All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
CVE-2014-0376 is a vulnerability in Oracle Java SE and OpenJDK that affects the JAXP library (a tool for processing XML documents). The flaw allows remote attackers to compromise data integrity through improper permission checks when creating document builders, but only affects sandboxed Java applications like Web Start apps and applets. The specific details of the vulnerability were not fully disclosed by Oracle.
CVE-2013-2133 is a security flaw in Red Hat JBossWS (a tool for building web services) used in JBoss Enterprise Application Platform (EAP) before version 6.2.0, where the EJB invocation handler (the component that processes method calls) fails to properly check access restrictions. This allows remote authenticated users (people with login credentials) to bypass security controls and access JAX-WS handlers (special functions that intercept web service requests) that should be restricted, simply by having permission to use the underlying EJB class.
CVE-2013-5851 is an unspecified vulnerability in Oracle Java SE 7u40 and earlier versions that allows remote attackers to exploit the software. The vulnerability affects both standard Java SE and Java SE Embedded, meaning it impacts Java running on regular computers and also on smaller embedded devices (computers built into other products).
CVE-2013-5825 is an unspecified vulnerability in older versions of Oracle Java SE (a programming language and runtime environment) and related products that allows remote attackers to disrupt service availability through JAXP (Java API for XML Processing, a tool for handling XML data). The vulnerability can be triggered through sandboxed Java Web Start applications, Java applets, or by sending data directly to affected APIs.
A security flaw in Oracle Java SE versions 7u40 and earlier, Java SE 6u60 and earlier, and Java SE Embedded 7u40 and earlier affects the integrity of data through JAX-WS (Java API for XML Web Services, a tool for building web services). The vulnerability can only be exploited through sandboxed Java Web Start applications and sandboxed Java applets (programs that run in a restricted environment within a web browser).
CVE-2013-5802 is an unspecified vulnerability in multiple versions of Oracle Java SE (Java Standard Edition, the main version of Java used by developers) and related Java products that allows remote attackers to compromise confidentiality (keeping data private), integrity (keeping data accurate), and availability (keeping systems running). The vulnerability can be exploited through JAXP (Java API for XML Processing, a tool for handling XML data), including through compromised Java Web Start applications and Java applets (small programs that run in web browsers).
CVE-2013-2415 is an unspecified vulnerability in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, that affects the JAX-WS (Java API for XML Web Services, a tool for building web services) component and may leak sensitive information. The vulnerability requires local access (an attacker already on your computer) to exploit and cannot be used through untrusted applets or Java Web Start applications.
A vulnerability exists in Oracle Java SE versions 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier, as well as OpenJDK 6 and 7, related to JAXP (Java API for XML Processing, a tool for handling XML documents). Remote attackers can exploit this unspecified flaw to compromise the confidentiality, integrity, and availability of affected systems.
A security flaw in Samba 3.6.x (a software that allows file sharing between computers) before version 3.6.6 fails to properly enforce SMB2 share attributes (settings that control how network shares behave). This allows authenticated users (those with valid login credentials) to write to shares marked as read-only, cause data integrity issues with file locking mechanisms, or exploit incorrect handling of visibility settings.
CVE-2013-0435 is a security flaw in Oracle Java SE 6 and 7 (specifically versions 6 through Update 38, and 7 through Update 11) related to JAX-WS (a Java web services framework) that could allow attackers to access sensitive information. The vulnerability only affects client-side Java deployments and can be exploited through untrusted Java Web Start applications (programs downloaded and run through Java) and untrusted Java applets (small programs embedded in web pages), though these run with limited privileges in a sandbox (a restricted environment).
A security flaw was found in Oracle Java SE versions 7 (up to Update 11), 6 (up to Update 38), and older versions, as well as OpenJDK, that could let remote attackers (people attacking from outside your system) access sensitive information through JAXP (Java API for XML Processing, a tool for handling XML files). The exact nature of the vulnerability was not publicly detailed by Oracle, though another vendor suggested it involved a publicly accessible method in JAXP that could expose private data.
IBM WebSphere Application Server 8.5 Liberty Profile before version 8.5.0.1 has a security flaw in its JAX-RS component (a tool for building web services) that fails to properly validate incoming requests, allowing attackers to gain unauthorized access. The vulnerability is caused by improper input validation (CWE-20, where the system doesn't properly check data before using it).
CVE-2012-5074 is an unspecified vulnerability in Oracle Java SE 7 Update 7 and earlier versions that affects the Java Runtime Environment (JRE, the software that runs Java programs on your computer). The vulnerability can only be exploited through untrusted Java Web Start applications and untrusted Java applets (small programs that run in web browsers), which are limited by the Java sandbox (a restricted environment that prevents programs from accessing sensitive system resources).
CVE-2012-4604 is a flaw in Websense Web Security's TRITON management console that allows attackers to bypass authentication (the process of verifying a user's identity) and access reports they shouldn't see by manipulating cookie fields, specifically the uid and userRoles parameters. The vulnerability affects versions before 7.6 Hotfix 24.
A vulnerability in the Investigative Reports web interface of Websense Web Security's TRITON management console allows remote attackers (people without authorized access) to execute commands on the system through unspecified vectors (unknown attack methods). The flaw affects multiple versions of Websense Web Security, Web Filter, Web Security Gateway, and Web Security Gateway Anywhere.
A security flaw exists in Java Runtime Environment (JRE, the software that runs Java programs) versions 7 update 4 and earlier, and version 6 update 32 and earlier, that allows attackers over the internet to disrupt service availability through an unspecified vulnerability related to JAXP (Java API for XML Processing, a tool for handling XML data). The exact nature of the vulnerability was not fully detailed in the advisory.
CVE-2011-1377 is a vulnerability in the Web Services Security component of IBM WebSphere Application Server (WAS) version 6.1 where the Web Services Feature Pack before version 6.1.0.41 does not properly handle enabling WS-Security (a security standard for web services) for JAX-WS applications, potentially causing unspecified security impacts. The vulnerability has an unknown severity rating and the specific attack methods are not detailed in this source.
SASHA 0.2.0 contains a cross-site scripting (XSS) vulnerability, a type of security flaw where attackers can inject malicious code into web pages, in its lib.base.php file through the instructors parameter. This allows attackers to inject arbitrary web scripts or HTML code that could compromise users visiting the affected application.
CVE-2011-4160 is an unspecified vulnerability in HP Operations Agent 11.00 and Performance Agent 4.73 and 5.0 running on multiple operating systems (AIX, HP-UX, Linux, and Solaris) that allows local users (people with access to the same computer) to bypass directory-access restrictions through unknown methods. The vulnerability has a CVSS score (a 0-10 rating of how severe a security flaw is) of 4.0.
Fix: Update IBM WebSphere Application Server 8.5 Liberty Profile to version 8.5.0.1 or later.
NVD/CVE DatabaseCVE-2012-5076 is a vulnerability in Oracle Java SE 7 Update 7 and earlier versions that affects the JAX-WS (Java web services framework) component in the Java Runtime Environment. Remote attackers could exploit this flaw to compromise confidentiality (reading data), integrity (modifying data), and availability (disrupting service) of affected systems.
Fix: Apply updates per vendor instructions. The source references Oracle's October 2012 security advisory (http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html) as a patch vendor advisory with available fixes.
NVD/CVE DatabaseFix: Apply the appropriate hotfix for your version: Hotfix 109 for version 7.1, Hotfix 06 for version 7.1.1, Hotfix 78 for version 7.5, Hotfix 12 for version 7.5.1, Hotfix 24 for version 7.6, and Hotfix 12 for version 7.6.2. Consult Websense vendor advisories for installation instructions.
NVD/CVE DatabaseFix: Upgrade the Web Services Feature Pack to version 6.1.0.41 or later for IBM WebSphere Application Server 6.1.
NVD/CVE Database