Test ID:	1.3.6.1.4.1.25623.1.0.123748
Category:	Oracle Linux Local Security Checks
Title:	Oracle: Security Advisory (ELSA-2013-0165)
Summary:	The remote host is missing an update for the 'java-1.7.0-openjdk' package(s) announced via the ELSA-2013-0165 advisory.
Description:	Summary: The remote host is missing an update for the 'java-1.7.0-openjdk' package(s) announced via the ELSA-2013-0165 advisory. Vulnerability Insight: [1.7.0.9-2.3.4.1.0.1.el6_3] - Update DISTRO_NAME in specfile [1.7.0.9-2.3.4.1.el6] - Rewerted to IcedTea 2.3.4 - rewerted patch105: java-1.7.0-openjdk-disable-system-lcms.patch - removed jxmd and idlj to alternatives - make NOT executed with DISABLE_INTREE_EC=true and UNLIMITED_CRYPTO=true - re-applied patch302 and restored systemtap.patch - buildver set to 9 - icedtea_version set to 2.3.4 - unapplied patch112 java-1.7.openjdk-doNotUseDisabledEcc.patch - restored tmp-patches source tarball - removed /lib/security/US_export_policy.jar and lib/security/local_policy.jar - java-1.7.0-openjdk-java-access-bridge-security.patch's path moved from java.security-linux back to java.security - Resolves: rhbz#895033 [1.7.0.11-2.4.0.1.el6] - Rewritten patch105: java-1.7.0-openjdk-disable-system-lcms.patch - Added jxmd and idlj to alternatives - make executed with DISABLE_INTREE_EC=true and UNLIMITED_CRYPTO=true - Unapplied patch302 and deleted systemtap.patch - buildver increased to 11 - icedtea_version set to 2.4.0 - Added and applied patch112 java-1.7.openjdk-doNotUseDisabledEcc.patch - removed tmp-patches source tarball - Added /lib/security/US_export_policy.jar and lib/security/local_policy.jar - Resolves: rhbz#895033 Affected Software/OS: 'java-1.7.0-openjdk' package(s) on Oracle Linux 5, Oracle Linux 6. Solution: Please install the updated package(s). CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-3174 http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/ RedHat Security Advisories: RHSA-2013:0156 http://rhn.redhat.com/errata/RHSA-2013-0156.html RedHat Security Advisories: RHSA-2013:0165 http://rhn.redhat.com/errata/RHSA-2013-0165.html SuSE Security Announcement: openSUSE-SU-2013:0199 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html http://www.ubuntu.com/usn/USN-1693-1 Common Vulnerability Exposure (CVE) ID: CVE-2013-0422 Bugtraq: 20130110 [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code (Google Search) http://seclists.org/bugtraq/2013/Jan/48 Cert/CC Advisory: TA13-010A http://www.us-cert.gov/cas/techalerts/TA13-010A.html CERT/CC vulnerability note: VU#625617 http://www.kb.cert.org/vuls/id/625617 http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/ http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/ http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013 https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
Copyright	Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.