CVE-2014-2423
Published: 2014-04-16
CVSS 3.1 score: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P (CVSS v2 notation)
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458.
Affected (14 ranges as listed; version ranges and fixed versions are not recorded on this page)
| Vendor | Product | Ranges listed | Version range | Fixed in |
|---|---|---|---|---|
| canonical | ubuntu_linux | 5 | — | — |
| debian | debian_linux | 3 | — | — |
| oracle | jdk | 3 | — | — |
| oracle | jre | 3 | — | — |
CVSS provenance:
- NVD: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- OSV: 10.0 CRITICAL
Ubuntu: OpenJDK 6 vulnerabilities
Source: vendor_ubuntu · 2014-05-01 · CVSS 10.0 · indexed under CVE-2014-0429 [CRITICAL]
Summary: Several security issues were fixed in OpenJDK 6.
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452,
CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0461, CVE-2014-0462,
CVE-2014-2397, CVE-2014-2405, CVE-2014-2412, CVE-2014-2414, CVE-2014-2421,
CVE-2014-2423, CVE-2014-2427)
Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-0453, CVE-2014-0460)
A vulnerability wa
Ubuntu: OpenJDK 7 vulnerabilities
Source: vendor_ubuntu · 2014-04-30 · CVSS 10.0 · indexed under CVE-2014-0429 [CRITICAL]
Summary: Several security issues were fixed in OpenJDK 7.
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452,
CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458,
CVE-2014-0461, CVE-2014-2397, CVE-2014-2402, CVE-2014-2412, CVE-2014-2414,
CVE-2014-2421, CVE-2014-2423, CVE-2014-2427)
Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-0453, CVE-2014-0460)
A v
Red Hat: OpenJDK: Activation framework default command map caching (JAX-WS, 8025152)
Source: vendor_redhat · 2014-04-15 · CVSS 7.5 · CVE-2014-0458 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-2423.
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 6) - Not affected
Package: java-1.7.0-oracle (Red Hat Enterprise Linux 7) - Not affected
Red Hat: OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026801)
Source: vendor_redhat · 2014-04-15 · CVSS 7.5 · CVE-2014-0452 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0458 and CVE-2014-2423.
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 6) - Not affected
Package: java-1.7.0-oracle (Red Hat Enterprise Linux 7) - Not affected
Red Hat: OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026188)
Source: vendor_redhat · 2014-04-15 · CVSS 7.5 · CVE-2014-2423 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458.
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 6) - Not affected
Package: java-1.7.0-oracle (Red Hat Enterprise Linux 7) - Not affected
VulDB: Oracle Java SE/Java SE Embedded 6u71/7u51/8 JAX-WS cross site scripting (Nessus ID 73654 / ID 350405)
Source: vuldb · 2026-05-11 · CVSS 7.5 · CVE-2014-2423 [HIGH]
A vulnerability, which was classified as critical, was found in Oracle Java SE and Java SE Embedded 6u71/7u51/8. This affects an unknown part of the component JAX-WS. Such manipulation leads to basic cross site scripting.
This vulnerability is listed as CVE-2014-2423. The attack may be performed from remote. There is no available exploit.
You should upgrade the affected component.
GHSA: GHSA-4rcf-j8r8-4576
Source: ghsa_unreviewed · 2022-05-10 · CVSS 7.5 · CVE-2014-2423 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458.
GHSA: GHSA-94mc-862r-9gjc
Source: ghsa_unreviewed · 2022-05-10 · CVSS 7.5 · CVE-2014-0458 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-2423.
GHSA: GHSA-p9f6-jpfc-m7rw
Source: ghsa_unreviewed · 2022-05-10 · CVSS 7.5 · CVE-2014-0452 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0458 and CVE-2014-2423.
OSV: openjdk-7 vulnerabilities
Source: osv · 2014-04-30 · CVSS 10.0 · indexed under CVE-2014-0429 [CRITICAL]
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452,
CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458,
CVE-2014-0461, CVE-2014-2397, CVE-2014-2402, CVE-2014-2412, CVE-2014-2414,
CVE-2014-2421, CVE-2014-2423, CVE-2014-2427)
Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-0453, CVE-2014-0460)
A vulnerability was discovered in the OpenJDK JRE related to availabi
OSV: CVE-2014-0458
Source: osv · 2014-04-15 · CVSS 7.5 · CVE-2014-0458 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-2423.
OSV: CVE-2014-0452
Source: osv · 2014-04-15 · CVSS 7.5 · CVE-2014-0452 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0458 and CVE-2014-2423.
OSV: CVE-2014-2423
Source: osv · 2014-04-15 · CVSS 7.5 · CVE-2014-2423 [HIGH]
Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458.
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2014-2423 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026188)
Source: bugzilla · 2014-04-14 · CVSS 7.5 · CVE-2014-2423 [HIGH]
It was discovered that JAXWS incorrectly cached certain data initialized
via thread context class loaders. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
Discussion:
Fixed now in Oracle Java SE 6u75, 7u55 and 8u5 via Oracle Critical Patch Update Advisory - April 2014.
Fixed in IcedTea6 1.13.3 and IcedTea7 2.4.7:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027214.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027222.html
External References:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
---
This issue has been addressed in the following products:
Red Hat Ent
Bugzilla: CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (HotSpot, 8009677)
Source: bugzilla · 2013-04-15 · CVSS 3.7 · CVE-2013-2423 [LOW]
java.lang.invoke.MethodHandles did not perform access checks correctly. An untrusted Java application or applet could use this to set value of a final field.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in Oracle Java SE 7u21.
---
OpenJDK7 upstream repositories commit:
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https:
References:
http://marc.info/?l=bugtraq&m=140852886808946&w=2
http://marc.info/?l=bugtraq&m=140852974709252&w=2
http://rhn.redhat.com/errata/RHSA-2014-0675.html
http://rhn.redhat.com/errata/RHSA-2014-0685.html
http://secunia.com/advisories/58415
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://security.gentoo.org/glsa/glsa-201502-12.xml
http://www-01.ibm.com/support/docview.wss?uid=swg21672080
http://www.debian.org/security/2014/dsa-2912
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
http://www.securityfocus.com/bid/66887
http://www.ubuntu.com/usn/USN-2187-1
http://www.ubuntu.com/usn/USN-2191-1
https://access.redhat.com/errata/RHSA-2014:0413
https://access.redhat.com/errata/RHSA-2014:0414