Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title - VMware vSphere product updates address security vulnerabilities
Informations
Name VMSA-2014-0012 First vendor Publication 2014-12-04
Vendor VMware Last vendor Modification 2015-01-27
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

a. VMware vCSA cross-site scripting vulnerability

VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page.

VMware would like to thank Tanya Secker of Trustwave SpiderLabs for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3797 to this issue.

b. vCenter Server certificate validation issue

vCenter Server does not properly validate the presented certificate when establishing a connection to a CIM Server residing on an ESXi host. This may allow for a Man-in-the-middle attack against the CIM service.

VMware would like to thank The Google Security Team for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-8371 to this issue.

c. Update to ESXi libxml2 package

libxml2 is updated to address multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-2877 and CVE-2014-0191 to these issues.

d. Update to ESXi Curl package

Curl is updated to address multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0015 and CVE-2014-0138 to these issues.

e. Update to ESXi Python package

Python is updated to address multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-1752 and CVE-2013-4238 to these issues.

f. vCenter and Update Manager, Oracle JRE 1.6 Update 81

Oracle has documented the CVE identifiers that are addressed in JRE 1.6.0 update 81 in the Oracle Java SE Critical Patch Update Advisory of July 2014. The References section provides a link to this advisory.

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2014-0012.html

CWE : Common Weakness Enumeration

% Id Name
26 % CWE-20 Improper Input Validation
18 % CWE-310 Cryptographic Issues
13 % CWE-189 Numeric Errors (CWE/SANS Top 25)
10 % CWE-264 Permissions, Privileges, and Access Controls
10 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
5 % CWE-362 Race Condition
5 % CWE-326 Inadequate Encryption Strength
5 % CWE-287 Improper Authentication
5 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
3 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:16887
 
Oval ID: oval:org.mitre.oval:def:16887
Title: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier; the Oracle JRockit component in Oracle Fusion Middleware R27.7.5 and earlier and R28.2.7 and earlier; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June and July 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass verification of XML signatures via vectors related to a "Missing check for [a] valid DOMCanonicalizationMethod canonicalization algorithm."
Family: windows Class: vulnerability
Reference(s): CVE-2013-2461
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18127
 
Oval ID: oval:org.mitre.oval:def:18127
Title: USN-1763-1 -- nss vulnerability
Description: NSS could be made to expose sensitive information over the network.
Family: unix Class: patch
Reference(s): USN-1763-1
CVE-2013-1620
Version: 7
Platform(s): Ubuntu 12.10
Ubuntu 12.04
Ubuntu 11.10
Ubuntu 10.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18320
 
Oval ID: oval:org.mitre.oval:def:18320
Title: USN-1904-2 -- libxml2 regression
Description: USN-1904-1 introduced a regression in libxml2.
Family: unix Class: patch
Reference(s): USN-1904-2
CVE-2013-0339
CVE-2013-2877
Version: 7
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18347
 
Oval ID: oval:org.mitre.oval:def:18347
Title: USN-1904-1 -- libxml2 vulnerabilities
Description: Several security issues were fixed in libxml2.
Family: unix Class: patch
Reference(s): USN-1904-1
CVE-2013-0339
CVE-2013-2877
Version: 7
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18405
 
Oval ID: oval:org.mitre.oval:def:18405
Title: USN-1983-1 -- python2.7 vulnerabilities
Description: Several security issues were fixed in Python.
Family: unix Class: patch
Reference(s): USN-1983-1
CVE-2013-2099
CVE-2013-4238
Version: 5
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Product(s): python2.7
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18739
 
Oval ID: oval:org.mitre.oval:def:18739
Title: USN-1984-1 -- python3.2 vulnerabilities
Description: Several security issues were fixed in Python.
Family: unix Class: patch
Reference(s): USN-1984-1
CVE-2013-2099
CVE-2013-4238
Version: 5
Platform(s): Ubuntu 12.10
Ubuntu 12.04
Product(s): python3.2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19140
 
Oval ID: oval:org.mitre.oval:def:19140
Title: DSA-2800-1 nss - buffer overflow
Description: Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code.
Family: unix Class: patch
Reference(s): DSA-2800-1
CVE-2013-5605
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19254
 
Oval ID: oval:org.mitre.oval:def:19254
Title: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.
Description: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1739
Version: 15
Platform(s): Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla SeaMonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19336
 
Oval ID: oval:org.mitre.oval:def:19336
Title: USN-1982-1 -- python2.6 vulnerability
Description: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
Family: unix Class: patch
Reference(s): USN-1982-1
CVE-2013-4238
Version: 5
Platform(s): Ubuntu 10.04
Product(s): python2.6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19393
 
Oval ID: oval:org.mitre.oval:def:19393
Title: CERT_VerifyCert can SECSuccess for bad certificates
Description: The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.
Family: windows Class: vulnerability
Reference(s): CVE-2013-5606
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19404
 
Oval ID: oval:org.mitre.oval:def:19404
Title: USN-1985-1 -- python3.3 vulnerabilities
Description: Several security issues were fixed in Python.
Family: unix Class: patch
Reference(s): USN-1985-1
CVE-2013-2099
CVE-2013-4238
Version: 5
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Product(s): python3.3
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19523
 
Oval ID: oval:org.mitre.oval:def:19523
Title: DSA-2790-1 nss - uninitialised memory read
Description: A flaw was found in the way the Mozilla Network Security Service library (nss) read uninitialised data when there was a decryption failure. A remote attacker could use this flaw to cause a denial of service (application crash) for applications linked with the nss library.
Family: unix Class: patch
Reference(s): DSA-2790-1
CVE-2013-1739
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19530
 
Oval ID: oval:org.mitre.oval:def:19530
Title: Integer truncation in certificate parsing
Description: Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1741
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19565
 
Oval ID: oval:org.mitre.oval:def:19565
Title: HP-UX Running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier; the Oracle JRockit component in Oracle Fusion Middleware R27.7.5 and earlier and R28.2.7 and earlier; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June and July 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass verification of XML signatures via vectors related to a "Missing check for [a] valid DOMCanonicalizationMethod canonicalization algorithm."
Family: unix Class: vulnerability
Reference(s): CVE-2013-2461
Version: 12
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19582
 
Oval ID: oval:org.mitre.oval:def:19582
Title: HP-UX Running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier; the Oracle JRockit component in Oracle Fusion Middleware R27.7.5 and earlier and R28.2.7 and earlier; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June and July 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass verification of XML signatures via vectors related to a "Missing check for [a] valid DOMCanonicalizationMethod canonicalization algorithm."
Family: unix Class: vulnerability
Reference(s): CVE-2013-2461
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19731
 
Oval ID: oval:org.mitre.oval:def:19731
Title: Null Cipher buffer overflow
Description: Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets.
Family: windows Class: vulnerability
Reference(s): CVE-2013-5605
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19770
 
Oval ID: oval:org.mitre.oval:def:19770
Title: USN-2030-1 -- nss vulnerabilities
Description: Several security issues were fixed in NSS.
Family: unix Class: patch
Reference(s): USN-2030-1
CVE-2013-1739
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19833
 
Oval ID: oval:org.mitre.oval:def:19833
Title: USN-2028-1 -- libxml-security-java vulnerability
Description: Apache XML Security for Java could be tricked into validating spoofed signatures.
Family: unix Class: patch
Reference(s): USN-2028-1
CVE-2013-2172
Version: 5
Platform(s): Ubuntu 10.04
Product(s): libxml-security-java
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20088
 
Oval ID: oval:org.mitre.oval:def:20088
Title: DSA-2779-1 libxml2 - denial of service
Description: Aki Helin of OUSPG discovered many out-of-bounds read issues in libxml2, the GNOME project's XML parser library, which can lead to denial of service issues when handling XML documents that end abruptly.
Family: unix Class: patch
Reference(s): DSA-2779-1
CVE-2013-2877
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20626
 
Oval ID: oval:org.mitre.oval:def:20626
Title: RHSA-2013:1582: python security, bug fix, and enhancement update (Moderate)
Description: The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Family: unix Class: patch
Reference(s): RHSA-2013:1582-02
CESA-2013:1582
CVE-2013-4238
Version: 4
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): python
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21084
 
Oval ID: oval:org.mitre.oval:def:21084
Title: RHSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate)
Description: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Family: unix Class: patch
Reference(s): RHSA-2013:1135-00
CESA-2013:1135
CVE-2013-0791
CVE-2013-1620
Version: 31
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21177
 
Oval ID: oval:org.mitre.oval:def:21177
Title: RHSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate)
Description: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Family: unix Class: patch
Reference(s): RHSA-2013:1144-00
CESA-2013:1144
CVE-2013-0791
CVE-2013-1620
Version: 31
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): nspr
nss
nss-softokn
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21330
 
Oval ID: oval:org.mitre.oval:def:21330
Title: DSA-2833-1 openssl - several
Description: Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support was susceptible to denial of service and retransmission of DTLS messages was fixed. In addition this update disables the insecure Dual_EC_DRBG algorithm (which was unused anyway, see<a href="http://marc.info/?l=openssl-announce&amp;m=138747119822324&amp;w=2">http://marc.info/?l=openssl-announce&amp;m=138747119822324&amp;w=2</a> for further information) and no longer uses the RdRand feature available on some Intel CPUs as a sole source of entropy unless explicitly requested.
Family: unix Class: patch
Reference(s): DSA-2833-1
CVE-2013-6449
CVE-2013-6450
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21337
 
Oval ID: oval:org.mitre.oval:def:21337
Title: USN-2079-1 -- openssl vulnerabilities
Description: Several security issues were fixed in OpenSSL.
Family: unix Class: patch
Reference(s): USN-2079-1
CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22018
 
Oval ID: oval:org.mitre.oval:def:22018
Title: RHSA-2014:0015: openssl security update (Important)
Description: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Family: unix Class: patch
Reference(s): RHSA-2014:0015-00
CESA-2014:0015
CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
Version: 44
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22111
 
Oval ID: oval:org.mitre.oval:def:22111
Title: DSA-2856-1 libcommons-fileupload-java - CVE-2014-0050
Description: It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition.
Family: unix Class: patch
Reference(s): DSA-2856-1
CVE-2014-0050
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): libcommons-fileupload-java
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22174
 
Oval ID: oval:org.mitre.oval:def:22174
Title: AIX OpenSSH Vulnerability
Description: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Family: unix Class: vulnerability
Reference(s): CVE-2013-6449
Version: 4
Platform(s): IBM AIX 5.3
IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22180
 
Oval ID: oval:org.mitre.oval:def:22180
Title: Unspecified vulnerability in the Network Layer component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Description: Unspecified vulnerability in the Network Layer component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3, and 12.1.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2013-3774
Version: 4
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Oracle Database Server
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22209
 
Oval ID: oval:org.mitre.oval:def:22209
Title: USN-2097-1 -- curl vulnerability
Description: libcurl could be made to expose sensitive information.
Family: unix Class: patch
Reference(s): USN-2097-1
CVE-2014-0015
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22401
 
Oval ID: oval:org.mitre.oval:def:22401
Title: USN-2088-1 -- nss vulnerability
Description: NSS could be made to expose sensitive information over the network.
Family: unix Class: patch
Reference(s): USN-2088-1
CVE-2013-1740
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22411
 
Oval ID: oval:org.mitre.oval:def:22411
Title: Unspecified vulnerability in the XML Parser component in Oracle Database Server 11.2.0.2 and 11.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
Description: Unspecified vulnerability in the XML Parser component in Oracle Database Server 11.2.0.2, 11.2.0.3, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
Family: windows Class: vulnerability
Reference(s): CVE-2013-3751
Version: 4
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Oracle Database Server
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22425
 
Oval ID: oval:org.mitre.oval:def:22425
Title: DSA-2849-1 curl - information disclosure
Description: Paras Sethia discovered that libcurl, a client-side URL transfer library, would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user.
Family: unix Class: patch
Reference(s): DSA-2849-1
CVE-2014-0015
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22486
 
Oval ID: oval:org.mitre.oval:def:22486
Title: DSA-2858-1 iceweasel - several
Description: Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, too-verbose error messages and missing permission checks may lead to the execution of arbitrary code, the bypass of security checks or information disclosure. This update also addresses security issues in the bundled version of the NSS crypto library.
Family: unix Class: patch
Reference(s): DSA-2858-1
CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
CVE-2014-1490
CVE-2014-1491
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): iceweasel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22518
 
Oval ID: oval:org.mitre.oval:def:22518
Title: AIX OpenSSH Vulnerability
Description: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Family: unix Class: vulnerability
Reference(s): CVE-2013-6450
Version: 4
Platform(s): IBM AIX 5.3
IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22788
 
Oval ID: oval:org.mitre.oval:def:22788
Title: ELSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate)
Description: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Family: unix Class: patch
Reference(s): ELSA-2013:1135-00
CVE-2013-0791
CVE-2013-1620
Version: 13
Platform(s): Oracle Linux 5
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23810
 
Oval ID: oval:org.mitre.oval:def:23810
Title: USN-2152-1 -- apache2 vulnerabilities
Description: Apache HTTP server could be made to crash if it received specially crafted network traffic.
Family: unix Class: patch
Reference(s): USN-2152-1
CVE-2013-6438
CVE-2014-0098
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): apache2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23812
 
Oval ID: oval:org.mitre.oval:def:23812
Title: DEPRECATED: ELSA-2014:0376: openssl security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160) Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Neel Mehta of Google Security as the original reporter. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): ELSA-2014:0376-00
CVE-2014-0160
Version: 4
Platform(s): Oracle Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23996
 
Oval ID: oval:org.mitre.oval:def:23996
Title: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24 does not properly restrict public values in Diffie-Hellman key exchanges
Description: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1491
Version: 12
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24046
 
Oval ID: oval:org.mitre.oval:def:24046
Title: DEPRECATED: ELSA-2014:0246: gnutls security update (Important)
Description: The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker. (CVE-2014-0092) The CVE-2014-0092 issue was discovered by Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team. Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.
Family: unix Class: patch
Reference(s): ELSA-2014:0246-01
CVE-2014-0096
Version: 6
Platform(s): Oracle Linux 6
Product(s): gnutls
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24049
 
Oval ID: oval:org.mitre.oval:def:24049
Title: RHSA-2014:0626: openssl097a and openssl098e security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): RHSA-2014:0626-00
CESA-2014:0626
CVE-2014-0224
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): openssl097a
openssl098e
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24067
 
Oval ID: oval:org.mitre.oval:def:24067
Title: RHSA-2014:0370: httpd security update (Moderate)
Description: The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
Family: unix Class: patch
Reference(s): RHSA-2014:0370-00
CESA-2014:0370
CVE-2013-6438
CVE-2014-0098
Version: 5
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): httpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24101
 
Oval ID: oval:org.mitre.oval:def:24101
Title: Apache HTTP vulnerability before 2.2.27 or before 2.4.8 in VisualSVN Server (CVE-2014-0098)
Description: The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
Family: windows Class: vulnerability
Reference(s): CVE-2014-0098
Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): VisualSVN Server
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24119
 
Oval ID: oval:org.mitre.oval:def:24119
Title: ELSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate)
Description: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Family: unix Class: patch
Reference(s): ELSA-2013:1144-00
CVE-2013-0791
CVE-2013-1620
Version: 13
Platform(s): Oracle Linux 6
Product(s): nspr
nss
nss-softokn
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24135
 
Oval ID: oval:org.mitre.oval:def:24135
Title: AIX OpenSSL DTLS invalid fragment vulnerability
Description: The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
Family: unix Class: vulnerability
Reference(s): CVE-2014-0195
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24168
 
Oval ID: oval:org.mitre.oval:def:24168
Title: Vulnerability in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f, might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash)
Description: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Family: windows Class: vulnerability
Reference(s): CVE-2013-6450
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24182
 
Oval ID: oval:org.mitre.oval:def:24182
Title: ELSA-2014:0015: openssl security update (Important)
Description: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Family: unix Class: patch
Reference(s): ELSA-2014:0015-00
CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
Version: 17
Platform(s): Oracle Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24190
 
Oval ID: oval:org.mitre.oval:def:24190
Title: ELSA-2013:1582: python security, bug fix, and enhancement update (Moderate)
Description: The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Family: unix Class: patch
Reference(s): ELSA-2013:1582-02
CVE-2013-4238
Version: 6
Platform(s): Oracle Linux 6
Product(s): python
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24194
 
Oval ID: oval:org.mitre.oval:def:24194
Title: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket
Description: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1490
Version: 12
Platform(s): Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Product(s): Mozilla Firefox
Mozilla Firefox ESR
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24241
 
Oval ID: oval:org.mitre.oval:def:24241
Title: The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read
Description: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Family: windows Class: vulnerability
Reference(s): CVE-2014-0160
Version: 10
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows Server 2012
Microsoft Windows 8.1
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24283
 
Oval ID: oval:org.mitre.oval:def:24283
Title: Apache HTTP vulnerability before 2.2.27 or before 2.4.8 in VisualSVN Server (CVE-2013-6438)
Description: The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
Family: windows Class: vulnerability
Reference(s): CVE-2013-6438
Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): VisualSVN Server
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24301
 
Oval ID: oval:org.mitre.oval:def:24301
Title: Vulnerability in OpenSSL 0.9.8 - 0.9.8za, 1.0.0 - 1.0.0m and 1.0.1 - 1.0.1h, allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash)
Description: The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
Family: windows Class: vulnerability
Reference(s): CVE-2014-0195
Version: 4
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24324
 
Oval ID: oval:org.mitre.oval:def:24324
Title: ELSA-2014:0376: openssl security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160) Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Neel Mehta of Google Security as the original reporter. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): ELSA-2014:0376-00
CESA-2014:0160
CVE-2014-0160
Version: 9
Platform(s): Oracle Linux 6
CentOS Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24331
 
Oval ID: oval:org.mitre.oval:def:24331
Title: ELSA-2014:0369: httpd security update (Moderate)
Description: The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. It was found that the mod_dav module did not correctly strip leading white space from certain elements in a parsed XML. In certain httpd configurations that use the mod_dav module (for example when using the mod_dav_svn module), a remote attacker could send a specially crafted DAV request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2013-6438) A buffer over-read flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled (on Red Hat Enterprise Linux it is disabled by default), a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed cookie header. (CVE-2014-0098) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.
Family: unix Class: patch
Reference(s): ELSA-2014:0369-00
CVE-2013-6438
CVE-2014-0098
Version: 6
Platform(s): Oracle Linux 5
Product(s): httpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24367
 
Oval ID: oval:org.mitre.oval:def:24367
Title: USN-2130-1 -- tomcat6, tomcat7 vulnerabilities
Description: Several security issues were fixed in Tomcat.
Family: unix Class: patch
Reference(s): USN-2130-1
CVE-2013-4286
CVE-2013-4322
CVE-2014-0033
CVE-2014-0050
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): tomcat7
tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24397
 
Oval ID: oval:org.mitre.oval:def:24397
Title: Vulnerability in OpenSSL through 1.0.1g, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error)
Description: Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
Family: windows Class: vulnerability
Reference(s): CVE-2010-5298
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24407
 
Oval ID: oval:org.mitre.oval:def:24407
Title: RHSA-2014:0513: libxml2 security update (Moderate)
Description: The libxml2 library is a development toolbox providing the implementation of various XML standards. It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191) An out-of-bounds read flaw was found in the way libxml2 detected the end of an XML file. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to crash. (CVE-2013-2877) The CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat. All libxml2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0513-00
CESA-2014:0513
CVE-2013-2877
CVE-2014-0191
Version: 3
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24427
 
Oval ID: oval:org.mitre.oval:def:24427
Title: RHSA-2014:0827: tomcat security update (Moderate)
Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a Tomcat server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0827-00
CVE-2014-0075
CVE-2014-0096
CVE-2014-0099
Version: 4
Platform(s): Red Hat Enterprise Linux 7
CentOS Linux 7
Product(s): tomcat
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24440
 
Oval ID: oval:org.mitre.oval:def:24440
Title: RHSA-2014:0889: java-1.7.0-openjdk security update (Critical)
Description: The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219) A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-4223, CVE-2014-4262, CVE-2014-2483) Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4221, CVE-2014-4252, CVE-2014-4266) It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244) The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0889-00
CESA-2014:0889
CVE-2014-2483
CVE-2014-2490
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4221
CVE-2014-4223
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4266
Version: 3
Platform(s): Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
CentOS Linux 6
CentOS Linux 7
Product(s): java-1.7.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24448
 
Oval ID: oval:org.mitre.oval:def:24448
Title: USN-2232-1 -- openssl vulnerabilities
Description: Several security issues were fixed in OpenSSL.
Family: unix Class: patch
Reference(s): USN-2232-1
CVE-2014-0195
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 13.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24484
 
Oval ID: oval:org.mitre.oval:def:24484
Title: USN-2159-1 -- nss vulnerability
Description: NSS could be made to expose sensitive information over the network.
Family: unix Class: patch
Reference(s): USN-2159-1
CVE-2014-1492
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24488
 
Oval ID: oval:org.mitre.oval:def:24488
Title: RHSA-2014:0429: tomcat6 security update (Moderate)
Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286) It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322) A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050) All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0429-00
CESA-2014:0429
CVE-2013-4286
CVE-2013-4322
CVE-2014-0050
Version: 5
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24492
 
Oval ID: oval:org.mitre.oval:def:24492
Title: Remote Unauthorized Access or Disclosure of Information
Description: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Family: unix Class: vulnerability
Reference(s): CVE-2014-0224
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24499
 
Oval ID: oval:org.mitre.oval:def:24499
Title: RHSA-2014:0369: httpd security update (Moderate)
Description: The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
Family: unix Class: patch
Reference(s): RHSA-2014:0369-00
CESA-2014:0369
CVE-2013-6438
CVE-2014-0098
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): httpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24541
 
Oval ID: oval:org.mitre.oval:def:24541
Title: Incorrect IDNA domain name matching for wildcard certificates
Description: The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1492
Version: 11
Platform(s): Microsoft Windows Server 2012 R2
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows 8
Microsoft Windows Server 2008 R2
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Product(s): Mozilla Firefox
Mozilla SeaMonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24542
 
Oval ID: oval:org.mitre.oval:def:24542
Title: ELSA-2014:0370: httpd security update (Moderate)
Description: The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. It was found that the mod_dav module did not correctly strip leading white space from certain elements in a parsed XML. In certain httpd configurations that use the mod_dav module (for example when using the mod_dav_svn module), a remote attacker could send a specially crafted DAV request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2013-6438) A buffer over-read flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled (on Red Hat Enterprise Linux it is disabled by default), a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed cookie header. (CVE-2014-0098) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.
Family: unix Class: patch
Reference(s): ELSA-2014:0370-00
CVE-2013-6438
CVE-2014-0098
Version: 6
Platform(s): Oracle Linux 6
Product(s): httpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24593
 
Oval ID: oval:org.mitre.oval:def:24593
Title: Remote Unauthorized Access
Description: The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
Family: unix Class: vulnerability
Reference(s): CVE-2014-0195
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24603
 
Oval ID: oval:org.mitre.oval:def:24603
Title: Vulnerability in OpenSSL 0.9.8 - 0.9.8za, 1.0.0 - 1.0.0m and 1.0.1 - 1.0.1h, allows remote attackers to cause a denial of service (recursion and client crash)
Description: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Family: windows Class: vulnerability
Reference(s): CVE-2014-0221
Version: 4
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24614
 
Oval ID: oval:org.mitre.oval:def:24614
Title: DEPRECATED: RHSA-2014:0889: java-1.7.0-openjdk security update (Critical)
Description: The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219) A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-4223, CVE-2014-4262, CVE-2014-2483) Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4221, CVE-2014-4252, CVE-2014-4266) It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244) The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0889-00
CESA-2014:0889
CVE-2014-2483
CVE-2014-2490
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4221
CVE-2014-4223
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4266
Version: 4
Platform(s): Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
CentOS Linux 6
CentOS Linux 7
Product(s): java-1.7.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24628
 
Oval ID: oval:org.mitre.oval:def:24628
Title: USN-2232-3 -- openssl regression
Description: USN-2232-1 introduced a regression in OpenSSL.
Family: unix Class: patch
Reference(s): USN-2232-3
CVE-2014-0224
CVE-2014-0195
CVE-2014-0221
CVE-2014-3470
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 13.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24638
 
Oval ID: oval:org.mitre.oval:def:24638
Title: Race condition in the ssl3_read_bytes function in s3_pkt.c in
Description: Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
Family: unix Class: vulnerability
Reference(s): CVE-2010-5298
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24694
 
Oval ID: oval:org.mitre.oval:def:24694
Title: DSA-2980-1 -- openjdk-6 - security update
Description: Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the executionof arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.
Family: unix Class: patch
Reference(s): DSA-2980-1
CVE-2014-2490
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4266
CVE-2014-4268
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24718
 
Oval ID: oval:org.mitre.oval:def:24718
Title: RHSA-2014:0376: openssl security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160) Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Neel Mehta of Google Security as the original reporter. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): RHSA-2014:0376-00
CVE-2014-0160
CESA-2014:0376
Version: 9
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24729
 
Oval ID: oval:org.mitre.oval:def:24729
Title: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity (CVE-2014-4208)
Description: Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4220.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4208
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24735
 
Oval ID: oval:org.mitre.oval:def:24735
Title: RHSA-2014:0474: struts security update (Important)
Description: Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114) All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0474-00
CESA-2014:0474
CVE-2014-0114
Version: 3
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): struts
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24737
 
Oval ID: oval:org.mitre.oval:def:24737
Title: USN-2192-1 -- openssl vulnerabilities
Description: OpenSSL could be made to crash if it received specially crafted network traffic.
Family: unix Class: patch
Reference(s): USN-2192-1
CVE-2010-5298
CVE-2014-0198
Version: 4
Platform(s): Ubuntu 14.04
Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24762
 
Oval ID: oval:org.mitre.oval:def:24762
Title: USN-2214-1 -- libxml2 vulnerability
Description: libxml2 could be made to consume resources if it processed a specially crafted file.
Family: unix Class: patch
Reference(s): USN-2214-1
CVE-2014-0191
Version: 5
Platform(s): Ubuntu 14.04
Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24771
 
Oval ID: oval:org.mitre.oval:def:24771
Title: AIX OpenSSL SSL/TLS Man In The Middle (MITM) vulnerability
Description: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Family: unix Class: vulnerability
Reference(s): CVE-2014-0224
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24772
 
Oval ID: oval:org.mitre.oval:def:24772
Title: RHSA-2014:0624: openssl security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): RHSA-2014:0624-00
CESA-2014:0624
CVE-2014-0224
Version: 3
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24780
 
Oval ID: oval:org.mitre.oval:def:24780
Title: AIX OpenSSL Anonymous ECDH denial of service
Description: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
Family: unix Class: vulnerability
Reference(s): CVE-2014-3470
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24797
 
Oval ID: oval:org.mitre.oval:def:24797
Title: USN-2211-1 -- libxfont vulnerabilities
Description: Several security issues were fixed in libXfont.
Family: unix Class: patch
Reference(s): USN-2211-1
CVE-2014-0209
CVE-2014-0210
CVE-2014-0211
Version: 5
Platform(s): Ubuntu 14.04
Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): libxfont
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24802
 
Oval ID: oval:org.mitre.oval:def:24802
Title: RHSA-2014:0561: curl security and bug fix update (Moderate)
Description: cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP(S) with NTLM authentication, LDAP(S), SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials. (CVE-2014-0015, CVE-2014-0138) Red Hat would like to thank the cURL project for reporting these issues. Upstream acknowledges Paras Sethia as the original reporter of CVE-2014-0015 and Yehezkel Horowitz for discovering the security impact of this issue, and Steve Holme as the original reporter of CVE-2014-0138. This update also fixes the following bugs: * Previously, the libcurl library was closing a network socket without first terminating the SSL connection using the socket. This resulted in a write after close and consequent leakage of memory dynamically allocated by the SSL library. An upstream patch has been applied on libcurl to fix this bug. As a result, the write after close no longer happens, and the SSL library no longer leaks memory. (BZ#1092479) * Previously, the libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on libcurl's multi API. To fix this bug, the non-blocking SSL handshake has been implemented by libcurl. With this update, libcurl's multi API immediately returns the control back to the application whenever it cannot read/write data from/to the underlying network socket. (BZ#1092480) * Previously, the curl package could not be rebuilt from sources due to an expired cookie in the upstream test-suite, which runs during the build. An upstream patch has been applied to postpone the expiration date of the cookie, which makes it possible to rebuild the package from sources again. (BZ#1092486) * Previously, the libcurl library attempted to authenticate using Kerberos whenever such an authentication method was offered by the server. This caused problems when the server offered multiple authentication methods and Kerberos was not the selected one. An upstream patch has been applied on libcurl to fix this bug. Now libcurl no longer uses Kerberos authentication if another authentication method is selected. (BZ#1096797) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications that use libcurl have to be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0561-00
CESA-2014:0561
CVE-2014-0015
CVE-2014-0138
Version: 3
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24806
 
Oval ID: oval:org.mitre.oval:def:24806
Title: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability (CVE-2014-4262)
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4262
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24827
 
Oval ID: oval:org.mitre.oval:def:24827
Title: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality (CVE-2014-4268)
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4268
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24828
 
Oval ID: oval:org.mitre.oval:def:24828
Title: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity (CVE-2014-4218)
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4218
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24833
 
Oval ID: oval:org.mitre.oval:def:24833
Title: DSA-2940-1 libstruts1.2-java - security update
Description: The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.
Family: unix Class: patch
Reference(s): DSA-2940-1
CVE-2014-0114
Version: 3
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): libstruts1.2-java
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24843
 
Oval ID: oval:org.mitre.oval:def:24843
Title: ELSA-2014:0429: tomcat6 security update (Moderate)
Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286) It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322) A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050) All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014:0429-00
CVE-2013-4286
CVE-2013-4322
CVE-2014-0050
Version: 5
Platform(s): Oracle Linux 6
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24865
 
Oval ID: oval:org.mitre.oval:def:24865
Title: Unspecified vulnerability in the Oracle VM VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14 allows local users to affect confidentiality, integrity, and availability
Description: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2487.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4261
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): VirtualBox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24873
 
Oval ID: oval:org.mitre.oval:def:24873
Title: Unspecified vulnerability in Oracle Java SE 7u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (CVE-2014-4223)
Description: Unspecified vulnerability in Oracle Java SE 7u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-2483.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4223
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24874
 
Oval ID: oval:org.mitre.oval:def:24874
Title: DSA-2927-1 libxfont - security update
Description: Ilja van Sprundel of IOActive discovered several security issues in theX.Org libXfont library, which may allow a local, authenticated user to attempt to raise privileges; or a remote attacker who can control the font server to attempt to execute code with the privileges of the X server.
Family: unix Class: patch
Reference(s): DSA-2927-1
CVE-2014-0209
CVE-2014-0210
CVE-2014-0211
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): libxfont
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24883
 
Oval ID: oval:org.mitre.oval:def:24883
Title: RHSA-2014:0865: tomcat6 security and bug fix update (Moderate)
Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a Tomcat server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. This update also fixes the following bugs: * The patch that resolved the CVE-2014-0050 issue contained redundant code. This update removes the redundant code. (BZ#1094528) * The patch that resolved the CVE-2013-4322 issue contained an invalid check that triggered a java.io.EOFException while reading trailer headers for chunked requests. This update fixes the check and the aforementioned exception is no longer triggered in the described scenario. (BZ#1095602) All Tomcat 6 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0865-00
CESA-2014:0865
CVE-2014-0075
CVE-2014-0096
CVE-2014-0099
Version: 3
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24892
 
Oval ID: oval:org.mitre.oval:def:24892
Title: RHSA-2014:0625: openssl security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 A buffer overflow flaw was found in the way OpenSSL handled invalid DTLS packet fragments. A remote attacker could possibly use this flaw to execute arbitrary code on a DTLS client or server. (CVE-2014-0195) Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. (CVE-2010-5298, CVE-2014-0198) A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash. (CVE-2014-0221) A NULL pointer dereference flaw was found in the way OpenSSL performed anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially crafted handshake packet could cause a TLS/SSL client that has the anonymous ECDH cipher suite enabled to crash. (CVE-2014-3470) Red Hat would like to thank the OpenSSL project for reporting these issues. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of CVE-2014-0224, Jüri Aedla as the original reporter of CVE-2014-0195, Imre Rad of Search-Lab as the original reporter of CVE-2014-0221, and Felix Gröbert and Ivan Fratrić of Google as the original reporters of CVE-2014-3470. All OpenSSL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): RHSA-2014:0625-00
CESA-2014:0625
CVE-2010-5298
CVE-2014-0195
CVE-2014-0198
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
Version: 3
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24907
 
Oval ID: oval:org.mitre.oval:def:24907
Title: DSA-2978-1 -- libxml2 - security update
Description: Daniel P. Berrange discovered a denial of service vulnerability in libxml2 entity substitution.
Family: unix Class: patch
Reference(s): DSA-2978-1
CVE-2014-0191
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24927
 
Oval ID: oval:org.mitre.oval:def:24927
Title: Unspecified vulnerability in the Oracle VM VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14 allows local users to affect confidentiality
Description: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.14, when running on Windows, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-4261.
Family: windows Class: vulnerability
Reference(s): CVE-2014-2487
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): VirtualBox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24939
 
Oval ID: oval:org.mitre.oval:def:24939
Title: ELSA-2014:0474: struts security update (Important)
Description: Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114) All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014:0474-00
CVE-2014-0114
Version: 4
Platform(s): Oracle Linux 5
Product(s): struts
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24955
 
Oval ID: oval:org.mitre.oval:def:24955
Title: Vulnerability in OpenSSL 0.9.8 - 0.9.8za, 1.0.0 - 1.0.0m and 1.0.1 - 1.0.1h, allows remote attackers to cause a denial of service
Description: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Family: windows Class: vulnerability
Reference(s): CVE-2014-0224
Version: 7
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24964
 
Oval ID: oval:org.mitre.oval:def:24964
Title: DEPRECATED: RHSA-2014:0890: java-1.7.0-openjdk security update (Important)
Description: The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219) A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-4223, CVE-2014-4262, CVE-2014-2483) Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4221, CVE-2014-4252, CVE-2014-4266) It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244) The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0890-00
CESA-2014:0890
CVE-2014-2483
CVE-2014-2490
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4221
CVE-2014-4223
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4266
Version: 4
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): java-1.7.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24977
 
Oval ID: oval:org.mitre.oval:def:24977
Title: AIX OpenSSL DTLS recursion flaw
Description: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Family: unix Class: vulnerability
Reference(s): CVE-2014-0221
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24979
 
Oval ID: oval:org.mitre.oval:def:24979
Title: Unspecified vulnerability in the Oracle VM VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability
Description: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core.
Family: windows Class: vulnerability
Reference(s): CVE-2014-2477
Version: 4
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): VirtualBox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24985
 
Oval ID: oval:org.mitre.oval:def:24985
Title: Unspecified vulnerability in Oracle Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (CVE-2014-2483)
Description: Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-4223. NOTE: the previous information is from the July 2014 CPU. Oracle has not commented on another vendor's claim that the issue is related to improper restriction of the "use of privileged annotations."
Family: windows Class: vulnerability
Reference(s): CVE-2014-2483
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24987
 
Oval ID: oval:org.mitre.oval:def:24987
Title: Unspecified vulnerability in the Oracle VM VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality
Description: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality via unknown vectors related to Core.
Family: windows Class: vulnerability
Reference(s): CVE-2014-2488
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): VirtualBox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24994
 
Oval ID: oval:org.mitre.oval:def:24994
Title: Remote Denial of Service (DoS)
Description: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Family: unix Class: vulnerability
Reference(s): CVE-2014-0221
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25001
 
Oval ID: oval:org.mitre.oval:def:25001
Title: Vulnerability in OpenSSL before 1.0.2, obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash)
Description: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Family: windows Class: vulnerability
Reference(s): CVE-2013-6449
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25006
 
Oval ID: oval:org.mitre.oval:def:25006
Title: Unspecified vulnerability in the Oracle VM VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability
Description: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core.
Family: windows Class: vulnerability
Reference(s): CVE-2014-2486
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): VirtualBox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25010
 
Oval ID: oval:org.mitre.oval:def:25010
Title: RHSA-2014:0680: openssl098e security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): RHSA-2014:0680-00
CVE-2014-0224
Version: 4
Platform(s): Red Hat Enterprise Linux 7
CentOS Linux 7
Product(s): openssl098e
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25013
 
Oval ID: oval:org.mitre.oval:def:25013
Title: DEPRECATED: RHSA-2014:0865: tomcat6 security and bug fix update (Moderate)
Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a Tomcat server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. This update also fixes the following bugs: * The patch that resolved the CVE-2014-0050 issue contained redundant code. This update removes the redundant code. (BZ#1094528) * The patch that resolved the CVE-2013-4322 issue contained an invalid check that triggered a java.io.EOFException while reading trailer headers for chunked requests. This update fixes the check and the aforementioned exception is no longer triggered in the described scenario. (BZ#1095602) All Tomcat 6 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0865-00
CESA-2014:0865
CVE-2014-0075
CVE-2014-0096
CVE-2014-0099
Version: 4
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25014
 
Oval ID: oval:org.mitre.oval:def:25014
Title: RHSA-2014:0679: openssl security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 A buffer overflow flaw was found in the way OpenSSL handled invalid DTLS packet fragments. A remote attacker could possibly use this flaw to execute arbitrary code on a DTLS client or server. (CVE-2014-0195) Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. (CVE-2010-5298, CVE-2014-0198) A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash. (CVE-2014-0221) A NULL pointer dereference flaw was found in the way OpenSSL performed anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially crafted handshake packet could cause a TLS/SSL client that has the anonymous ECDH cipher suite enabled to crash. (CVE-2014-3470) Red Hat would like to thank the OpenSSL project for reporting these issues. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of CVE-2014-0224, Jüri Aedla as the original reporter of CVE-2014-0195, Imre Rad of Search-Lab as the original reporter of CVE-2014-0221, and Felix Gröbert and Ivan Fratrić of Google as the original reporters of CVE-2014-3470. All OpenSSL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): RHSA-2014:0679-00
CVE-2010-5298
CVE-2014-0195
CVE-2014-0198
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
Version: 4
Platform(s): Red Hat Enterprise Linux 7
CentOS Linux 7
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25035
 
Oval ID: oval:org.mitre.oval:def:25035
Title: AIX OpenSSL SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
Description: The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
Family: unix Class: vulnerability
Reference(s): CVE-2014-0198
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25039
 
Oval ID: oval:org.mitre.oval:def:25039
Title: Vulnerability in OpenSSL 0.9.8 - 0.9.8za, 1.0.0 - 1.0.0m and 1.0.1 - 1.0.1h, allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information
Description: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
Family: windows Class: vulnerability
Reference(s): CVE-2014-3470
Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25054
 
Oval ID: oval:org.mitre.oval:def:25054
Title: Unspecified vulnerability in the Oracle VM VirtualBox before 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability
Description: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.
Family: windows Class: vulnerability
Reference(s): CVE-2014-2489
Version: 4
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): VirtualBox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25058
 
Oval ID: oval:org.mitre.oval:def:25058
Title: Vulnerability in OpenSSL 1.x through 1.0.1g allows remote attackers to cause a denial of service
Description: The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
Family: windows Class: vulnerability
Reference(s): CVE-2014-0198
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25066
 
Oval ID: oval:org.mitre.oval:def:25066
Title: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity (CVE-2014-4263)
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement."
Family: windows Class: vulnerability
Reference(s): CVE-2014-4263
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25082
 
Oval ID: oval:org.mitre.oval:def:25082
Title: USN-2232-2 -- openssl regression
Description: USN-2232-1 introduced a regression in OpenSSL.
Family: unix Class: patch
Reference(s): USN-2232-2
CVE-2014-0224
CVE-2014-0195
CVE-2014-0221
CVE-2014-3470
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 13.10
Ubuntu 12.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25085
 
Oval ID: oval:org.mitre.oval:def:25085
Title: Remote Code Execution or Unauthorized Accesss
Description: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
Family: unix Class: vulnerability
Reference(s): CVE-2014-3470
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25092
 
Oval ID: oval:org.mitre.oval:def:25092
Title: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability (CVE-2014-4219)
Description: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4219
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25095
 
Oval ID: oval:org.mitre.oval:def:25095
Title: ELSA-2014:0624: openssl security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): ELSA-2014:0624-00
CVE-2014-0224
Version: 4
Platform(s): Oracle Linux 5
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25101
 
Oval ID: oval:org.mitre.oval:def:25101
Title: USN-2291-1 -- mysql-5.5 vulnerabilities
Description: Several security issues were fixed in MySQL.
Family: unix Class: patch
Reference(s): USN-2291-1
CVE-2014-2494
CVE-2014-4207
CVE-2014-4258
CVE-2014-4260
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Product(s): mysql-5.5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25104
 
Oval ID: oval:org.mitre.oval:def:25104
Title: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity (CVE-2014-4220)
Description: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4208.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4220
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25106
 
Oval ID: oval:org.mitre.oval:def:25106
Title: ELSA-2014:0626: openssl097a and openssl098e security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue. All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): ELSA-2014:0626-00
CVE-2014-0224
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): openssl097a
openssl098e
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25136
 
Oval ID: oval:org.mitre.oval:def:25136
Title: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity (CVE-2014-4209)
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4209
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25149
 
Oval ID: oval:org.mitre.oval:def:25149
Title: Unspecified vulnerability in Oracle Java SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability (CVE-2014-4247)
Description: Unspecified vulnerability in Oracle Java SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4247
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25154
 
Oval ID: oval:org.mitre.oval:def:25154
Title: Unspecified vulnerability in Oracle Java SE 7u60 and SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability
Description: Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Family: windows Class: vulnerability
Reference(s): CVE-2014-2490
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25160
 
Oval ID: oval:org.mitre.oval:def:25160
Title: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability (CVE-2014-4216)
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4216
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25171
 
Oval ID: oval:org.mitre.oval:def:25171
Title: ELSA-2014:0625: openssl security update (Important)
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224) Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433 A buffer overflow flaw was found in the way OpenSSL handled invalid DTLS packet fragments. A remote attacker could possibly use this flaw to execute arbitrary code on a DTLS client or server. (CVE-2014-0195) Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. (CVE-2010-5298, CVE-2014-0198) A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash. (CVE-2014-0221) A NULL pointer dereference flaw was found in the way OpenSSL performed anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially crafted handshake packet could cause a TLS/SSL client that has the anonymous ECDH cipher suite enabled to crash. (CVE-2014-3470) Red Hat would like to thank the OpenSSL project for reporting these issues. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of CVE-2014-0224, Juri Aedla as the original reporter of CVE-2014-0195, Imre Rad of Search-Lab as the original reporter of CVE-2014-0221, and Felix Grobert and Ivan Fratric of Google as the original reporters of CVE-2014-3470. All OpenSSL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted.
Family: unix Class: patch
Reference(s): ELSA-2014:0625-00
CVE-2010-5298
CVE-2014-0195
CVE-2014-0198
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
Version: 4
Platform(s): Oracle Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25175
 
Oval ID: oval:org.mitre.oval:def:25175
Title: ELSA-2014:0561: curl security and bug fix update (Moderate)
Description: cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP(S) with NTLM authentication, LDAP(S), SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials. (CVE-2014-0015, CVE-2014-0138) Red Hat would like to thank the cURL project for reporting these issues. Upstream acknowledges Paras Sethia as the original reporter of CVE-2014-0015 and Yehezkel Horowitz for discovering the security impact of this issue, and Steve Holme as the original reporter of CVE-2014-0138. This update also fixes the following bugs: * Previously, the libcurl library was closing a network socket without first terminating the SSL connection using the socket. This resulted in a write after close and consequent leakage of memory dynamically allocated by the SSL library. An upstream patch has been applied on libcurl to fix this bug. As a result, the write after close no longer happens, and the SSL library no longer leaks memory. (BZ#1092479) * Previously, the libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on libcurl's multi API. To fix this bug, the non-blocking SSL handshake has been implemented by libcurl. With this update, libcurl's multi API immediately returns the control back to the application whenever it cannot read/write data from/to the underlying network socket. (BZ#1092480) * Previously, the curl package could not be rebuilt from sources due to an expired cookie in the upstream test-suite, which runs during the build. An upstream patch has been applied to postpone the expiration date of the cookie, which makes it possible to rebuild the package from sources again. (BZ#1092486) * Previously, the libcurl library attempted to authenticate using Kerberos whenever such an authentication method was offered by the server. This caused problems when the server offered multiple authentication methods and Kerberos was not the selected one. An upstream patch has been applied on libcurl to fix this bug. Now libcurl no longer uses Kerberos authentication if another authentication method is selected. (BZ#1096797) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications that use libcurl have to be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014:0561-00
CVE-2014-0015
CVE-2014-0138
Version: 4
Platform(s): Oracle Linux 6
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25192
 
Oval ID: oval:org.mitre.oval:def:25192
Title: ELSA-2014:0513: libxml2 security update (Moderate)
Description: The libxml2 library is a development toolbox providing the implementation of various XML standards. It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191) An out-of-bounds read flaw was found in the way libxml2 detected the end of an XML file. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to crash. (CVE-2013-2877) The CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat. All libxml2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014:0513-00
CVE-2013-2877
CVE-2014-0191
Version: 4
Platform(s): Oracle Linux 6
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25202
 
Oval ID: oval:org.mitre.oval:def:25202
Title: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity (CVE-2014-4266)
Description: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Serviceability.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4266
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25203
 
Oval ID: oval:org.mitre.oval:def:25203
Title: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity (CVE-2014-4265)
Description: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4265
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25216
 
Oval ID: oval:org.mitre.oval:def:25216
Title: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect availability (CVE-2014-4264)
Description: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect availability via unknown vectors related to Security.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4264
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25224
 
Oval ID: oval:org.mitre.oval:def:25224
Title: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity (CVE-2014-4244)
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4244
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25235
 
Oval ID: oval:org.mitre.oval:def:25235
Title: Unspecified vulnerability in the Oracle VM VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability
Description: Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via vectors related to Graphics driver (WDDM) for Windows guests.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4228
Version: 4
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): VirtualBox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25249
 
Oval ID: oval:org.mitre.oval:def:25249
Title: RHSA-2014:0890: java-1.7.0-openjdk security update (Important)
Description: The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219) A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-4223, CVE-2014-4262, CVE-2014-2483) Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4221, CVE-2014-4252, CVE-2014-4266) It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244) The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0890-00
CESA-2014:0890
CVE-2014-2483
CVE-2014-2490
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4221
CVE-2014-4223
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4266
Version: 3
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): java-1.7.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25250
 
Oval ID: oval:org.mitre.oval:def:25250
Title: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability (CVE-2014-4227)
Description: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4227
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25273
 
Oval ID: oval:org.mitre.oval:def:25273
Title: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality (CVE-2014-4252)
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4252
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25281
 
Oval ID: oval:org.mitre.oval:def:25281
Title: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect confidentiality (CVE-2014-4221)
Description: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Libraries.
Family: windows Class: vulnerability
Reference(s): CVE-2014-4221
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): Java Runtime Environment
Java Development Kit
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25291
 
Oval ID: oval:org.mitre.oval:def:25291
Title: SUSE-SU-2014:0759-1 -- Security update for OpenSSL
Description: OpenSSL was updated to fix several vulnerabilities: * SSL/TLS MITM vulnerability. (CVE-2014-0224) * DTLS recursion flaw. (CVE-2014-0221) * Anonymous ECDH denial of service. (CVE-2014-3470)
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0759-1
CVE-2014-0224
CVE-2014-0221
CVE-2014-3470
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25303
 
Oval ID: oval:org.mitre.oval:def:25303
Title: SUSE-SU-2014:0774-1 -- Security update for xorg-x11-libs
Description: xorg-x11-libs was patched to fix the following security issues: * Integer overflow of allocations in font metadata file parsing. (CVE-2014-0209) * libxfont not validating length fields when parsing xfs protocol replies. (CVE-2014-0210) * Integer overflows causing miscalculating memory needs for xfs replies. (CVE-2014-0211)
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0774-1
CVE-2014-0209
CVE-2014-0210
CVE-2014-0211
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): xorg-x11-libs
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25312
 
Oval ID: oval:org.mitre.oval:def:25312
Title: RHSA-2014:0902: java-1.7.0-oracle security update (Critical)
Description: Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2014-4219, CVE-2014-2490, CVE-2014-4216, CVE-2014-4223, CVE-2014-4262, CVE-2014-2483, CVE-2014-4209, CVE-2014-4218, CVE-2014-4252, CVE-2014-4266, CVE-2014-4221, CVE-2014-4244, CVE-2014-4263, CVE-2014-4227, CVE-2014-4265, CVE-2014-4220, CVE-2014-4208, CVE-2014-4264) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. Note: The way in which the Oracle Java SE packages are delivered has changed. They now reside in a separate channel/repository that requires action from the user to perform prior to getting updated packages. For information on subscribing to the new channel/repository please refer to: https://access.redhat.com/solutions/732883 All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 65 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0902-00
CVE-2014-2483
CVE-2014-2490
CVE-2014-4208
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4220
CVE-2014-4221
CVE-2014-4223
CVE-2014-4227
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4264
CVE-2014-4265
CVE-2014-4266
Version: 3
Platform(s): Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
Product(s): java-1.7.0-oracle
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25318
 
Oval ID: oval:org.mitre.oval:def:25318
Title: SUSE-SU-2014:0759-2 -- Security update for OpenSSL
Description: OpenSSL was updated to fix the following security vulnerabilities: * SSL/TLS MITM vulnerability. (CVE-2014-0224) * DTLS recursion flaw. (CVE-2014-0221) * Anonymous ECDH denial of service. (CVE-2014-3470)
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0759-2
CVE-2014-0224
CVE-2014-0221
CVE-2014-3470
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25341
 
Oval ID: oval:org.mitre.oval:def:25341
Title: SUSE-SU-2014:0665-2 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox update provides several security and non-security fixes. Mozilla Firefox has been updated to the 24.5.0esr version, which fixes the following issues: * MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards * MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL * MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images * MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver Mozilla NSS has been updated to version 3.16 * required for Firefox 29 * CVE-2014-1492_ In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. * Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0665-2
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
Version: 5
Platform(s): SUSE Linux Enterprise Server 10
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25349
 
Oval ID: oval:org.mitre.oval:def:25349
Title: SUSE-SU-2014:0727-1 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox update provides several security and non-security fixes. MozillaFirefox has been updated to 24.5.0esr, which fixes the following issues: * MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards * MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL * MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images * MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver Mozilla NSS has been updated to 3.16 * required for Firefox 29 * CVE-2014-1492_ In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. * Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0727-1
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
Version: 5
Platform(s): SUSE Linux Enterprise Server 10
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25350
 
Oval ID: oval:org.mitre.oval:def:25350
Title: SUSE-SU-2014:0171-1 -- Security update for curl
Description: This update fixes the re-use of wrong HTTP NTLM connections in libcurl. (CVE-2014-0015) Security Issue reference: * CVE-2014-0015 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0171-1
CVE-2014-0015
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25358
 
Oval ID: oval:org.mitre.oval:def:25358
Title: RHSA-2014:0907: java-1.6.0-openjdk security and bug fix update (Important)
Description: The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219) A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490) An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2014-4262) Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4252, CVE-2014-4266) It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244) The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. This update also fixes the following bug: * Prior to this update, an application accessing an unsynchronized HashMap could potentially enter an infinite loop and consume an excessive amount of CPU resources. This update resolves this issue. (BZ#1115580) All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0907-00
CESA-2014:0907
CVE-2014-2490
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4266
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
CentOS Linux 5
CentOS Linux 6
CentOS Linux 7
Product(s): java-1.6.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25377
 
Oval ID: oval:org.mitre.oval:def:25377
Title: SUSE-SU-2014:0175-1 -- Security update for curl
Description: This update fixes the re-use of wrong HTTP NTLM connections in libcurl. (CVE-2014-0015) Security Issue reference: * CVE-2014-0015 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0175-1
CVE-2014-0015
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25393
 
Oval ID: oval:org.mitre.oval:def:25393
Title: SUSE-SU-2014:0175-2 -- Security update for curl
Description: This update fixes the re-use of wrong HTTP NTLM connections in libcurl. (CVE-2014-0015) Security Issue reference: * CVE-2014-0015 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0175-2
CVE-2014-0015
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25428
 
Oval ID: oval:org.mitre.oval:def:25428
Title: RHSA-2014:0908: java-1.6.0-sun security update (Important)
Description: Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page, listed in the References section. (CVE-2014-4219, CVE-2014-4216, CVE-2014-4262, CVE-2014-4209, CVE-2014-4218, CVE-2014-4252, CVE-2014-4244, CVE-2014-4263, CVE-2014-4227, CVE-2014-4265) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. Note: The way in which the Oracle Java SE packages are delivered has changed. They now reside in a separate channel/repository that requires action from the user to perform prior to getting updated packages. For information on subscribing to the new channel/repository please refer to: https://access.redhat.com/solutions/732883 All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 81 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0908-00
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4227
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4265
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Product(s): java-1.6.0-sun
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25431
 
Oval ID: oval:org.mitre.oval:def:25431
Title: SUSE-SU-2014:0150-1 -- Security update for libxml2
Description: This update fixes a DoS vulnerability in libxml2. CVE-2013-2877 has been assigned to this issue. Security Issue reference: * CVE-2013-2877 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0150-1
CVE-2013-2877
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25435
 
Oval ID: oval:org.mitre.oval:def:25435
Title: SUSE-SU-2013:1618-1 -- Security update for Python
Description: This python update fixes a certificate hostname issue. * bnc#834601: CVE-2013-4238: python: SSL module does not handle certificates that contain hostnames with NULL bytes Security Issue reference: * CVE-2013-4238 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238 >
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1618-1
CVE-2013-4238
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): Python
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25457
 
Oval ID: oval:org.mitre.oval:def:25457
Title: SUSE-SU-2013:1627-1 -- Security update for libxml2
Description: libxml2 has been updated to fix the following security issue: * CVE-2013-0338: libxml2 allowed context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1627-1
CVE-2013-0338
CVE-2013-0339
CVE-2012-5134
CVE-2012-2807
CVE-2011-3102
CVE-2012-0841
CVE-2011-3919
CVE-2013-2877
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
Product(s): libxml2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25499
 
Oval ID: oval:org.mitre.oval:def:25499
Title: SUSE-SU-2014:0548-1 -- Security update for jakarta-commons-fileupload
Description: This update fixes a security issue with jakarta-commons-fileupload: * bnc#862781: denial of service due to too-small buffer size used (CVE-2014-0050) Security Issue reference: * CVE-2014-0050 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0548-1
CVE-2014-0050
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): jakarta-commons-fileupload
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25501
 
Oval ID: oval:org.mitre.oval:def:25501
Title: SUSE-SU-2014:0665-1 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox and Mozilla NSS update fixes several security and non-security issues. Mozilla Firefox has been updated to 24.5.0esr which fixes the following issues: * MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards * MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL * MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images * MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver Mozilla NSS has been updated to 3.16 * required for Firefox 29 * CVE-2014-1492_ In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. * Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0665-1
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
Version: 5
Platform(s): SUSE Linux Enterprise Server 11
Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25625
 
Oval ID: oval:org.mitre.oval:def:25625
Title: SUSE-SU-2013:1807-1 -- Security update for mozilla-nspr, mozilla-nss
Description: Mozilla NSPR and NSS were updated to fix various security bugs that could be used to crash the browser or potentially execute code.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1807-1
CVE-2013-5607
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 11
Product(s): mozilla-nspr
mozilla-nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25648
 
Oval ID: oval:org.mitre.oval:def:25648
Title: DSA-2987-1 -- openjdk-7 - security update
Description: Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service.
Family: unix Class: patch
Reference(s): DSA-2987-1
CVE-2014-2483
CVE-2014-2490
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4221
CVE-2014-4223
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4264
CVE-2014-4266
CVE-2014-4268
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): openjdk-7
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25679
 
Oval ID: oval:org.mitre.oval:def:25679
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4209
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25782
 
Oval ID: oval:org.mitre.oval:def:25782
Title: SUSE-SU-2013:1254-1 -- Security update for java-1_7_0-openjdk
Description: This update to icedtea-2.4.1 fixes various security issues.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1254-1
CVE-2013-2407
CVE-2013-2445
CVE-2013-2451
CVE-2013-2450
CVE-2013-2446
CVE-2013-2452
CVE-2013-1500
CVE-2013-2444
CVE-2013-2447
CVE-2013-2443
CVE-2013-2412
CVE-2013-2449
CVE-2013-2448
CVE-2013-2455
CVE-2013-2457
CVE-2013-2453
CVE-2013-2456
CVE-2013-2459
CVE-2013-2458
CVE-2013-2454
CVE-2013-2460
CVE-2013-2470
CVE-2013-2471
CVE-2013-2472
CVE-2013-2473
CVE-2013-1571
CVE-2013-2463
CVE-2013-2465
CVE-2013-2469
CVE-2013-2461
Version: 3
Platform(s): SUSE Linux Enterprise Desktop 11
Product(s): java-1_7_0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25803
 
Oval ID: oval:org.mitre.oval:def:25803
Title: USN-2232-4 -- openssl vulnerabilities
Description: USN-2232-1 introduced a regression in OpenSSL.
Family: unix Class: patch
Reference(s): USN-2232-4
CVE-2014-0195
CVE-2014-0221
CVE-2014-0224
CVE-2014-3470
Version: 3
Platform(s): Ubuntu 10.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25891
 
Oval ID: oval:org.mitre.oval:def:25891
Title: USN-2312-1 -- openjdk-6 vulnerabilities
Description: Several security issues were fixed in OpenJDK 6.
Family: unix Class: patch
Reference(s): USN-2312-1
CVE-2014-2490
CVE-2014-4216
CVE-2014-4219
CVE-2014-4262
CVE-2014-4209
CVE-2014-4244
CVE-2014-4263
CVE-2014-4218
CVE-2014-4266
CVE-2014-4252
CVE-2014-4268
Version: 3
Platform(s): Ubuntu 12.04
Ubuntu 10.04
Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25952
 
Oval ID: oval:org.mitre.oval:def:25952
Title: SUSE-SU-2013:1238-1 -- Security update for java-1_6_0-openjdk
Description: java-1_6_0-openjdk has been updated to Icedtea6-1.12.6 version.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1238-1
CVE-2013-2407
CVE-2013-2445
CVE-2013-2451
CVE-2013-2450
CVE-2013-2446
CVE-2013-2452
CVE-2013-1500
CVE-2013-2444
CVE-2013-2447
CVE-2013-2443
CVE-2013-2412
CVE-2013-2448
CVE-2013-2455
CVE-2013-2457
CVE-2013-2453
CVE-2013-2456
CVE-2013-2459
CVE-2013-2470
CVE-2013-2471
CVE-2013-2472
CVE-2013-2473
CVE-2013-1571
CVE-2013-2463
CVE-2013-2465
CVE-2013-2469
CVE-2013-2461
Version: 3
Platform(s): SUSE Linux Enterprise Desktop 11
Product(s): java-1_6_0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25958
 
Oval ID: oval:org.mitre.oval:def:25958
Title: SUSE-SU-2014:0881-1 -- Security update for xorg-x11-libs
Description: This is a SUSE Linux Enterprise Server 11 SP1 LTSS roll up update of xorg-x11-libs, fixing security issues and some bugs.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0881-1
CVE-2013-1984
CVE-2013-1985
CVE-2013-1986
CVE-2013-1988
CVE-2013-1990
CVE-2013-1991
CVE-2013-1992
CVE-2013-1995
CVE-2013-1996
CVE-2013-1998
CVE-2013-1999
CVE-2013-2000
CVE-2013-2001
CVE-2013-2003
CVE-2013-2063
CVE-2013-6462
CVE-2014-0209
CVE-2014-0210
CVE-2014-0211
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): xorg-x11-libs
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25993
 
Oval ID: oval:org.mitre.oval:def:25993
Title: Critical Patch Update July 2014
Description: Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local users to affect availability via vectors related to CPU performance counters (CPC) drivers.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4215
Version: 3
Platform(s): Sun Solaris 10
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25998
 
Oval ID: oval:org.mitre.oval:def:25998
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4219
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26042
 
Oval ID: oval:org.mitre.oval:def:26042
Title: RHSA-2014:1041: java-1.7.0-ibm security update (Critical)
Description: IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-4208, CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265, CVE-2014-4266) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR7-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:1041-00
CVE-2014-4208
CVE-2014-4209
CVE-2014-4218
CVE-2014-4219
CVE-2014-4220
CVE-2014-4221
CVE-2014-4227
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4265
CVE-2014-4266
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Product(s): java-1.7.0-ibm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26063
 
Oval ID: oval:org.mitre.oval:def:26063
Title: USN-2302-1 -- tomcat6, tomcat7 vulnerabilities
Description: Several security issues were fixed in Tomcat.
Family: unix Class: patch
Reference(s): USN-2302-1
CVE-2014-0075
CVE-2014-0096
CVE-2014-0099
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04
Product(s): tomcat7
tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26067
 
Oval ID: oval:org.mitre.oval:def:26067
Title: USN-2319-3 -- openjdk-7 update
Description: This update provides stability updates for OpenJDK 7.
Family: unix Class: patch
Reference(s): USN-2319-3
CVE-2014-2483
CVE-2014-2490
CVE-2014-4216
CVE-2014-4219
CVE-2014-4223
CVE-2014-4262
CVE-2014-4209
CVE-2014-4244
CVE-2014-4263
CVE-2014-4218
CVE-2014-4266
CVE-2014-4264
CVE-2014-4221
CVE-2014-4252
CVE-2014-4268
Version: 3
Platform(s): Ubuntu 14.04
Product(s): openjdk-7
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26076
 
Oval ID: oval:org.mitre.oval:def:26076
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect availability via unknown vectors related to Security.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4264
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26099
 
Oval ID: oval:org.mitre.oval:def:26099
Title: DSA-2985-1 -- mysql-5.5 - security update
Description: Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.38. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details.
Family: unix Class: patch
Reference(s): DSA-2985-1
CVE-2014-2494
CVE-2014-4207
CVE-2014-4258
CVE-2014-4260
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): mysql-5.5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26101
 
Oval ID: oval:org.mitre.oval:def:26101
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4218
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26123
 
Oval ID: oval:org.mitre.oval:def:26123
Title: AIX libxml2 vulnerability
Description: The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
Family: unix Class: vulnerability
Reference(s): CVE-2014-0191
Version: 6
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26141
 
Oval ID: oval:org.mitre.oval:def:26141
Title: DSA-2994-1 -- nss - security update
Description: Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library.
Family: unix Class: patch
Reference(s): DSA-2994-1
CVE-2013-1741
CVE-2013-5606
CVE-2014-1491
CVE-2014-1492
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26168
 
Oval ID: oval:org.mitre.oval:def:26168
Title: RHSA-2014:1073: nss, nss-util, nss-softokn security, bug fix, and enhancement update (Low)
Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, and other security standards.
Family: unix Class: patch
Reference(s): RHSA-2014:1073-00
CESA-2014:1073
CVE-2014-1492
Version: 3
Platform(s): Red Hat Enterprise Linux 7
CentOS Linux 7
Product(s): nss
nss-softokn
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26182
 
Oval ID: oval:org.mitre.oval:def:26182
Title: SUSE-SU-2014:0961-1 -- Security update for openjdk
Description: This Critical Patch Update contains 20 new security fixes for Oracle Java SE.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0961-1
CVE-2014-4227
CVE-2014-4219
CVE-2014-2490
CVE-2014-4216
CVE-2014-4247
CVE-2014-2483
CVE-2014-4223
CVE-2014-4262
CVE-2014-4209
CVE-2014-4265
CVE-2014-4220
CVE-2014-4218
CVE-2014-4252
CVE-2014-4266
CVE-2014-4268
CVE-2014-4264
CVE-2014-4221
CVE-2014-4244
CVE-2014-4263
CVE-2014-4208
Version: 3
Platform(s): SUSE Linux Enterprise Desktop 11
Product(s): openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26183
 
Oval ID: oval:org.mitre.oval:def:26183
Title: RHSA-2014:1034: tomcat security update (Low)
Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119) All Tomcat users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Tomcat must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:1034-00
CESA-2014:1034
CVE-2014-0119
Version: 3
Platform(s): Red Hat Enterprise Linux 7
CentOS Linux 7
Product(s): tomcat
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26187
 
Oval ID: oval:org.mitre.oval:def:26187
Title: Critical Patch Update July 2014
Description: Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Common Agent Container (Cacao).
Family: unix Class: vulnerability
Reference(s): CVE-2014-4239
Version: 3
Platform(s): Sun Solaris 10
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26198
 
Oval ID: oval:org.mitre.oval:def:26198
Title: USN-2319-2 -- openjdk-7 regression
Description: USN-2319-1 introduced a regression in OpenJDK 7.
Family: unix Class: patch
Reference(s): USN-2319-2
CVE-2014-2483
CVE-2014-2490
CVE-2014-4216
CVE-2014-4219
CVE-2014-4223
CVE-2014-4262
CVE-2014-4209
CVE-2014-4244
CVE-2014-4263
CVE-2014-4218
CVE-2014-4266
CVE-2014-4264
CVE-2014-4221
CVE-2014-4252
CVE-2014-4268
Version: 3
Platform(s): Ubuntu 14.04
Product(s): openjdk-7
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26213
 
Oval ID: oval:org.mitre.oval:def:26213
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4220.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4208
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26289
 
Oval ID: oval:org.mitre.oval:def:26289
Title: Critical Patch Update July 2014
Description: Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11.1 allows local users to affect availability via unknown vectors related to sockfs.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4224
Version: 3
Platform(s): Sun Solaris 10
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26370
 
Oval ID: oval:org.mitre.oval:def:26370
Title: RHSA-2014:1036: java-1.5.0-ibm security update (Important)
Description: IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP7 release. All running instances of IBM Java must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:1036-00
CVE-2014-4209
CVE-2014-4218
CVE-2014-4219
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Product(s): java-1.5.0-ibm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26374
 
Oval ID: oval:org.mitre.oval:def:26374
Title: RHSA-2014:1038: tomcat6 security update (Low)
Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment. (CVE-2013-4590) It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119) All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:1038-00
CESA-2014:1038
CVE-2013-4590
CVE-2014-0119
Version: 3
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26379
 
Oval ID: oval:org.mitre.oval:def:26379
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4262
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26392
 
Oval ID: oval:org.mitre.oval:def:26392
Title: DEPRECATED: ELSA-2014-0474 -- struts security update (important)
Description: [1.2.9-4jpp.7] - Resolves: rhbz#1092457 - CVE-2014-0114: Fixed ClassLoader manipulation vulnerability - Added dist tag to release
Family: unix Class: patch
Reference(s): ELSA-2014-0474
CVE-2014-0114
Version: 4
Platform(s): Oracle Linux 5
Product(s): struts
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26407
 
Oval ID: oval:org.mitre.oval:def:26407
Title: RHSA-2014:1033: java-1.6.0-ibm security update (Critical)
Description: IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4219, CVE-2014-4227, CVE-2014-4244, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4265) The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security. All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:1033-00
CVE-2014-4209
CVE-2014-4218
CVE-2014-4219
CVE-2014-4227
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4265
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Product(s): java-1.6.0-ibm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26443
 
Oval ID: oval:org.mitre.oval:def:26443
Title: SUSE-SU-2014:1015-1 -- Security update for tomcat6
Description: Tomcat has been updated to version 6.0.41, which brings security and bug fixes.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1015-1
CVE-2014-0096
CVE-2014-0099
CVE-2014-0119
CVE-2013-4322
CVE-2012-3544
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26454
 
Oval ID: oval:org.mitre.oval:def:26454
Title: SUSE-SU-2014:1072-1 -- Security update for MySQL
Description: This MySQL update provides the following:upgrade to version 5.5.39
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1072-1
CVE-2014-2484
CVE-2014-4258
CVE-2014-4260
CVE-2014-2494
CVE-2014-4238
CVE-2014-4207
CVE-2014-4233
CVE-2014-4240
CVE-2014-4214
CVE-2014-4243
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): MySQL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26472
 
Oval ID: oval:org.mitre.oval:def:26472
Title: DEPRECATED: ELSA-2014-0429 -- tomcat6 security update (Moderate)
Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286) It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322) A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050) All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014-0429
CVE-2014-0050
CVE-2013-4322
CVE-2013-4286
CVE-2012-3544
Version: 4
Platform(s): Oracle Linux 6
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26480
 
Oval ID: oval:org.mitre.oval:def:26480
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4265
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26497
 
Oval ID: oval:org.mitre.oval:def:26497
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4216
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26498
 
Oval ID: oval:org.mitre.oval:def:26498
Title: SUSE-SU-2014:1080-1 -- Security update for apache2
Description: This apache2 update fixes the following security and non security issues: * mod_cgid denial of service (CVE-2014-0231, bnc#887768) * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765) * mod_dav denial of service (CVE-2013-6438, bnc#869105) * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098, bnc#869106) * Support ECDH in Apache2 (bnc#859916) Security Issues: * CVE-2014-0098 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098> * CVE-2013-6438 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438> * CVE-2014-0226 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226> * CVE-2014-0231 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1080-1
CVE-2014-0231
CVE-2014-0226
CVE-2013-6438
CVE-2014-0098
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): apache2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26507
 
Oval ID: oval:org.mitre.oval:def:26507
Title: Allows remote attackers to cause a denial of service by streaming data.
Description: Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.
Family: windows Class: vulnerability
Reference(s): CVE-2012-3544
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Apache Tomcat
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26513
 
Oval ID: oval:org.mitre.oval:def:26513
Title: USN-2319-1 -- openjdk-7 vulnerabilities
Description: Several security issues were fixed in OpenJDK 7.
Family: unix Class: patch
Reference(s): USN-2319-1
CVE-2014-2483
CVE-2014-2490
CVE-2014-4216
CVE-2014-4219
CVE-2014-4223
CVE-2014-4262
CVE-2014-4209
CVE-2014-4244
CVE-2014-4263
CVE-2014-4218
CVE-2014-4266
CVE-2014-4264
CVE-2014-4221
CVE-2014-4252
CVE-2014-4268
Version: 3
Platform(s): Ubuntu 14.04
Product(s): openjdk-7
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26534
 
Oval ID: oval:org.mitre.oval:def:26534
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4227
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26545
 
Oval ID: oval:org.mitre.oval:def:26545
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Libraries.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4221
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26557
 
Oval ID: oval:org.mitre.oval:def:26557
Title: SUSE-SU-2014:1055-1 -- Security update for IBM Java
Description: java-1_6_0-ibm has been updated to fix several security issues.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1055-1
CVE-2014-4227
CVE-2014-4262
CVE-2014-4219
CVE-2014-4209
CVE-2014-4268
CVE-2014-4218
CVE-2014-4252
CVE-2014-4265
CVE-2014-4263
CVE-2014-4244
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): IBM Java
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26588
 
Oval ID: oval:org.mitre.oval:def:26588
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4268
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26592
 
Oval ID: oval:org.mitre.oval:def:26592
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4252
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26604
 
Oval ID: oval:org.mitre.oval:def:26604
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4208.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4220
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26649
 
Oval ID: oval:org.mitre.oval:def:26649
Title: DEPRECATED: SUSE-SU-2014:1015-1 -- Security update for tomcat6
Description: Tomcat has been updated to version 6.0.41, which brings security and bug fixes.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1015-1
CVE-2014-0096
CVE-2014-0099
CVE-2014-0119
CVE-2013-4322
CVE-2012-3544
Version: 4
Platform(s): SUSE Linux Enterprise Server 11
Product(s): tomcat6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26655
 
Oval ID: oval:org.mitre.oval:def:26655
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement."
Family: unix Class: vulnerability
Reference(s): CVE-2014-4263
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26666
 
Oval ID: oval:org.mitre.oval:def:26666
Title: DEPRECATED: ELSA-2014-0370 -- httpd security update (Moderate)
Description: The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. It was found that the mod_dav module did not correctly strip leading white space from certain elements in a parsed XML. In certain httpd configurations that use the mod_dav module (for example when using the mod_dav_svn module), a remote attacker could send a specially crafted DAV request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the &quot;apache&quot; user. (CVE-2013-6438) A buffer over-read flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled (on Red Hat Enterprise Linux it is disabled by default), a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed cookie header. (CVE-2014-0098) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.
Family: unix Class: patch
Reference(s): ELSA-2014-0370
CVE-2013-6438
CVE-2014-0098
Version: 4
Platform(s): Oracle Linux 6
Product(s): httpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26670
 
Oval ID: oval:org.mitre.oval:def:26670
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-4223. NOTE: the previous information is from the July 2014 CPU. Oracle has not commented on another vendor's claim that the issue is related to improper restriction of the "use of privileged annotations."
Family: unix Class: vulnerability
Reference(s): CVE-2014-2483
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26676
 
Oval ID: oval:org.mitre.oval:def:26676
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4244
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26705
 
Oval ID: oval:org.mitre.oval:def:26705
Title: SUSE-SU-2014:1037-1 -- Security update for IBM Java 1.7.0
Description: IBM Java 1.7.0 has been updated to fix 14 security issues.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1037-1
CVE-2014-4227
CVE-2014-4262
CVE-2014-4219
CVE-2014-4209
CVE-2014-4220
CVE-2014-4268
CVE-2014-4218
CVE-2014-4252
CVE-2014-4266
CVE-2014-4265
CVE-2014-4221
CVE-2014-4263
CVE-2014-4244
CVE-2014-4208
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): IBM Java 1.7.0
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26717
 
Oval ID: oval:org.mitre.oval:def:26717
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Serviceability.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4266
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26720
 
Oval ID: oval:org.mitre.oval:def:26720
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in Oracle Java SE 7u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-2483.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4223
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26723
 
Oval ID: oval:org.mitre.oval:def:26723
Title: HP-UX running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Family: unix Class: vulnerability
Reference(s): CVE-2014-2490
Version: 8
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26734
 
Oval ID: oval:org.mitre.oval:def:26734