Published: 15/10/2014 Updated: 08/09/2020

CVSS v2 Base Score: 6.8 | Impact Score: 6.9 | Exploitability Score: 8

VMScore: 605

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C

It exists that the Libraries component in OpenJDK failed to properly handle ZIP archives that contain entries with a NUL byte used in the file names. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2014-6562) Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519) It exists that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents. (CVE-2014-6517) It exists that the Hotspot component in OpenJDK failed to properly handle malformed Shared Archive files. A local attacker able to modify a Shared Archive file used by a virtual machine of a different user could possibly use this flaw to escalate their privileges. (CVE-2014-6468) It exists that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source. (CVE-2014-6512) It exists that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication. (CVE-2014-6457) It exists that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an malicious user to affect the integrity of an encrypted stream handled by this class. (CVE-2014-6558)

Vulnerable Product	Search on Vulmon	Subscribe to Product
oracle jdk 1.8.0
oracle jre 1.8.0

It was discovered that the Libraries component in OpenJDK failed to properly handle ZIP archives that contain entries with a NUL byte used in the file names An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2014-6562) Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in ...

It was discovered that the Hotspot component in OpenJDK failed to properly handle malformed Shared Archive files A local attacker able to modify a Shared Archive file used by a virtual machine of a different user could possibly use this flaw to escalate their privileges ...

NVD-CWE-noinfo http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html http://secunia.com/advisories/60416 http://rhn.redhat.com/errata/RHSA-2014-1636.html http://www.securityfocus.com/bid/70488 http://secunia.com/advisories/61609 http://linux.oracle.com/errata/ELSA-2014-1636 http://secunia.com/advisories/61928 http://security.gentoo.org/glsa/glsa-201502-12.xml http://www-01.ibm.com/support/docview.wss?uid=swg21692299 https://nvd.nist.gov https://alas.aws.amazon.com/ALAS-2014-432.html https://access.redhat.com/security/cve/cve-2014-6468

CVE-2014-6468

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect