Detections
Analytics
Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2016-748)
critical Nessus Plugin ID 93540
Language:
Synopsis
The remote Amazon Linux AMI host is missing a security update.Description
An insufficient bytecode verification flaw was discovered in the Hotspot component in OpenJDK. An untrusted Java application or applet could use this flaw to completely bypass Java sandbox restrictions.(CVE-2016-3606)
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500 , CVE-2016-3508)
Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458 , CVE-2016-3550)
Solution
Run 'yum update java-1.6.0-openjdk' to update your system.See Also
Plugin Details
Severity: Critical
ID: 93540
File Name: ala_ALAS-2016-748.nasl
Version: 2.4
Type: local
Agent: unix
Published: 9/16/2016
Updated: 4/18/2018
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.3
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Critical
Base Score: 9.6
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Information
CPE: p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo, p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src, p-cpe:/a:amazon:linux:java-1.6.0-openjdk, p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel, cpe:/o:amazon:linux, p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc, p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list
Patch Publication Date: 9/15/2016
Reference Information
CVE: CVE-2016-3458, CVE-2016-3500, CVE-2016-3508, CVE-2016-3550, CVE-2016-3606
ALAS: 2016-748