Vulnerability CVE-2011-3558 - CERT Civis.Net

Vulnerability Name:

CVE-2011-3558 (CCN-70835)

Assigned:

2011-10-18

Published:

2011-10-18

Updated:

2018-01-06

Summary:

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2011-3558

Source: CCN
Type: HP Security Bulletin HPSBMU02769 SSRT100846
HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Unauthorized Access, Execution of Arbitrary Code, and Other Vulnerabilities

Source: HP
Type: UNKNOWN
HPSBUX02730

Source: HP
Type: UNKNOWN
HPSBMU02799

Source: HP
Type: UNKNOWN
SSRT100867

Source: OSVDB
Type: UNKNOWN
76510

Source: CCN
Type: RHSA-2011-1380
Critical: java-1.6.0-openjdk security update

Source: CCN
Type: RHSA-2011-1384
Critical: java-1.6.0-sun security update

Source: CCN
Type: SA46512
Oracle Java SE Multiple Vulnerabilities

Source: CCN
Type: SA46521
Oracle JRockit Multiple Vulnerabilities

Source: CCN
Type: SA46694
Hitachi Cosminexus Products Java Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
48308

Source: CCN
Type: SA53217
IBM Security AppScan Java Multiple Vulnerabilities

Source: CCN
Type: SA53219
IBM Security AppScan Java Multiple Vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-201406-32

Source: CCN
Type: Hitachi Security Vulnerability Information HS11-024
Multiple Vulnerabilities in Cosminexus

Source: CONFIRM
Type: UNKNOWN
http://www.ibm.com/developerworks/java/jdk/alerts/

Source: CCN
Type: IBM Security Bulletin 1609022
Vulnerabilities in AppScan Standard

Source: CCN
Type: Oracle Java SE Critical Patch Update Advisory - October 2011
Oracle Java SE Critical Patch Update Advisory - October 2011

Source: CONFIRM
Type: Vendor Advisory
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Source: CCN
Type: OSVDB ID: 76510
Oracle Java SE / JRE HotSpot Component Unspecified Remote Information Disclosure

Source: REDHAT
Type: UNKNOWN
RHSA-2011:1384

Source: BID
Type: UNKNOWN
50242

Source: CCN
Type: BID-50242
Oracle Java SE CVE-2011-3558 Remote Java Runtime Environment Vulnerability

Source: SECTRACK
Type: UNKNOWN
1026215

Source: UBUNTU
Type: UNKNOWN
USN-1263-1

Source: XF
Type: UNKNOWN
oracle-java-hotspot-info-disc(70835)

Source: XF
Type: UNKNOWN
oracle-java-hotspot-info-disc(70835)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:13475

Vulnerable Configuration:

Configuration 1:

cpe:/a:sun:jdk:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.7.0:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:sun:jdk:1.6.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_22:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_23:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_24:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_25:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_26:*:*:*:*:*:*

OR cpe:/a:sun:jdk:*:update_27:*:*:*:*:*:* (Version <= 1.6.0)

OR cpe:/a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_1:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_10:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_11:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_12:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_13:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_14:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_15:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_16:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_17:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_18:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_19:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_2:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_20:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_21:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_22:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_23:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_24:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_25:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_26:*:*:*:*:*:*

OR cpe:/a:sun:jre:*:update_27:*:*:*:*:*:* (Version <= 1.6.0)

OR cpe:/a:sun:jre:1.6.0:update_3:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_4:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_5:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_6:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:update_7:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration CCN 1:

cpe:/a:hp:systems_insight_manager:4.2:sp1:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:4.2:sp2:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:5.0:sp1:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:5.0:sp2:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:5.0:sp3:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:5.0:sp5:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:4.0:*:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:5.0:*:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:5.3:*:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:5.3:update_1:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:6.1:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:6.2:*:*:*:*:*:*:*

OR cpe:/a:hp:systems_insight_manager:6.3:*:*:*:*:*:*:*

AND

cpe:/a:hitachi:cosminexus_application_server:5:*:*:*:*:*:*:*

OR cpe:/a:hitachi:cosminexus_application_server:6:*:*:*:*:*:*:*

OR cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_service_architect:*:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_client:06-70-/f:*:*:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_operator:07-00-05:*:*:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_service_platform:*:*:*:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_content_manager:*:*:*:*:*:*:*:*

OR cpe:/a:hitachi:cosminexus_developer:6:-:standard:*:*:*:*:*

OR cpe:/a:hitachi:ucosminexus_developer:6:-:pro:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6:*:server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6:*:workstation:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server_eus:6.1.z:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_appscan:7.9:-:standard:*:*:*:*:*

OR cpe:/a:ibm:security_appscan:8.0:-:standard:*:*:*:*:*

OR cpe:/a:ibm:security_appscan:8.5:-:standard:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20113558	V	CVE-2011-3558	2015-11-16
oval:org.mitre.oval:def:19814	V	HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities	2015-04-20
oval:org.mitre.oval:def:13475	V	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.	2014-08-18
oval:org.mitre.oval:def:15316	P	USN-1263-1 -- IcedTea-Web, OpenJDK 6 vulnerabilities	2014-06-30
oval:org.mitre.oval:def:15328	P	USN-1263-2 -- OpenJDK 6 regression	2014-06-30
oval:org.mitre.oval:def:23332	P	ELSA-2011:1384: java-1.6.0-sun security update (Critical)	2014-05-26
oval:org.mitre.oval:def:23746	P	ELSA-2011:1380: java-1.6.0-openjdk security update (Critical)	2014-05-26
oval:org.mitre.oval:def:21558	P	RHSA-2011:1380: java-1.6.0-openjdk security update (Critical)	2014-02-24
oval:org.mitre.oval:def:22009	P	RHSA-2011:1384: java-1.6.0-sun security update (Critical)	2014-02-24
oval:com.redhat.rhsa:def:20111384	P	RHSA-2011:1384: java-1.6.0-sun security update (Critical)	2011-10-19
oval:com.ubuntu.precise:def:20113558000	V	CVE-2011-3558 on Ubuntu 12.04 LTS (precise) - medium.	2011-10-19
oval:com.redhat.rhsa:def:20111380	P	RHSA-2011:1380: java-1.6.0-openjdk security update (Critical)	2011-10-18