The remote Redhat Enterprise Linux 5 / 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:1526 advisory.

    The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime     Environment and the OpenJDK 6 Java Software Development Kit.

    Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI     components in OpenJDK. An untrusted Java application or applet could use     these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,     CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)

    A flaw was found in the way the Libraries component of OpenJDK verified     Online Certificate Status Protocol (OCSP) responses. An OCSP response with     no nextUpdate date specified was incorrectly handled as having unlimited     validity, possibly causing a revoked X.509 certificate to be interpreted as     valid. (CVE-2015-4748)

    It was discovered that the JCE component in OpenJDK failed to use constant     time comparisons in multiple cases. An attacker could possibly use these     flaws to disclose sensitive information by measuring the time used to     perform operations using these non-constant time comparisons.
    (CVE-2015-2601)

    A flaw was found in the RC4 encryption algorithm. When using certain keys     for RC4 encryption, an attacker could obtain portions of the plain text     from the cipher text without the knowledge of the encryption key.
    (CVE-2015-2808)

    Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by     default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug     1207101, linked to in the References section, for additional details about     this change.

    A flaw was found in the way the TLS protocol composed the Diffie-Hellman     (DH) key exchange. A man-in-the-middle attacker could use this flaw to     force the use of weak 512 bit export-grade keys during the key exchange,     allowing them to decrypt all traffic. (CVE-2015-4000)

    Note: This update forces the TLS/SSL client implementation in OpenJDK to     reject DH key sizes below 768 bits, which prevents sessions to be     downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,     linked to in the References section, for additional details about this     change.

    It was discovered that the JNDI component in OpenJDK did not handle DNS     resolutions correctly. An attacker able to trigger such DNS errors could     cause a Java application using JNDI to consume memory and CPU time, and     possibly block further DNS resolution. (CVE-2015-4749)

    Multiple information leak flaws were found in the JMX and 2D components in     OpenJDK. An untrusted Java application or applet could use this flaw to     bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)

    A flaw was found in the way the JSSE component in OpenJDK performed X.509     certificate identity verification when establishing a TLS/SSL connection to     a host identified by an IP address. In certain cases, the certificate was     accepted as valid if it was issued for a host name to which the IP address     resolves rather than for the IP address. (CVE-2015-2625)

    All users of java-1.6.0-openjdk are advised to upgrade to these updated     packages, which resolve these issues. All running instances of OpenJDK Java     must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2015:1526)

critical Nessus Plugin ID 85149

Version 2.24

Version 2.23

Version 2.22

Version 2.21

Version 2.24 Mar 21, 2025, 6:26 PM CVSS metrics ("CVSSv3 score" set to 9.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") CVSSv3 severity (based on manual, severity increased from "Medium" to "High") Detection (updated detection logic) Plugin metadata Reference Plugin Feed: 202503211826
Version 2.23 Feb 18, 2025, 11:54 PM Plugin metadata (CVSS 3 Change AC:H --> AC:L where needed) Plugin Feed: 202502182354
Version 2.22 Apr 25, 2023, 11:11 PM CVSS temporal metrics (Adjust exploitability metrics for CISA KEV vulnerabilities) Plugin Feed: 202304252311
Version 2.21 Dec 6, 2022, 1:01 AM Reference Plugin Feed: 202212060101