Executive Summary

Summary
Title HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Unauthorized Disclosure
Informations
Name HPSBUX02856 SSRT101104 First vendor Publication 2013-03-21
Vendor HP Last vendor Modification 2013-03-21
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Potential security vulnerabilities have been identified with HP-UX OpenSSL. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or allow unauthorized disclosure of information.

Original Source

Url : http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03710522

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18302
 
Oval ID: oval:org.mitre.oval:def:18302
Title: USN-1732-1 -- openssl vulnerabilities
Description: Several security issues were fixed in OpenSSL.
Family: unix Class: patch
Reference(s): USN-1732-1
CVE-2012-2686
CVE-2013-0166
CVE-2013-0169
Version: 7
Platform(s): Ubuntu 12.10
Ubuntu 12.04
Ubuntu 11.10
Ubuntu 10.04
Ubuntu 8.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18565
 
Oval ID: oval:org.mitre.oval:def:18565
Title: DSA-2621-1 openssl - several vulnerabilities
Description: Multiple vulnerabilities have been found in OpenSSL.
Family: unix Class: patch
Reference(s): DSA-2621-1
CVE-2013-0166
CVE-2013-0169
Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18754
 
Oval ID: oval:org.mitre.oval:def:18754
Title: HP-UX Apache Web Server, Remote Denial of Service (DoS)
Description: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0166
Version: 6
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18841
 
Oval ID: oval:org.mitre.oval:def:18841
Title: HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Unauthorized Disclosure
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0169
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19016
 
Oval ID: oval:org.mitre.oval:def:19016
Title: OpenSSL vulnerability before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d in VisualSVN Server (CVE-2013-0169)
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0169
Version: 6
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): VisualSVN Server
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19081
 
Oval ID: oval:org.mitre.oval:def:19081
Title: OpenSSL vulnerability before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d in VisualSVN Server (CVE-2013-0166)
Description: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0166
Version: 6
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): VisualSVN Server
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19360
 
Oval ID: oval:org.mitre.oval:def:19360
Title: Multiple OpenSSL vulnerabilities
Description: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0166
Version: 5
Platform(s): IBM AIX 5.3
IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19424
 
Oval ID: oval:org.mitre.oval:def:19424
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0169
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19428
 
Oval ID: oval:org.mitre.oval:def:19428
Title: HP-UX Apache Web Server, Remote Denial of Service (DoS)
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0169
Version: 7
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19487
 
Oval ID: oval:org.mitre.oval:def:19487
Title: HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Unauthorized Disclosure
Description: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0166
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19540
 
Oval ID: oval:org.mitre.oval:def:19540
Title: HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0169
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19608
 
Oval ID: oval:org.mitre.oval:def:19608
Title: Multiple OpenSSL vulnerabilities
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0169
Version: 5
Platform(s): IBM AIX 5.3
IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20686
 
Oval ID: oval:org.mitre.oval:def:20686
Title: VMware vSphere, ESX and ESXi updates to third party libraries
Description: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0166
Version: 4
Platform(s): VMWare ESX Server 4.1
VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20786
 
Oval ID: oval:org.mitre.oval:def:20786
Title: VMware vSphere, ESX and ESXi updates to third party libraries
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: vulnerability
Reference(s): CVE-2013-0169
Version: 4
Platform(s): VMWare ESX Server 4.1
VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21079
 
Oval ID: oval:org.mitre.oval:def:21079
Title: RHSA-2013:0587: openssl security update (Moderate)
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: patch
Reference(s): RHSA-2013:0587-01
CESA-2013:0587
CVE-2012-4929
CVE-2013-0166
CVE-2013-0169
Version: 45
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23489
 
Oval ID: oval:org.mitre.oval:def:23489
Title: DEPRECATED: ELSA-2013:0587: openssl security update (Moderate)
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: patch
Reference(s): ELSA-2013:0587-01
CVE-2012-4929
CVE-2013-0166
CVE-2013-0169
Version: 18
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23909
 
Oval ID: oval:org.mitre.oval:def:23909
Title: ELSA-2013:0587: openssl security update (Moderate)
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: unix Class: patch
Reference(s): ELSA-2013:0587-01
CVE-2012-4929
CVE-2013-0166
CVE-2013-0169
Version: 17
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24405
 
Oval ID: oval:org.mitre.oval:def:24405
Title: Vulnerability in the TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0169
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24756
 
Oval ID: oval:org.mitre.oval:def:24756
Title: OpenSSL vulnerability before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d, allows remote OCSP servers to cause a denial of service
Description: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0166
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24938
 
Oval ID: oval:org.mitre.oval:def:24938
Title: OpenSSL vulnerability before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d, allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks
Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Family: windows Class: vulnerability
Reference(s): CVE-2013-0169
Version: 4
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25236
 
Oval ID: oval:org.mitre.oval:def:25236
Title: SUSE-SU-2013:0701-2 -- Security update for java-1_6_0-ibm
Description: IBM Java 6 was updated to SR13 FP1, fixing bugs and security issues.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0701-2
CVE-2013-0485
CVE-2013-0809
CVE-2013-1493
CVE-2013-0169
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 10
Product(s): java-1_6_0-ibm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25357
 
Oval ID: oval:org.mitre.oval:def:25357
Title: SUSE-SU-2013:0549-3 -- Security update for OpenSSL
Description: OpenSSL has been updated to fix several security issues: * CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL compression by default. Setting the environment variable "OPENSSL_NO_DEFAULT_ZLIB" to "no" enables compression again. * CVE-2013-0169: Timing attacks against TLS could be used by physically local attackers to gain access to transmitted plain text or private keymaterial. This issue is also known as the "Lucky-13" issue. * CVE-2013-0166: A OCSP invalid key denial of service issue was fixed.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0549-3
CVE-2012-4929
CVE-2013-0169
CVE-2013-0166
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25811
 
Oval ID: oval:org.mitre.oval:def:25811
Title: SUSE-SU-2013:0701-1 -- Security update for java-1_7_0-ibm
Description: IBM Java 7 was updated to SR4-FP1, fixing bugs and security issues.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0701-1
CVE-2013-0485
CVE-2013-0809
CVE-2013-1493
CVE-2013-0169
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): java-1_7_0-ibm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25849
 
Oval ID: oval:org.mitre.oval:def:25849
Title: SUSE-SU-2013:0549-2 -- Security update for OpenSSL
Description: OpenSSL has been updated to fix several security issues: * CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL compression by default. Setting the environment variable "OPENSSL_NO_DEFAULT_ZLIB" to "no" enables compression again. * CVE-2013-0169: Timing attacks against TLS could be used by physically local attackers to gain access to transmitted plain text or private keymaterial. This issue is also known as the "Lucky-13" issue. * CVE-2013-0166: A OCSP invalid key denial of service issue was fixed.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0549-2
CVE-2012-4929
CVE-2013-0169
CVE-2013-0166
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25900
 
Oval ID: oval:org.mitre.oval:def:25900
Title: SUSE-SU-2013:0554-1 -- Security update for OpenSSL
Description: OpenSSL has been updated to fix several security issues: * CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL compression by default. Setting the environment variable "OPENSSL_NO_DEFAULT_ZLIB" to "no" enables compression again. Please note that openssl on SUSE Linux Enterprise 10 is not built with compression support. * CVE-2013-0169: Timing attacks against TLS could be used by physically local attackers to gain access to transmitted plain text or private keymaterial. This issue is also known as the "Lucky-13" issue. * CVE-2013-0166: A OCSP invalid key denial of service issue was fixed.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0554-1
CVE-2012-4929
CVE-2013-0169
CVE-2013-0166
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 10
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26011
 
Oval ID: oval:org.mitre.oval:def:26011
Title: SUSE-SU-2013:0549-1 -- Security update for OpenSSL
Description: OpenSSL has been updated to fix several security issues: * CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL compression by default. Setting the environment variable "OPENSSL_NO_DEFAULT_ZLIB" to "no" enables compression again. * CVE-2013-0169: Timing attacks against TLS could be used by physically local attackers to gain access to transmitted plain text or private keymaterial. This issue is also known as the "Lucky-13" issue. * CVE-2013-0166: A OCSP invalid key denial of service issue was fixed.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0549-1
CVE-2012-4929
CVE-2013-0169
CVE-2013-0166
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26214
 
Oval ID: oval:org.mitre.oval:def:26214
Title: SUSE-SU-2013:0328-1 -- Security update for Java
Description: java-1_6_0-openjdk has been updated to IcedTea 1.12.3 (bnc#804654) which contains security and bugfixes: * Security fixes o S8006446: Restrict MBeanServer access (CVE-2013-1486) o S8006777: Improve TLS handling of invalid messages Lucky 13 (CVE-2013-0169) o S8007688: Blacklist known bad certificate (issued by DigiCert) * Backports o S8007393: Possible race condition after JDK-6664509 o S8007611: logging behavior in applet changed * Bug fixes o PR1319: Support GIF lib v5.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0328-1
CVE-2013-1486
CVE-2013-0169
Version: 3
Platform(s): SUSE Linux Enterprise Desktop 11
Product(s): Java
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27551
 
Oval ID: oval:org.mitre.oval:def:27551
Title: DEPRECATED: ELSA-2013-0275 -- java-1.7.0-openjdk security update (important)
Description: [1.7.0.9-2.3.7.1.0.2.el6_3] - Increase release number and rebuild. [1.7.0.9-2.3.7.1.0.1.el6_3] - Update DISTRO_NAME in specfile [1.7.0.9-2.3.7.1.el6_3] - Updated main source tarball - Resolves: rhbz#911529 [1.7.0.9-2.3.7.0.el6_3] - Removed patch1000 sec-2013-02-01-8005615.patch - Removed patch1001 sec-2013-02-01-8005615-sync_with_jdk7u.patch - Removed patch1010 sec-2013-02-01-7201064.patch - Removed testing - mauve was outdated and - jtreg was icedtea relict - Updated to icedtea 2.3.7 - Added java -Xshare:dump to post (see 513605) fo jitarchs - Resolves: rhbz#911529
Family: unix Class: patch
Reference(s): ELSA-2013-0275
CVE-2013-1485
CVE-2013-1484
CVE-2013-1486
CVE-2013-0169
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): java-1.7.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27605
 
Oval ID: oval:org.mitre.oval:def:27605
Title: DEPRECATED: ELSA-2013-0587 -- openssl security update (moderate)
Description: [1.0.0-27.2] - fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589) - fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052) - enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB environment variable is set (fixes CVE-2012-4929 #857051) - use __secure_getenv() everywhere instead of getenv() (#839735)
Family: unix Class: patch
Reference(s): ELSA-2013-0587
CVE-2013-0166
CVE-2012-4929
CVE-2013-0169
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): openssl
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 322
Application 47
Application 22
Application 3

Information Assurance Vulnerability Management (IAVM)

Date Description
2013-10-17 IAVM : 2013-A-0199 - Multiple Vulnerabilities in Oracle Fusion Middleware
Severity : Category I - VMSKEY : V0040786
2013-09-19 IAVM : 2013-A-0181 - Multiple Vulnerabilities in Junos Pulse Secure Access Service (IVE)
Severity : Category I - VMSKEY : V0040371
2013-09-19 IAVM : 2013-A-0180 - Multiple Vulnerabilities in Juniper Networks Junos Pulse Access Service Acces...
Severity : Category I - VMSKEY : V0040372
2013-09-19 IAVM : 2013-A-0179 - Apple Mac OS X Security Update 2013-004
Severity : Category I - VMSKEY : V0040373
2013-04-11 IAVM : 2013-A-0077 - Multiple Vulnerabilities in OpenSSL
Severity : Category I - VMSKEY : V0037605

Snort® IPS/IDS

Date Description
2014-01-10 SSLv3 plaintext recovery attempt
RuleID : 25828 - Revision : 4 - Type : SERVER-OTHER
2014-01-10 TLSv1.2 plaintext recovery attempt
RuleID : 25827 - Revision : 4 - Type : SERVER-OTHER
2014-01-10 TLSv1.1 plaintext recovery attempt
RuleID : 25826 - Revision : 4 - Type : SERVER-OTHER
2014-01-10 TLSv1.0 plaintext recovery attempt
RuleID : 25825 - Revision : 4 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2018-09-27 Name : The remote Debian host is missing a security update.
File : debian_DLA-1518.nasl - Type : ACT_GATHER_INFO
2016-11-21 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL93600123.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-294.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote VMware ESX / ESXi host is missing a security-related patch.
File : vmware_esx_VMSA-2013-0009_remote.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_gnutls_20130924.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_nss_20140809.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_openssl_20130716.nasl - Type : ACT_GATHER_INFO
2015-01-13 Name : The remote host has a library installed that is affected by an information di...
File : tivoli_directory_svr_swg21638270.nasl - Type : ACT_GATHER_INFO
2014-12-22 Name : The remote device is affected by multiple vulnerabilities.
File : juniper_space_jsa10659.nasl - Type : ACT_GATHER_INFO
2014-12-05 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_compat-openssl097g-141202.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0007.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0008.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2013-0636.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1455.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1456.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0416.nasl - Type : ACT_GATHER_INFO
2014-10-10 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL14190.nasl - Type : ACT_GATHER_INFO
2014-10-10 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL14261.nasl - Type : ACT_GATHER_INFO
2014-10-10 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15630.nasl - Type : ACT_GATHER_INFO
2014-10-10 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15637.nasl - Type : ACT_GATHER_INFO
2014-08-22 Name : The remote host is affected by multiple vulnerabilities.
File : juniper_nsm_jsa10642.nasl - Type : ACT_GATHER_INFO
2014-08-11 Name : The remote backup service is affected by multiple vulnerabilities.
File : ibm_tsm_server_5_5_x.nasl - Type : ACT_GATHER_INFO
2014-08-11 Name : The remote backup service is affected by multiple vulnerabilities.
File : ibm_tsm_server_6_1_x.nasl - Type : ACT_GATHER_INFO
2014-08-11 Name : The remote backup service is affected by multiple vulnerabilities.
File : ibm_tsm_server_6_2_6_0.nasl - Type : ACT_GATHER_INFO
2014-08-11 Name : The remote backup service is affected by an information disclosure vulnerabil...
File : ibm_tsm_server_6_3_4_200.nasl - Type : ACT_GATHER_INFO
2014-07-14 Name : The remote mail server is affected by an information disclosure vulnerability.
File : ipswitch_imail_12_3.nasl - Type : ACT_GATHER_INFO
2014-06-30 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201406-32.nasl - Type : ACT_GATHER_INFO
2014-06-18 Name : The remote database server is affected by multiple vulnerabilities.
File : db2_101fp3a.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-153.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-154.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-164.nasl - Type : ACT_GATHER_INFO
2014-04-16 Name : The remote AIX host is running a vulnerable version of OpenSSL.
File : aix_openssl_advisory5.nasl - Type : ACT_GATHER_INFO
2014-01-27 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201401-30.nasl - Type : ACT_GATHER_INFO
2014-01-20 Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities.
File : vmware_esxi_5_1_build_1483097_remote.nasl - Type : ACT_GATHER_INFO
2013-12-18 Name : The remote database server is affected by multiple vulnerabilities.
File : db2_97fp9.nasl - Type : ACT_GATHER_INFO
2013-12-03 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201312-03.nasl - Type : ACT_GATHER_INFO
2013-11-13 Name : The remote VMware ESXi 5.0 host is affected by multiple security vulnerabilit...
File : vmware_esxi_5_0_build_1311177_remote.nasl - Type : ACT_GATHER_INFO
2013-10-18 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201310-10.nasl - Type : ACT_GATHER_INFO
2013-10-16 Name : The remote database server is affected by multiple vulnerabilities.
File : oracle_rdbms_cpu_oct_2013.nasl - Type : ACT_GATHER_INFO
2013-09-20 Name : The remote application server may be affected by multiple vulnerabilities.
File : websphere_6_1_0_47.nasl - Type : ACT_GATHER_INFO
2013-09-19 Name : The remote device is missing a vendor-supplied security patch.
File : junos_pulse_jsa10591.nasl - Type : ACT_GATHER_INFO
2013-09-13 Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_10_8_5.nasl - Type : ACT_GATHER_INFO
2013-09-13 Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2013-004.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-162.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-163.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-171.nasl - Type : ACT_GATHER_INFO
2013-08-23 Name : The remote application server may be affected by multiple vulnerabilities.
File : websphere_8_0_0_7.nasl - Type : ACT_GATHER_INFO
2013-08-02 Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2013-0009.nasl - Type : ACT_GATHER_INFO
2013-07-23 Name : The remote application server may be affected by multiple vulnerabilities.
File : websphere_8_5_5.nasl - Type : ACT_GATHER_INFO
2013-07-19 Name : The remote application server is potentially affected by multiple vulnerabili...
File : websphere_7_0_0_29.nasl - Type : ACT_GATHER_INFO
2013-07-16 Name : The remote device is missing a vendor-supplied security patch.
File : juniper_jsa10575.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-0273.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-0274.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-0275.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-0587.nasl - Type : ACT_GATHER_INFO
2013-07-10 Name : The remote host has a library installed that is affected by an information di...
File : ibm_gskit_swg21638270.nasl - Type : ACT_GATHER_INFO
2013-06-24 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2013-0833.nasl - Type : ACT_GATHER_INFO
2013-06-06 Name : The remote web server contains an application that is affected by multiple vu...
File : splunk_503.nasl - Type : ACT_GATHER_INFO
2013-05-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0855.nasl - Type : ACT_GATHER_INFO
2013-05-15 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0822.nasl - Type : ACT_GATHER_INFO
2013-05-15 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0823.nasl - Type : ACT_GATHER_INFO
2013-05-10 Name : The remote application server may be affected by multiple vulnerabilities.
File : websphere_8_0_0_6.nasl - Type : ACT_GATHER_INFO
2013-05-10 Name : The remote application server may be affected by multiple vulnerabilities.
File : websphere_8_5_0_2.nasl - Type : ACT_GATHER_INFO
2013-04-30 Name : The remote host is affected by multiple vulnerabilities.
File : ibm_tem_8_2_1372.nasl - Type : ACT_GATHER_INFO
2013-04-24 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_java-1_6_0-ibm-130416.nasl - Type : ACT_GATHER_INFO
2013-04-24 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_java-1_6_0-ibm-8544.nasl - Type : ACT_GATHER_INFO
2013-04-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-050.nasl - Type : ACT_GATHER_INFO
2013-04-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-052.nasl - Type : ACT_GATHER_INFO
2013-04-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-095.nasl - Type : ACT_GATHER_INFO
2013-04-19 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_java-1_7_0-ibm-130415.nasl - Type : ACT_GATHER_INFO
2013-04-08 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_69bfc8529bd011e2a7be8c705af55518.nasl - Type : ACT_GATHER_INFO
2013-04-03 Name : The remote Fedora host is missing a security update.
File : fedora_2013-4403.nasl - Type : ACT_GATHER_INFO
2013-03-28 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libopenssl-devel-130325.nasl - Type : ACT_GATHER_INFO
2013-03-28 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-8517.nasl - Type : ACT_GATHER_INFO
2013-03-26 Name : The remote Windows host contains a program that is affected by multiple vulne...
File : stunnel_4_55.nasl - Type : ACT_GATHER_INFO
2013-03-26 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1732-3.nasl - Type : ACT_GATHER_INFO
2013-03-08 Name : The remote Fedora host is missing a security update.
File : fedora_2013-2793.nasl - Type : ACT_GATHER_INFO
2013-03-07 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-0587.nasl - Type : ACT_GATHER_INFO
2013-03-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0587.nasl - Type : ACT_GATHER_INFO
2013-03-05 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130304_openssl_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-03-04 Name : The remote Fedora host is missing a security update.
File : fedora_2013-2834.nasl - Type : ACT_GATHER_INFO
2013-03-01 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1732-2.nasl - Type : ACT_GATHER_INFO
2013-02-27 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-0274.nasl - Type : ACT_GATHER_INFO
2013-02-24 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-014.nasl - Type : ACT_GATHER_INFO
2013-02-24 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_java-1_6_0-openjdk-130221.nasl - Type : ACT_GATHER_INFO
2013-02-22 Name : The remote Unix host contains a programming platform that is potentially affe...
File : oracle_java_cpu_feb_2013_1_unix.nasl - Type : ACT_GATHER_INFO
2013-02-22 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1732-1.nasl - Type : ACT_GATHER_INFO
2013-02-22 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1735-1.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-0273.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-0275.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote Windows host contains a programming platform that is potentially a...
File : oracle_java_cpu_feb_2013_1.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0273.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0274.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0275.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0531.nasl - Type : ACT_GATHER_INFO
2013-02-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0532.nasl - Type : ACT_GATHER_INFO
2013-02-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2621.nasl - Type : ACT_GATHER_INFO
2013-02-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2622.nasl - Type : ACT_GATHER_INFO
2013-02-13 Name : The remote service may be affected by an information disclosure vulnerability.
File : openssl_1_0_1e.nasl - Type : ACT_GATHER_INFO
2013-02-11 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2013-040-01.nasl - Type : ACT_GATHER_INFO
2013-02-09 Name : The remote host may be affected by multiple vulnerabilities.
File : openssl_0_9_8y.nasl - Type : ACT_GATHER_INFO
2013-02-09 Name : The remote host may be affected by multiple vulnerabilities.
File : openssl_1_0_0k.nasl - Type : ACT_GATHER_INFO
2013-02-09 Name : The remote host may be affected by multiple vulnerabilities.
File : openssl_1_0_1d.nasl - Type : ACT_GATHER_INFO
2013-02-07 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_00b0d8cd709711e298d9003067c2616f.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2013-03-22 17:17:31
  • First insertion