Vulnerability CVE-2011-3551 - CERT Civis.Net

Vulnerability Name:

CVE-2011-3551 (CCN-70842)

Assigned:

2011-10-18

Published:

2011-10-18

Updated:

2018-01-06

Summary:

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVSS v3 Severity:

10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-noinfo
CWE-190

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2011-3551

Source: SUSE
Type: UNKNOWN
SUSE-SU-2012:0114

Source: HP
Type: UNKNOWN
HPSBUX02730

Source: HP
Type: UNKNOWN
HPSBMU02799

Source: HP
Type: UNKNOWN
SSRT100867

Source: CCN
Type: RHSA-2011-1380
Critical: java-1.6.0-openjdk security update

Source: CCN
Type: RHSA-2011-1384
Critical: java-1.6.0-sun security update

Source: CCN
Type: RHSA-2012-0034
Critical: java-1.6.0-ibm security update

Source: CCN
Type: RHSA-2013-1455
Low: Red Hat Network Satellite server IBM Java Runtime security update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:1455

Source: CCN
Type: SA46512
Oracle Java SE Multiple Vulnerabilities

Source: CCN
Type: SA46521
Oracle JRockit Multiple Vulnerabilities

Source: CCN
Type: SA46694
Hitachi Cosminexus Products Java Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
48308

Source: CCN
Type: SA53217
IBM Security AppScan Java Multiple Vulnerabilities

Source: CCN
Type: SA53219
IBM Security AppScan Java Multiple Vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-201406-32

Source: DEBIAN
Type: DSA-2356
openjdk-6 -- several vulnerabilities

Source: DEBIAN
Type: DSA-2358
openjdk-6 -- several vulnerabilities

Source: CCN
Type: Hitachi Security Vulnerability Information HS11-024
Multiple Vulnerabilities in Cosminexus

Source: CONFIRM
Type: UNKNOWN
http://www.ibm.com/developerworks/java/jdk/alerts/

Source: CCN
Type: IBM Security Bulletin 1609022
Vulnerabilities in AppScan Standard

Source: CCN
Type: Oracle Java SE Critical Patch Update Advisory - October 2011
Oracle Java SE Critical Patch Update Advisory - October 2011

Source: CONFIRM
Type: Vendor Advisory
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Source: CCN
Type: OSVDB ID: 76502
Oracle Java SE / JRE 2D Component Unspecified Remote Issue

Source: REDHAT
Type: UNKNOWN
RHSA-2011:1384

Source: BID
Type: UNKNOWN
50224

Source: CCN
Type: BID-50224
Oracle Java SE CVE-2011-3551 Remote Java Runtime Environment Vulnerability

Source: SECTRACK
Type: UNKNOWN
1026215

Source: UBUNTU
Type: UNKNOWN
USN-1263-1

Source: XF
Type: UNKNOWN
oracle-jre-2d-unspecified(70842)

Source: XF
Type: UNKNOWN
oracle-jre-2d-unspecified(70842)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:14318

Vulnerable Configuration:

Configuration 1:

cpe:/a:sun:jdk:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.7.0:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:oracle:jrockit:r28.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.1.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.1.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:*:*:*:*:*:*:*:* (Version <= r28.1.4)

Configuration 3:

cpe:/a:sun:jdk:1.6.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_22:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_23:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_24:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_25:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_26:*:*:*:*:*:*

OR cpe:/a:sun:jdk:*:update_27:*:*:*:*:*:* (Version <= 1.6.0)

OR cpe:/a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_1:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_10:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_11:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_12:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_13:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_14:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_15:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_16:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_17:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_18:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_19:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_2:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_20:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_21:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_22:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_23:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_24:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_25:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_26:*:*:*:*:*:*

OR cpe:/a:sun:jre:*:update_27:*:*:*:*:*:* (Version <= 1.6.0)

OR cpe:/a:sun:jre:1.6.0:update_3:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_4:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_5:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_6:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_7:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:jrockit:r28.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.1.3:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.1.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.1.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:jrockit:r28.0.1:*:*:*:*:*:*:*

AND

cpe:/a:hitachi:cosminexus_application_server:5:*:*:*:*:*:*:*

OR cpe:/a:hitachi:cosminexus_application_server:6:*:*:*:*:*:*:*

OR cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_service_architect:*:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_client:06-70-/f:*:*:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_operator:07-00-05:*:*:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_service_platform:*:*:*:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_content_manager:*:*:*:*:*:*:*:*

OR cpe:/a:hitachi:cosminexus_developer:6:-:standard:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_developer:6:-:pro:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6:*:server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6:*:workstation:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server_eus:6.1.z:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_appscan:7.9:-:standard:*:*:*:*:*

OR cpe:/a:ibm:security_appscan:8.0:-:standard:*:*:*:*:*

OR cpe:/a:ibm:security_appscan:8.5:-:standard:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20113551	V	CVE-2011-3551	2022-05-20
oval:org.opensuse.security:def:33753	P	Security update for MozillaFirefox (Important)	2021-12-12
oval:org.opensuse.security:def:33714	P	Security update for openssl-1_1 (Low)	2021-09-09
oval:org.opensuse.security:def:32997	P	Security update for xen (Important)	2021-09-06
oval:org.opensuse.security:def:29415	P	Security update for bind (Moderate)	2021-08-30
oval:org.opensuse.security:def:32986	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:32985	P	Security update for openssl (Important)	2021-08-24
oval:org.opensuse.security:def:34499	P	Security update for djvulibre (Important)	2021-08-05
oval:org.opensuse.security:def:34459	P	Security update for spice (Important)	2021-06-08
oval:org.opensuse.security:def:33777	P	Security update for openldap2 (Important)	2021-03-03
oval:org.opensuse.security:def:33076	P	Security update for bind (Important)	2021-02-18
oval:org.opensuse.security:def:33665	P	Security update for java-1_7_1-ibm (Moderate)	2021-01-04
oval:org.opensuse.security:def:28987	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:29710	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:33451	P	Security update for GNOME screensaver	2020-12-01
oval:org.opensuse.security:def:29187	P	Security update for mysql (Important)	2020-12-01
oval:org.opensuse.security:def:29772	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:29330	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:30447	P	Security update for IBM Java 1.6.0	2020-12-01
oval:org.opensuse.security:def:29568	P	Security update for SDL (Moderate)	2020-12-01
oval:org.opensuse.security:def:33211	P	nagios-nrpe on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28976	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:33821	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:29671	P	Security update for dhcpcd	2020-12-01
oval:org.opensuse.security:def:33363	P	Security update for openssl1 (Important)	2020-12-01
oval:org.opensuse.security:def:29056	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:29728	P	Security update for MozillaFirefox, firefox-glib2, firefox-gtk3 (Important)	2020-12-01
oval:org.opensuse.security:def:33608	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:29273	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:30410	P	Security update for xorg-x11-libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28975	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:29622	P	Security update for bsdtar (Important)	2020-12-01
oval:org.opensuse.security:def:33306	P	yast2-core on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:19719	V	HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities	2015-04-20
oval:org.mitre.oval:def:14318	V	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.	2014-08-18
oval:org.mitre.oval:def:15328	P	USN-1263-2 -- OpenJDK 6 regression	2014-06-30
oval:org.mitre.oval:def:15316	P	USN-1263-1 -- IcedTea-Web, OpenJDK 6 vulnerabilities	2014-06-30
oval:org.mitre.oval:def:15374	P	DSA-2358-1 openjdk-6 -- several	2014-06-23
oval:org.mitre.oval:def:15281	P	DSA-2356-1 openjdk-6 -- several	2014-06-23
oval:org.mitre.oval:def:23332	P	ELSA-2011:1384: java-1.6.0-sun security update (Critical)	2014-05-26
oval:org.mitre.oval:def:23746	P	ELSA-2011:1380: java-1.6.0-openjdk security update (Critical)	2014-05-26
oval:org.mitre.oval:def:23157	P	ELSA-2012:0034: java-1.6.0-ibm security update (Critical)	2014-05-26
oval:org.mitre.oval:def:21558	P	RHSA-2011:1380: java-1.6.0-openjdk security update (Critical)	2014-02-24
oval:org.mitre.oval:def:22009	P	RHSA-2011:1384: java-1.6.0-sun security update (Critical)	2014-02-24
oval:org.mitre.oval:def:20940	P	RHSA-2012:0034: java-1.6.0-ibm security update (Critical)	2014-02-24
oval:com.redhat.rhsa:def:20120034	P	RHSA-2012:0034: java-1.6.0-ibm security update (Critical)	2012-01-18
oval:com.redhat.rhsa:def:20111384	P	RHSA-2011:1384: java-1.6.0-sun security update (Critical)	2011-10-19
oval:com.ubuntu.precise:def:20113551000	V	CVE-2011-3551 on Ubuntu 12.04 LTS (precise) - low.	2011-10-19
oval:com.redhat.rhsa:def:20111380	P	RHSA-2011:1380: java-1.6.0-openjdk security update (Critical)	2011-10-18