Oracle Java SE 1.7.x < 1.7.0_211 / 1.8.x < 1.8.0_201 / 1.11.x < 1.11.0_2 Multiple Vulnerabilities (January 2019 CPU)

Medium Nessus Plugin ID 121231

Synopsis

The remote Windows host contains a programming platform that is affected by multiple vulnerabilities.

Description

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update 211, 8 Update 201, 11 Update 2. It is, therefore, affected by multiple vulnerabilities related to the following components :

- An issue in libjpeg 9a, a divide-by-zero error, could allow remote attackers to cause a denial of service condition via a crafted file. (CVE-2018-11212)

- An unspecified vulnerability in Oracle Java SE in the Networking subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE.
(CVE-2019-2426)

- An unspecified vulnerability in Oracle Java SE in the Deployment subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE.
(CVE-2019-2449)

- An unspecified vulnerability in Oracle Java SE in the Libraries subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE.
(CVE-2019-2422)

Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Oracle JDK / JRE 11 Update 2, 8 Update 201 / 7 Update 211 or later. If necessary, remove any affected versions.

See Also

http://www.nessus.org/u?799b2d05

http://www.nessus.org/u?c1896887

Plugin Details

Severity: Medium

ID: 121231

File Name: oracle_java_cpu_jan_2019.nasl

Version: 1.2

Type: local

Agent: windows

Family: Windows

Published: 2019/01/17

Updated: 2019/04/18

Dependencies: 33545

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2018-11212

CVSS v2.0

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS v3.0

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: cpe:/a:oracle:jre, cpe:/a:oracle:jdk

Required KB Items: SMB/Java/JRE/Installed

Patch Publication Date: 2019/01/15

Vulnerability Publication Date: 2019/01/15

Reference Information

CVE: CVE-2018-11212, CVE-2019-2422, CVE-2019-2426, CVE-2019-2449

BID: 106583, 106590, 106596, 106597