Detections
Analytics
RHEL 6 / 7 : java-1.7.0-openjdk (RHSA-2014:1620)
critical Nessus Plugin ID 78455
Language:
Synopsis
The remote Red Hat host is missing one or more security updates for java-1.7.0-openjdk.Description
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2014:1620 advisory.The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)
It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents. (CVE-2014-6517)
It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source.
(CVE-2014-6512)
It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication. (CVE-2014-6457)
It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class. (CVE-2014-6558)
The CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product Security.
Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
This update also fixes the following bug:
* The TLS/SSL implementation in OpenJDK previously failed to handle Diffie-Hellman (DH) keys with more than 1024 bits. This caused client applications using JSSE to fail to establish TLS/SSL connections to servers using larger DH keys during the connection handshake. This update adds support for DH keys with size up to 2048 bits. (BZ#1148309)
All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the RHEL java-1.7.0-openjdk package based on the guidance in RHSA-2014:1620.See Also
http://www.nessus.org/u?f7ca6c7e
https://access.redhat.com/errata/RHSA-2014:1620
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1071210
https://bugzilla.redhat.com/show_bug.cgi?id=1148309
https://bugzilla.redhat.com/show_bug.cgi?id=1150155
https://bugzilla.redhat.com/show_bug.cgi?id=1150182
https://bugzilla.redhat.com/show_bug.cgi?id=1150273
https://bugzilla.redhat.com/show_bug.cgi?id=1150651
https://bugzilla.redhat.com/show_bug.cgi?id=1150669
https://bugzilla.redhat.com/show_bug.cgi?id=1151046
https://bugzilla.redhat.com/show_bug.cgi?id=1151063
https://bugzilla.redhat.com/show_bug.cgi?id=1151364
https://bugzilla.redhat.com/show_bug.cgi?id=1151517
Plugin Details
Severity: Critical
ID: 78455
File Name: redhat-RHSA-2014-1620.nasl
Version: 1.20
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 10/15/2014
Updated: 4/15/2025
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
Vendor
Vendor Severity: Important
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2014-6506
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
CVSS Score Source: CVE-2014-6504
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-accessibility, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-headless, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 10/15/2014
Vulnerability Publication Date: 10/15/2014
Reference Information
CVE: CVE-2014-6457, CVE-2014-6502, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6517, CVE-2014-6519, CVE-2014-6531, CVE-2014-6558