Red Hat Enterprise Linux 6 Supplementary update for java-1.8.0-ibm

Updated: 2025-04-24
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 9
CVE-ID: CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1517, CVE-2018-1656, CVE-2018-2940, CVE-2018-2952, CVE-2018-2973, CVE-2018-12539
CWE-ID: CWE-415, CWE-310, CWE-20, CWE-22, CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Red Hat Enterprise Linux for Power, big endian
Operating systems & Components / Operating system

Red Hat Enterprise Linux for Scientific Computing
Operating systems & Components / Operating system

Red Hat Enterprise Linux for IBM z Systems
Operating systems & Components / Operating system

Red Hat Enterprise Linux Desktop
Operating systems & Components / Operating system

Red Hat Enterprise Linux Workstation
Operating systems & Components / Operating system

Red Hat Enterprise Linux Server
Operating systems & Components / Operating system

java-1.8.0-ibm-src (Red Hat package)
Operating systems & Components / Operating system package or component

java-1.8.0-ibm-plugin (Red Hat package)
Operating systems & Components / Operating system package or component

java-1.8.0-ibm-jdbc (Red Hat package)
Operating systems & Components / Operating system package or component

java-1.8.0-ibm-devel (Red Hat package)
Operating systems & Components / Operating system package or component

java-1.8.0-ibm-demo (Red Hat package)
Operating systems & Components / Operating system package or component

java-1.8.0-ibm (Red Hat package)
Operating systems & Components / Operating system package or component

Vendor: Red Hat Inc.

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Double free error

EUVDB-ID: #VU1622

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-0705

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists due to a double-free error when parsing DSA private keys. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10
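Added here as an example (not part of the advisory and not Red Hat tooling): a Python check that parses `rpm -qa` output and flags the affected packages whose VERSION-RELEASE still sorts before 1.8.0.5.20-1jpp.1.el6_10, using a re-implementation of librpm's rpmvercmp ordering. The package names and fixed version come from the list above; the sample output is constructed, and epoch is not compared because the advisory gives none.

```python
import re
from typing import Iterable, List, Tuple

# Fixed version and package names are taken from the advisory above.
FIXED_VR = "1.8.0.5.20-1jpp.1.el6_10"
AFFECTED = {"java-1.8.0-ibm", "java-1.8.0-ibm-demo", "java-1.8.0-ibm-devel",
            "java-1.8.0-ibm-jdbc", "java-1.8.0-ibm-plugin", "java-1.8.0-ibm-src"}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # rpmvercmp segments; other chars separate


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like librpm's rpmvercmp():
    digit runs compare numerically, alpha runs lexically, a numeric segment
    beats an alpha one, and '~' sorts before anything (even end of string).
    Returns -1, 0 or 1. The newer '^' separator is not handled here."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        xv, yv = (int(x), int(y)) if x.isdigit() else (x, y)
        if xv != yv:
            return 1 if xv > yv else -1
    if len(sa) == len(sb):
        return 0
    # One side has segments left: it is newer, unless the remainder starts with '~'.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]
    if rest == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def is_vulnerable(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when an installed VERSION-RELEASE sorts before the fixed one."""
    iv, _, ir = installed_vr.rpartition("-")
    fv, _, fr = fixed_vr.rpartition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) < 0


def scan_rpm_qa(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Feed in lines of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'
    and get back the affected packages that are still below FIXED_VR."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] in AFFECTED and is_vulnerable(parts[1]):
            findings.append((parts[0], parts[1]))
    return findings


# Constructed sample output (not captured from a real host): one old build,
# one older release of the fixed build, one package already at the fixed level.
SAMPLE_RPM_QA = """java-1.8.0-ibm 1.8.0.5.17-1jpp.1.el6_9
java-1.8.0-ibm-plugin 1.8.0.5.20-1jpp.0.el6_10
java-1.8.0-ibm-devel 1.8.0.5.20-1jpp.1.el6_10
bash 4.1.2-48.el6""".splitlines()

if __name__ == "__main__":
    for name, vr in scan_rpm_qa(SAMPLE_RPM_QA):
        print(f"VULNERABLE: {name}-{vr} is below {FIXED_VR}")
```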

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU5442

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3732

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a carry-propagating error in the x86_64 Montgomery squaring procedure. A remote attacker with access to an unpatched vulnerable system that uses a shared private key with Diffie-Hellman (DH) parameters set can gain unauthorized access to sensitive private key information.

According to the vendor's advisory, this vulnerability is unlikely to be exploited in real-world attacks, as it requires significant resources and online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.

Exploitation of this defect against RSA and DSA would be very difficult to perform and is not believed to be likely.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Carry propagation issue

EUVDB-ID: #VU9109

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-3736

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to decrypt data.

The vulnerability exists due to a carry-propagation bug in the x86_64 Montgomery squaring procedure (bn_sqrx8x_internal). A remote attacker can decrypt encrypted data. The vulnerability affects processors that support the BMI1, BMI2 and ADX extensions, such as Intel Broadwell (5th generation) and later, or AMD Ryzen.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU81418

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-1517

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via specially crafted String data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Path traversal

EUVDB-ID: #VU15958

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1656

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct a directory traversal attack on the target system.

The weakness exists due to insufficient protection against path traversal attacks when extracting compressed dump files. A remote attacker can conduct a directory traversal attack and extract compressed dump files.
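As an added illustration of this bug class (example code, not the IBM JDK's own dump-extraction routine): a Python pre-extraction audit that rejects archive members which would land outside the destination directory, including absolute names, backslash-separated names, `..` escapes and symlink entries. The destination path and the archive contents are constructed for the demo.

```python
import io
import os
import stat
import zipfile
from typing import List, Tuple


def is_safe_member(dest: str, name: str) -> bool:
    """Return True only if `name` would land inside `dest` after normalisation.
    Backslashes are treated as separators (archives built on Windows), and
    absolute paths, drive letters and '..' escapes are all rejected."""
    dest_abs = os.path.abspath(dest)
    norm = name.replace("\\", "/")
    if not norm or norm.startswith("/") or os.path.splitdrive(norm)[0]:
        return False
    target = os.path.normpath(os.path.join(dest_abs, norm))
    return target == dest_abs or target.startswith(dest_abs + os.sep)


def is_symlink_member(info: zipfile.ZipInfo) -> bool:
    """Unix-created archives keep the file mode in the high 16 bits of
    external_attr; a symlink entry could redirect later writes out of dest."""
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_archive(data: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Split archive members into (accepted, rejected) before anything is
    written to disk. Rejected members are traversal attempts or symlinks."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink_member(info) or not is_safe_member(dest, info.filename):
                rejected.append(info.filename)
            else:
                accepted.append(info.filename)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed test archive (not from the advisory): one legitimate dump
    file plus entries that try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dump/core.20180101.dmp", b"fake dump contents")
        zf.writestr("../../outside.txt", b"")
        zf.writestr("/tmp/absolute", b"")
        zf.writestr("dump\\..\\..\\escape.txt", b"")
        link = zipfile.ZipInfo("dump/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
        zf.writestr(link, b"/etc")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = audit_archive(build_sample_archive(), "/var/dumps")
    print("accepted:", ok)
    print("rejected:", bad)
```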

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU33760

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2940

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Denial of service

EUVDB-ID: #VU14322

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2952

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an unknown flaw. A remote attacker can cause a partial denial of service under unspecified conditions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU33761

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-2973

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Privilege escalation

EUVDB-ID: #VU15959

Risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-12539

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local unauthenticated attacker to gain elevated privileges on the target system.

The weakness exists because the use of the Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine, and to perform Attach API operations, is not restricted to the process owner. A local attacker can conduct a directory traversal attack and extract compressed dump files.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for Power, big endian: 6

Red Hat Enterprise Linux for Scientific Computing: 6

Red Hat Enterprise Linux for IBM z Systems: 6

Red Hat Enterprise Linux Desktop: 6

Red Hat Enterprise Linux Workstation: 6

Red Hat Enterprise Linux Server: 6.0

java-1.8.0-ibm-src (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-plugin (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-jdbc (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-devel (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm-demo (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

java-1.8.0-ibm (Red Hat package): before 1.8.0.5.20-1jpp.1.el6_10

External links

https://access.redhat.com/errata/RHSA-2018:2575


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.