripting engine lacks necessary security manager checks, allowing untrusted Java code to elevate its privileges. CVE-2011-3547 The skip method in java.io.InputStream uses a shared buffer, allowing untrusted Java code to access data that is skipped by other code. CVE-2011-3548 The java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code to elevate its privileges. CVE-2011-3551 The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code to elevate its privileges. CVE-2011-3552 Malicous Java code can use up an excessive amount of UDP ports, leading to a denial of service. CVE-2011-3553 JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information. CVE-2011-3554 JAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files. CVE-2011-3556 The RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitary code. CVE-2011-3557 The RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server. CVE-2011-3560 The com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory method, allowing untrusted Java code to bypass security policy restrictions.
Family: unix Class: patch
Reference(s): DSA-2356-1
CVE-2011-3389
CVE-2011-3521
CVE-2011-3544
CVE-2011-3547
CVE-2011-3548
CVE-2011-3551
CVE-2011-3552
CVE-2011-3553
CVE-2011-3554
CVE-2011-3556
CVE-2011-3557
CVE-2011-3560
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15316
 
Oval ID: oval:org.mitre.oval:def:15316
Title: USN-1263-1 -- IcedTea-Web, OpenJDK 6 vulnerabilities
Description: icedtea-web: A web browser plugin to execute Java applets - openjdk-6: Open Source Java implementation - openjdk-6b18: Open Source Java implementation Multiple OpenJDK 6 and IcedTea-Web vulnerabilities have been fixed.
Family: unix Class: patch
Reference(s): USN-1263-1
CVE-2011-3377
CVE-2011-3389
CVE-2011-3521
CVE-2011-3544
CVE-2011-3547
CVE-2011-3548
CVE-2011-3551
CVE-2011-3552
CVE-2011-3553
CVE-2011-3554
CVE-2011-3556
CVE-2011-3557
CVE-2011-3558
CVE-2011-3560
Version: 5
Platform(s): Ubuntu 11.04
Ubuntu 11.10
Ubuntu 10.04
Ubuntu 10.10
Product(s): IcedTea-Web
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15328
 
Oval ID: oval:org.mitre.oval:def:15328
Title: USN-1263-2 -- OpenJDK 6 regression
Description: openjdk-6: Open Source Java implementation - openjdk-6b18: Open Source Java implementation Details: USN-1263-1 fixed vulnerabilities in OpenJDK 6. The upstream patch for the chosen plaintext attack on the block-wise AES encryption algorithm introduced a regression that caused TLS/SSL connections to fail when using certain algorithms. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-1263-1 caused a regression when using OpenJDK 6�s SSL/TLS implementation.
Family: unix Class: patch
Reference(s): USN-1263-2
CVE-2011-3389
CVE-2011-3377
CVE-2011-3521
CVE-2011-3544
CVE-2011-3547
CVE-2011-3548
CVE-2011-3551
CVE-2011-3552
CVE-2011-3553
CVE-2011-3554
CVE-2011-3556
CVE-2011-3557
CVE-2011-3558
CVE-2011-3560
Version: 5
Platform(s): Ubuntu 11.04
Ubuntu 11.10
Ubuntu 10.04
Ubuntu 10.10
Product(s): OpenJDK
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15374
 
Oval ID: oval:org.mitre.oval:def:15374
Title: DSA-2358-1 openjdk-6 -- several
Description: Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform. This combines the two previous openjdk-6 advisories, DSA-2311-1 and DSA-2356-1. CVE-2011-0862 Integer overflow errors in the JPEG and font parser allow untrusted code to elevate its privileges. CVE-2011-0864 Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code to crash the virtual machine. CVE-2011-0865 A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact. CVE-2011-0867 Untrusted code could access information about network interfaces which was not intended to be public. CVE-2011-0868 A float-to-long conversion could overflow, allowing untrusted code to crash the virtual machine. CVE-2011-0869 Untrusted code could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection. CVE-2011-0871 Untrusted code could elevate its privileges through the Swing MediaTracker code. CVE-2011-3389 The TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode. CVE-2011-3521 The CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code to elevate its privileges. CVE-2011-3544 The Java scripting engine lacks necessary security manager checks, allowing untrusted Java code to elevate its privileges. CVE-2011-3547 The skip method in java.io.InputStream uses a shared buffer, allowing untrusted Java code to access data that is skipped by other code. CVE-2011-3548 The java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code to elevate its privileges. CVE-2011-3551 The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code to elevate its privileges. CVE-2011-3552 Malicous Java code can use up an excessive amount of UDP ports, leading to a denial of service. CVE-2011-3553 JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information. CVE-2011-3554 JAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files. CVE-2011-3556 The RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitary code. CVE-2011-3557 The RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server. CVE-2011-3560 The com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory method, allowing untrusted Java code to bypass security policy restrictions.
Family: unix Class: patch
Reference(s): DSA-2358-1
CVE-2011-0862
CVE-2011-0864
CVE-2011-0865
CVE-2011-0867
CVE-2011-0868
CVE-2011-0869
CVE-2011-0871
CVE-2011-3389
CVE-2011-3521
CVE-2011-3544
CVE-2011-3547
CVE-2011-3548
CVE-2011-3551
CVE-2011-3552
CVE-2011-3553
CVE-2011-3554
CVE-2011-3556
CVE-2011-3557
CVE-2011-3560
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15708
 
Oval ID: oval:org.mitre.oval:def:15708
Title: Vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; JavaFX 2.2.7 and earlier; and OpenJDK 6 and 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "JPEGImageReader state corruption" when using native code.
Family: windows Class: vulnerability
Reference(s): CVE-2013-2430
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
JavaFX
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15733
 
Oval ID: oval:org.mitre.oval:def:15733
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: 2D) 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" that can trigger an integer overflow and memory corruption.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" that can trigger an integer overflow and memory corruption.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1478
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15832
 
Oval ID: oval:org.mitre.oval:def:15832
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: JSSE) 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect validation of Diffie-Hellman keys, which allows remote attackers to conduct a "small subgroup attack" to force the use of weak session keys or obtain sensitive information about the private key.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect validation of Diffie-Hellman keys, which allows remote attackers to conduct a "small subgroup attack" to force the use of weak session keys or obtain sensitive information about the private key.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0443
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15888
 
Oval ID: oval:org.mitre.oval:def:15888
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: Libraries) 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0428. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect "access control checks" in the logging API that allow remote attackers to bypass Java sandbox restrictions.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0428. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect "access control checks" in the logging API that allow remote attackers to bypass Java sandbox restrictions.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0426
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15923
 
Oval ID: oval:org.mitre.oval:def:15923
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: Security) 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect availability via unknown vectors related to Security.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect availability via unknown vectors related to Security.
Family: windows Class: vulnerability
Reference(s): CVE-2012-1718
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15996
 
Oval ID: oval:org.mitre.oval:def:15996
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: CORBA) 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to CORBA.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to CORBA.
Family: windows Class: vulnerability
Reference(s): CVE-2012-1711
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:16011
 
Oval ID: oval:org.mitre.oval:def:16011
Title: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JAX-WS) 7 Update 17 and before. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows local users to affect confidentiality via vectors related to JAX-WS. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "processing of MTOM attachments" and the creation of temporary files with weak permissions.
Family: windows Class: vulnerability
Reference(s): CVE-2013-2415
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:16013
 
Oval ID: oval:org.mitre.oval:def:16013
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: Libraries) 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, allows remote attackers to affect integrity via unknown vectors related to Libraries. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to interrupt certain threads that should not be interrupted.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect integrity via unknown vectors related to Libraries. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to interrupt certain threads that should not be interrupted.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0427
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:16035
 
Oval ID: oval:org.mitre.oval:def:16035
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: AWT) 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an improper check of "privileges of the code" that bypasses the sandbox.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an improper check of "privileges of the code" that bypasses the sandbox.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0442
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:16043
 
Oval ID: oval:org.mitre.oval:def:16043
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.
Family: windows Class: vulnerability
Reference(s): CVE-2012-5081
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:16045
 
Oval ID: oval:org.mitre.oval:def:16045
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: AWT) 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" in awt_parseImage.c, which triggers memory corruption.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" in awt_parseImage.c, which triggers memory corruption.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1480
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis: