Detections
Analytics

IBM Java 6.0 < 6.0.16.45 / 6.1 < 6.1.8.45 / 7.0 < 7.0.10.5 / 7.1 < 7.1.4.5 / 8.0 < 8.0.4.5 Multiple Vulnerabilities

critical Nessus Plugin ID 160346

Language:

Synopsis

IBM Java is affected by multiple vulnerabilities.

Description

The version of IBM Java installed on the remote host is prior to 6.0 < 6.0.16.45 / 6.1 < 6.1.8.45 / 7.0 < 7.0.10.5 / 7.1 < 7.1.4.5 / 8.0 < 8.0.4.5. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security Update May 2017 advisory.

 - inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. (CVE-2016-9840)

 - inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. (CVE-2016-9841)

 - The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. (CVE-2016-9842)

 - The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. (CVE-2016-9843)

 - IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 125150. (CVE-2017-1289)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the IBM Security Update May 2017 advisory.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg1IV95268

http://www-01.ibm.com/support/docview.wss?uid=swg1IV95456

http://www.nessus.org/u?d5a419df

Plugin Details

Severity: Critical

ID: 160346

File Name: ibm_java_2017_05_01.nasl

Version: 1.3

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 4/29/2022

Updated: 10/31/2023

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-9843

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:java

Required KB Items: installed_sw/Java

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/1/2017

Vulnerability Publication Date: 12/4/2016

Reference Information

CVE: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1289

IAVA: 2017-A-0306-S, 2018-A-0226-S, 2020-A-0328