000031137 - Multiple Java SE vulnerabilities in Authentication Manager 8.1 SP1 P5 reported by Tripwire IP360 scanner - False Positives

Document created by RSA Customer Support Employee on Jun 14, 2016
Version 1

Article Content

Article Number: 000031137
Applies To: RSA Authentication Manager 8.1 SP1 P5
OS: SUSE Linux Enterprise Server 11 SP3
CVE ID: CVE-2013-5878, CVE-2014-0373, CVE-2014-0387, CVE-2014-0410, CVE-2014-0415, CVE-2014-0417, CVE-2014-0422, CVE-2014-0424, CVE-2014-0428, CVE-2014-4216, CVE-2014-4219, CVE-2014-4227, CVE-2014-4262, CVE-2014-4288, CVE-2014-6492, CVE-2014-6493, CVE-2014-6503
Scanning Tool and Version: Tripwire IP360 scanner
Article Summary: Tripwire IP360 scanner identified multiple Java SE vulnerabilities against AM 8.1 SP1 P5 servers
Alert Impact: Not Applicable
Technical Details: False positive
Technical Details Explanation: All the vulnerabilities listed are Java vulnerabilities fixed in various Oracle Critical Patch Updates (CPUs).
CVE-2013-5878, CVE-2014-0373, CVE-2014-0387, CVE-2014-0410, CVE-2014-0415, CVE-2014-0417, CVE-2014-0422, CVE-2014-0424, CVE-2014-0428, CVE-2014-4216, CVE-2014-4219, CVE-2014-4227, CVE-2014-4262, CVE-2014-4288, CVE-2014-6492, CVE-2014-6493, CVE-2014-6503, CVE-2014-6513, CVE-2014-6532, CVE-2014-6601, CVE-2015-0395, CVE-2015-0408, CVE-2015-0412, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0491
| CVE | CVSS Base Score | OS | Vulnerability | Risk | Skill | Description | Remediation |
|---|---|---|---|---|---|---|---|
| CVE-2013-5878 | 7.5 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2013-5878 Related to Security | Local Access | No Known Exploit | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE. Supported versions that are affected are Java SE 6u65 and before, Java SE 7u45 and before. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to Security. | Upgrade to the latest version of Java. |
| CVE-2014-0373 | 7.5 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-0373 Related to Serviceability | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u55 and before, Java SE 6u65 and before, Java SE 7u45 and before. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to Serviceability. | Upgrade to the latest version of Java. |
| CVE-2014-0387 | 7.6 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-0387 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u65 and before, Java SE 7u45 and before on Firefox. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-0410 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-0410 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u65 and before, Java SE 7u45 and before. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-0415 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-0415 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u65 and before, Java SE 7u45 and before. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-0417 | 9.3 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-0417 Related to 2D | Local Access | No Known Exploit | Vulnerability in the Java SE, JavaFX, Java SE Embedded component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u55 and before, Java SE 6u65 and before, Java SE 7u45 and before, JavaFX 2.2.45 and before. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to 2D. | Upgrade to the latest version of Java. |
| CVE-2014-0422 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-0422 Related to JNDI | Local Access | No Known Exploit | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u55 and before, Java SE 6u65 and before, Java SE 7u45 and before. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to JNDI. | Upgrade to the latest version of Java. |
| CVE-2014-0424 | 7.5 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-0424 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u65 and before, Java SE 7u45 and before. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-0428 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-0428 Related to CORBA | Local Access | No Known Exploit | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u55 and before, Java SE 6u65 and before, Java SE 7u45 and before. Attackers can affect Confidentiality, Availability, and Integrity via access vector related to CORBA. | Upgrade to the latest version of Java. |
| CVE-2014-4216 | 9.3 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-4216 Related to Hotspot | Local Access | No Known Exploit | There is a vulnerability in the hotspot component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u65 and prior, Java SE 6u75 and prior, Java SE 7u60 and prior, Java SE 8u5 and prior. Attackers can affect confidentiality, integrity, and availability related to hotspot. | Upgrade to the latest version of Java. |
| CVE-2014-4219 | 9.3 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-4219 Related to Hotspot | Local Access | No Known Exploit | There is a vulnerability in the hotspot component of Oracle Java SE. Supported versions that are affected are Java SE 6u75 and prior, Java SE 7u60 and prior, Java SE 8u5 and prior. Attackers can affect confidentiality, integrity, and availability related to hotspot. | Upgrade to the latest version of Java. |
| CVE-2014-4227 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-4227 Related to Deployment | Local Access | No Known Exploit | There is a vulnerability in the deployment component of Oracle Java SE. Supported versions that are affected are Java SE 6u75 and prior, Java SE 7u60 and prior, Java SE 8u5 and prior. Attackers can affect confidentiality, integrity, and availability related to deployment. | Upgrade to the latest version of Java. |
| CVE-2014-4262 | 9.3 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-4262 Related to Libraries | Local Access | No Known Exploit | There is a vulnerability in the libraries component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u65 and prior, Java SE 6u75 and prior, Java SE 7u60 and prior, Java SE 8u5 and prior. Attackers can affect confidentiality, integrity, and availability related to libraries. | Upgrade to the latest version of Java. |
| CVE-2014-4288 | 7.6 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-4288 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u81 and prior, Java SE 7u67 and prior, Java SE 8u20 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-6492 | 7.6 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-6492 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u81 and prior, Java SE 7u67 and prior, Java SE 8u20 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-6493 | 7.6 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-6493 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u81 and prior, Java SE 7u67 and prior, Java SE 8u20 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-6503 | 9.3 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-6503 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u81 and prior, Java SE 7u67 and prior, Java SE 8u20 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-6513 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-6513 Related to AWT | Local Access | No Known Exploit | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE. Supported versions that are affected are Java SE 6u81 and prior, Java SE 7u67 and prior, Java SE 8u20 and prior, Java SE Embedded 7u60 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to AWT. | Upgrade to the latest version of Java. |
| CVE-2014-6532 | 9.3 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-6532 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u81 and prior, Java SE 7u67 and prior, Java SE 8u20 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2014-6601 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2014-6601 Related to Hotspot | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u85 and prior, Java SE 7u72 and prior, Java SE 8u25 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Hotspot. | Upgrade to the latest version of Java. |
| CVE-2015-0395 | 9.3 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2015-0395 Related to Hotspot | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u75 and prior, Java SE 6u85 and prior, Java SE 7u72 and prior, Java SE 8u25 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Hotspot. | Upgrade to the latest version of Java. |
| CVE-2015-0408 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2015-0408 Related to RMI | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u75 and prior, Java SE 6u85 and prior, Java SE 7u72 and prior, Java SE 8u25 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to RMI. | Upgrade to the latest version of Java. |
| CVE-2015-0412 | 7.2 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2015-0412 Related to JAX-WS | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u85 and prior, Java SE 7u72 and prior, Java SE 8u25 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to JAX-WS. | Upgrade to the latest version of Java. |
| CVE-2015-0458 | 7.6 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2015-0458 Related to Deployment | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 6u91 and prior, Java SE 7u76 and prior, Java SE 8u40 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Deployment. | Upgrade to the latest version of Java. |
| CVE-2015-0459 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2015-0459 Related to 2D | Local Access | No Known Exploit | Vulnerability in the Java SE, JavaFX component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u81 and prior, Java SE 6u91 and prior, Java SE 7u76 and prior, Java SE 8u40 and prior, Java FX 2.2.76 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to 2D. | Upgrade to the latest version of Java. |
| CVE-2015-0460 | 9.3 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2015-0460 Related to Hotspot | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u81 and prior, Java SE 6u91 and prior, Java SE 7u76 and prior, Java SE 8u40 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to Hotspot. | Upgrade to the latest version of Java. |
| CVE-2015-0469 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2015-0469 Related to 2D | Local Access | No Known Exploit | Vulnerability in the Java SE component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u81 and prior, Java SE 6u91 and prior, Java SE 7u76 and prior, Java SE 8u40 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to 2D. | Upgrade to the latest version of Java. |
| CVE-2015-0491 | 10 | SUSE Linux Enterprise Server 11 SP3 | Java SE Vulnerability CVE-2015-0491 Related to 2D | Local Access | No Known Exploit | Vulnerability in the Java SE, JavaFX component of Oracle Java SE. Supported versions that are affected are Java SE 5.0u81 and prior, Java SE 6u91 and prior, Java SE 7u76 and prior, Java SE 8u40 and prior, Java FX 2.2.76 and prior. Attackers can affect Confidentiality, Integrity, and Availability via access vector related to 2D. | Upgrade to the latest version of Java. |

According to the Oracle CPU notes, all of these vulnerabilities affect client deployments of Java only.
They can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
They do not affect AM's Java, which is a server deployment.
Proposed response:
Impact: The flaw does not exist.
Response: Affects client deployment of Java only. AM server is not affected.

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Corporation distributes RSA Security Advisories, in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
