CVE-2014-2483
Published 2014-07-17
Severity: critical, 9.3 (CVSS 3.1)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-4223. NOTE: the previous information is from the July 2014 CPU. Oracle has not commented on another vendor's claim that the issue is related to improper restriction of the "use of privileged annotations."
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| oracle | jdk | — | — |
| oracle | jre | — | — |
| oracle | openjdk | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | 9.3 | CRITICAL | — |
Ubuntu · OpenJDK 7 update
vendor_ubuntu · 2014-09-17 · CVSS 9.3 · CRITICAL · CVE-2014-2483
Summary: This update provides stability updates for OpenJDK 7.
USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides
stability fixes for the arm64 and ppc64el architectures.
Original advisory details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)
Ubuntu · OpenJDK 7 regression
vendor_ubuntu · 2014-08-26 · CVSS 9.3 · CRITICAL
Summary: USN-2319-1 introduced a regression in OpenJDK 7.
USN-2319-1 fixed vulnerabilities in OpenJDK 7. Due to an upstream
regression, verification of the init method call would fail when it was done
from inside a branch when stack frames are activated. This update fixes the
problem.
We apologize for the inconvenience.
Original advisory details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and d
Ubuntu · OpenJDK 7 vulnerabilities
vendor_ubuntu · 2014-08-20 · CVSS 9.3 · CRITICAL · CVE-2014-2483
Summary: Several security issues were fixed in OpenJDK 7.
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)
Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-4218, CVE-2014-4266)
A vulnerability was discovered in t
Red Hat · OpenJDK: Restrict use of privileged annotations (Libraries, 8034985)
vendor_redhat · 2014-07-15 · CVSS 9.3 · CRITICAL · CVE-2014-2483
Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-4223. NOTE: the previous information is from the July 2014 CPU. Oracle has not commented on another vendor's claim that the issue is related to improper restriction of the "use of privileged annotations."
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 6) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 6)
Red Hat · OpenJDK: Incorrect handling of invocations with exhausted ranks (Libraries, 8035793)
vendor_redhat · 2014-07-15 · CVSS 9.3 · CRITICAL · CVE-2014-4223
Unspecified vulnerability in Oracle Java SE 7u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-2483.
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 6) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 6) - Not affected
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 7) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 7) - Not affected
GHSA · GHSA-9pmr-9fpq-fq64
ghsa_unreviewed · 2022-05-13 · CVSS 9.3 · CRITICAL · CVE-2014-2483
Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE 7u60 and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-4223. NOTE: the previous information is from the July 2014 CPU. Oracle has not commented on another vendor's claim that the issue is related to improper restriction of the "use of privileged annotations."
GHSA · GHSA-x77f-3hr5-3569
ghsa_unreviewed · 2022-05-13 · CVSS 9.3 · CRITICAL · CVE-2014-4223
Unspecified vulnerability in Oracle Java SE 7u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-2483.
OSV · openjdk-7 update
osv · 2014-09-17 · CVSS 9.3 · CRITICAL · CVE-2014-2483
USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides
stability fixes for the arm64 and ppc64el architectures.
Original advisory details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)
Two vulnerabilities were discovered in the OpenJDK JRE related to data
OSV · openjdk-7 regression
osv · 2014-08-26 · CVSS 9.3 · CRITICAL
USN-2319-1 fixed vulnerabilities in OpenJDK 7. Due to an upstream
regression, verification of the init method call would fail when it was done
from inside a branch when stack frames are activated. This update fixes the
problem.
We apologize for the inconvenience.
Original advisory details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive
OSV · openjdk-7 vulnerabilities
osv · 2014-08-20 · CVSS 9.3 · CRITICAL · CVE-2014-2483
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)
Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-4218, CVE-2014-4266)
A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit
No detection rules found.
No public exploits indexed.
Bugzilla · CVE-2014-8130 libtiff: divide by zero in the tiffdither tool
bugzilla · 2015-01-26 · CVSS 6.5 · MEDIUM · CVE-2014-8130
Divide by zero was reported in the libtiff tiffdither tool:
- CVE-2014-8130 libtiff: Divide By Zero in the tiffdither tool
http://bugzilla.maptools.org/show_bug.cgi?id=2483
The above upstream bug was fixed by one of the commits that fix CVE-2014-8127 / CVE-2014-8128 / CVE-2014-8129
Discussion:
Patch
https://github.com/vadz/libtiff/commit/3c5eb8b1be544e41d2c336191bc4936300ad7543
libtiff/tif_unix.c
@@ -257,6 +257,9 @@ TIFFOpenW(const wchar_t* name, const char* mode)
void*
_TIFFmalloc(tmsize_t s)
{
+ if (s == 0)
+ return ((void *) NULL);
+
return (malloc((size_t) s));
}
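Review bot: the new `if (s == 0) return ((void *) NULL);` guard at the top of `_TIFFmalloc` makes a zero-byte request indistinguishable from an allocation failure for every caller, so any caller that reports NULL as "out of memory" will now misreport a zero-size request; the new contract should be documented in a comment above the function and callers audited for that case. The hunk also guards only the allocation path in tif_unix.c; it does not touch the division that the bug title names, so it is a defensive suppression rather than a fix at the faulting site, and the corresponding allocator for other platforms would need the same guard to behave consistently.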
The above patch seems to suppress this flaw.
---
Statement:
Red Hat Product Security has rated this issue as having low security impact, a future update may
Bugzilla · CVE-2014-2483 OpenJDK: Restrict use of privileged annotations (Libraries, 8034985)
bugzilla · 2014-07-15 · CVSS 9.3 · CRITICAL · CVE-2014-2483
It was discovered that the Libraries component did not properly
restrict the use of privileged annotations. An untrusted Java
application or applet could possibly use this flaw to bypass Java
sandbox restrictions.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2014:0890 https://rhn.redhat.com/errata/RHSA-2014-0890.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2014:0889 https://rhn.redhat.com/errata/RHSA-2014-0889.html
---
Fixed now in Oracle Java SE 7.0u65 via Critical Patch Update July 2014.
Fixed in IcedTea 2.5.1 for OpenJDK 7:
http://mail.openjdk.java.net/piperma
References
- http://hg.openjdk.java.net/jdk7u/jdk7u/hotspot/rev/848481af9003
- http://marc.info/?l=bugtraq&m=140852886808946&w=2
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://secunia.com/advisories/60485
- http://secunia.com/advisories/60812
- http://security.gentoo.org/glsa/glsa-201502-12.xml
- http://www.debian.org/security/2014/dsa-2987
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securityfocus.com/bid/68608
- http://www.securitytracker.com/id/1030577
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://access.redhat.com/errata/RHSA-2014:0902
- https://bugzilla.redhat.com/show_bug.cgi?id=1119626
Published: 2014-07-17