The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 45, 6 Update 65, or 5 Update 55.  It is, therefore, potentially affected by security issues in the following components :

  - 2D
  - AWT
  - BEANS
  - CORBA
  - Deployment
  - JAX-WS
  - JAXP
  - JGSS
  - jhat
  - JNDI
  - JavaFX
  - Javadoc
  - Libraries
  - SCRIPTING
  - Security
  - Swing

Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.

Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)

The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)

Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850)

Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.
(CVE-2013-5809)

The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)

Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)

Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)

It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)

Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.
(CVE-2013-5804, CVE-2013-5797)

Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)

The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)

The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)

The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)

Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829 , CVE-2013-5814 , CVE-2013-5817 , CVE-2013-5842 , CVE-2013-5850)

Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.
(CVE-2013-5809)

The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)

Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825 , CVE-2013-4002 , CVE-2013-5823)

Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829 , CVE-2013-5840 , CVE-2013-5774 , CVE-2013-5783 , CVE-2013-5820 , CVE-2013-5849 , CVE-2013-5790 , CVE-2013-5784)

It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)

Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.
(CVE-2013-5804 , CVE-2013-5797)

Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)

The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)

The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)

Updated java-1.7.0-openjdk packages fix security vulnerabilities :

Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine (CVE-2013-5782).

The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine (CVE-2013-5830).

Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850, CVE-2013-5838).

Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions (CVE-2013-5809).

The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions (CVE-2013-5802).

Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823).

Multiple improper permission check issues were discovered in the Libraries Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784).

It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory (CVE-2013-5778).

Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks (CVE-2013-5804, CVE-2013-5797).

Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data (CVE-2013-5780).

The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks (CVE-2013-5772).

The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit (CVE-2013-5803).

This updates IcedTea to version 2.4.3, which fixes these issues, as well as several others.

OpenJDK 1.6 was updated to the new Icedtea release 1.12.7, which includes many fixes for bugs and security issues :

  - S8006900, CVE-2013-3829: Add new date/time capability

  - S8008589: Better MBean permission validation

  - S8011071, CVE-2013-5780: Better crypto provider handling

  - S8011081, CVE-2013-5772: Improve jhat

  - S8011157, CVE-2013-5814: Improve CORBA portablility

  - S8012071, CVE-2013-5790: Better Building of Beans

  - S8012147: Improve tool support

  - S8012277: CVE-2013-5849: Improve AWT DataFlavor

  - S8012425, CVE-2013-5802: Transform TransformerFactory

  - S8013503, CVE-2013-5851: Improve stream factories

  - S8013506: Better Pack200 data handling

  - S8013510, CVE-2013-5809: Augment image writing code

  - S8013514: Improve stability of cmap class

  - S8013739, CVE-2013-5817: Better LDAP resource management

  - S8013744, CVE-2013-5783: Better tabling for AWT

  - S8014085: Better serialization support in JMX classes

  - S8014093, CVE-2013-5782: Improve parsing of images

  - S8014102, CVE-2013-5778: Improve image conversion

  - S8014341, CVE-2013-5803: Better service from Kerberos     servers

  - S8014349, CVE-2013-5840: (cl) Class.getDeclaredClass     problematic in some class loader configurations

  - S8014530, CVE-2013-5825: Better digital signature     processing

  - S8014534: Better profiling support

  - S8014987, CVE-2013-5842: Augment serialization handling

  - S8015614: Update build settings

  - S8015731: Subject java.security.auth.subject to     improvements

  - S8015743, CVE-2013-5774: Address internet addresses

  - S8016256: Make finalization final

  - S8016653, CVE-2013-5804: javadoc should ignore     ignoreable characters in names

  - S8016675, CVE-2013-5797: Make Javadoc pages more robust

  - S8017196, CVE-2013-5850: Ensure Proxies are handled     appropriately

  - S8017287, CVE-2013-5829: Better resource disposal

  - S8017291, CVE-2013-5830: Cast Proxies Aside

  - S8017298, CVE-2013-4002: Better XML support

  - S8017300, CVE-2013-5784: Improve Interface     Implementation

  - S8017505, CVE-2013-5820: Better Client Service

  - S8019292: Better Attribute Value Exceptions

  - S8019617: Better view of objects

  - S8020293: JVM crash

  - S8021290, CVE-2013-5823: Better signature validation

  - S8022940: Enhance CORBA translations

  - S8023683: Enhance class file parsing

According to its version, the IBM Domino (formerly IBM Lotus Domino) on the remote host is 9.x prior to 9.0.1 Fix Pack 1 (FP1). It is, therefore, affected by the following vulnerabilities :

  - A stack overflow issue exists due to the insecure     '-z execstack' flag being used during compilation, which     could aid remote attackers in executing arbitrary code.
    Note that this issue only affects installs on 32-bit     hosts running Linux. (CVE-2014-0892)

  - Note that the fixes in the Oracle Java CPUs for     October 2013 and January 2014 are included in the fixed     IBM Java release, which is included in the fixed IBM     Domino release. (CVE-2013-0408, CVE-2013-3829,     CVE-2013-4002, CVE-2013-4041, CVE-2013-5372,     CVE-2013-5375, CVE-2013-5456, CVE-2013-5457,     CVE-2013-5458, CVE-2013-5772, CVE-2013-5774,     CVE-2013-5776, CVE-2013-5778, CVE-2013-5780,     CVE-2013-5782, CVE-2013-5783, CVE-2013-5784,     CVE-2013-5787, CVE-2013-5788, CVE-2013-5789,     CVE-2013-5790, CVE-2013-5797, CVE-2013-5800,     CVE-2013-5801, CVE-2013-5802, CVE-2013-5803,     CVE-2013-5804, CVE-2013-5805, CVE-2013-5806,     CVE-2013-5809, CVE-2013-5812, CVE-2013-5814,     CVE-2013-5817, CVE-2013-5818, CVE-2013-5819,     CVE-2013-5820, CVE-2013-5823, CVE-2013-5824,     CVE-2013-5825, CVE-2013-5829, CVE-2013-5830,     CVE-2013-5831, CVE-2013-5832, CVE-2013-5838,     CVE-2013-5840, CVE-2013-5842, CVE-2013-5843,     CVE-2013-5848, CVE-2013-5849, CVE-2013-5850,     CVE-2013-5851, CVE-2013-5878, CVE-2013-5884,     CVE-2013-5887, CVE-2013-5888, CVE-2013-5889,     CVE-2013-5893, CVE-2013-5896, CVE-2013-5898,     CVE-2013-5899, CVE-2013-5902, CVE-2013-5904,     CVE-2013-5907, CVE-2013-5910, CVE-2014-0368,     CVE-2014-0373, CVE-2014-0375, CVE-2014-0376,     CVE-2014-0387, CVE-2014-0403, CVE-2014-0410,     CVE-2014-0411, CVE-2014-0415, CVE-2014-0416,     CVE-2014-0417, CVE-2014-0418, CVE-2014-0422,     CVE-2014-0423, CVE-2014-0424, CVE-2014-0428,     CVE-2014-0892)

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743)

Red Hat would like to thank Tim Brown for reporting CVE-2013-1500, and US-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the original reporter of CVE-2013-1571.

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR14 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-1500, CVE-2013-1571, CVE-2013-2443, CVE-2013-2444, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2452, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743)

Red Hat would like to thank Tim Brown for reporting CVE-2013-1500, and US-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the original reporter of CVE-2013-1571.

All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP3 release. All running instances of IBM Java must be restarted for this update to take effect.

The remote host has a version of IBM Domino (formerly Lotus Domino) 8.5.x prior to 8.5.3 Fix Pack 5 installed.  It is, therefore, reportedly affected by the following vulnerabilities :

  - The included version of the IBM Java SDK contains a     version of the IBM JRE that contains numerous security     issues. (CVE-2013-0809, CVE-2013-1493, CVE-2013-2436,     CVE-2013-2455, CVE-2013-3006, CVE-2013-3007,     CVE-2013-3008, CVE-2013-3009, CVE-2013-3010,     CVE-2013-3011, CVE-2013-3012)

  - Note also that fixes in the Oracle Java CPUs for     February, April and June 2013 are included in the     fixed IBM Java release, which is itself included     in the fixed IBM Domino release.
    (CVE-2012-1541, CVE-2012-3213, CVE-2012-3342,     CVE-2013-0351, CVE-2013-0401, CVE-2013-0402,     CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,     CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,     CVE-2013-0427, CVE-2013-0428, CVE-2013-0429,     CVE-2013-0430, CVE-2013-0431, CVE-2013-0432,     CVE-2013-0433, CVE-2013-0434, CVE-2013-0435,     CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,     CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,     CVE-2013-0444, CVE-2013-0445, CVE-2013-0446,     CVE-2013-0448, CVE-2013-0449, CVE-2013-0450,     CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,     CVE-2013-1478, CVE-2013-1479, CVE-2013-1480,     CVE-2013-1481, CVE-2013-1488, CVE-2013-1489,     CVE-2013-1491, CVE-2013-1500, CVE-2013-1518,     CVE-2013-1537, CVE-2013-1540, CVE-2013-1557,     CVE-2013-1558, CVE-2013-1561, CVE-2013-1563,     CVE-2013-1564, CVE-2013-1569, CVE-2013-1571,     CVE-2013-2383, CVE-2013-2384, CVE-2013-2394,     CVE-2013-2400, CVE-2013-2407, CVE-2013-2412,     CVE-2013-2414, CVE-2013-2415, CVE-2013-2416,     CVE-2013-2417, CVE-2013-2418, CVE-2013-2419,     CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,     CVE-2013-2423, CVE-2013-2424, CVE-2013-2425,     CVE-2013-2426, CVE-2013-2427, CVE-2013-2428,     CVE-2013-2429, CVE-2013-2430, CVE-2013-2431,     CVE-2013-2432, CVE-2013-2433, CVE-2013-2434,     CVE-2013-2435, CVE-2013-2437, CVE-2013-2438,     CVE-2013-2439, CVE-2013-2440, CVE-2013-2442,     CVE-2013-2443, CVE-2013-2444, CVE-2013-2445,     CVE-2013-2446, CVE-2013-2447, CVE-2013-2448,     CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,     CVE-2013-2452, CVE-2013-2453, CVE-2013-2454,     CVE-2013-2456, CVE-2013-2457, CVE-2013-2458,     CVE-2013-2459, CVE-2013-2460, CVE-2013-2461,     CVE-2013-2462, CVE-2013-2463, CVE-2013-2464,     CVE-2013-2465, CVE-2013-2466, CVE-2013-2467,     CVE-2013-2468, CVE-2013-2469, CVE-2013-2470,     CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,     CVE-2013-3743, CVE-2013-3744, CVE-2013-4002)

IBM Java 1.7.0 has been updated to SR5 to fix bugs and security issues.

Please see also http://www.ibm.com/developerworks/java/jdk/alerts/

Also the following bugs have been fixed :

  - add Europe/Busingen to tzmappings (bnc#817062)

  - mark files in jre/bin and bin/ as executable     (bnc#823034)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
70472	Oracle Java SE Multiple Vulnerabilities (October 2013 CPU)	Nessus	Windows	10/17/2013	4/11/2022	critical
70771	RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2013:1505)	Nessus	Red Hat Local Security Checks	11/6/2013	1/14/2021	critical
70908	Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-246)	Nessus	Amazon Linux Local Security Checks	11/14/2013	7/10/2019	critical
70967	Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:267)	Nessus	Mandriva Local Security Checks	11/20/2013	1/6/2021	critical
71171	SuSE 11.2 Security Update : OpenJDK 1.6 (SAT Patch Number 8598)	Nessus	SuSE Local Security Checks	12/3/2013	1/19/2021	critical
73968	IBM Domino 9.x < 9.0.1 Fix Pack 1 Multiple Vulnerabilities (uncredentialed check)	Nessus	Misc.	5/12/2014	4/11/2022	critical
68900	RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2013:1059)	Nessus	Red Hat Local Security Checks	7/16/2013	3/29/2022	critical
68922	RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2013:1081)	Nessus	Red Hat Local Security Checks	7/17/2013	3/29/2022	critical
70743	IBM Domino 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities	Nessus	Windows	11/4/2013	5/25/2022	critical
83595	SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2013:1256-1)	Nessus	SuSE Local Security Checks	5/20/2015	3/29/2022	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical