Detections
Analytics
RHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2016:0723)
critical Nessus Plugin ID 91034
Language:
Synopsis
The remote Red Hat host is missing one or more security updates.Description
An update for java-1.6.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.
Security Fix(es) :
* Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
(CVE-2016-0686, CVE-2016-0687)
* It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws. (CVE-2016-3427)
* It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed.
(CVE-2016-3425)
* It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures.
The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected.
(CVE-2016-0695)
Solution
Update the affected packages.See Also
https://access.redhat.com/errata/RHSA-2016:0723
https://access.redhat.com/security/cve/cve-2016-3425
https://access.redhat.com/security/cve/cve-2016-3427
https://access.redhat.com/security/cve/cve-2016-0695
Plugin Details
Severity: Critical
ID: 91034
File Name: redhat-RHSA-2016-0723.nasl
Version: 2.15
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 5/11/2016
Updated: 5/14/2023
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 8.3
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2016-3427
CVSS v3
Risk Factor: Critical
Base Score: 9.6
Temporal Score: 8.9
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
CVSS Score Source: CVE-2016-0687
Vulnerability Information
CPE: cpe:/o:redhat:enterprise_linux:5, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:7.3, cpe:/o:redhat:enterprise_linux:7.4, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo, cpe:/o:redhat:enterprise_linux:6, cpe:/o:redhat:enterprise_linux:7.5, cpe:/o:redhat:enterprise_linux:7.6, cpe:/o:redhat:enterprise_linux:6.7, cpe:/o:redhat:enterprise_linux:7.7, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc, cpe:/o:redhat:enterprise_linux:7.2, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 5/9/2016
Vulnerability Publication Date: 4/21/2016
CISA Known Exploited Vulnerability Due Dates: 6/2/2023
Reference Information
CVE: CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3425, CVE-2016-3427
RHSA: 2016:0723