Description

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information about encryption keys via a timing discrepancy during the TLS/SSL handshake.

References

• BID-64758
• BID-64918
• CVE-2014-0411
• REDHAT-RHSA-2014:0026
• REDHAT-RHSA-2014:0027
• REDHAT-RHSA-2014:0030
• REDHAT-RHSA-2014:0097
• REDHAT-RHSA-2014:0134
• REDHAT-RHSA-2014:0135
• REDHAT-RHSA-2014:0136
• REDHAT-RHSA-2014:0414
• XF-90357

Solution

Related Vulnerabilities

• SUSE Linux Security Vulnerability: CVE-2013-5891
• FreeBSD: puppet27 and puppet -- multiple vulnerabilities (Multiple CVEs)
• SUSE: CVE-2014-0428: SUSE Linux Security Advisory
• Sun Patch: SunOS 5.10: RPC patch
• SUSE: CVE-2014-0433: SUSE Linux Security Advisory
• Gentoo Linux: CVE-2014-0433: MySQL: Multiple vulnerabilities
• Oracle MySQL Vulnerability: CVE-2014-0420
• SUSE: CVE-2014-0387: SUSE Linux Security Advisory
• Gentoo Linux: CVE-2013-5905: Oracle JRE/JDK: Multiple vulnerabilities
• HP-UX: CVE-2014-0424: HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access
• FreeBSD: mozilla -- multiple vulnerabilities (Multiple CVEs)
• Cent OS: CVE-2014-0422: CESA-2014:0097 (java-1.6.0-openjdk)
• Gentoo Linux: CVE-2014-0407: VirtualBox: Multiple Vulnerabilities
• Java CPU January 2014 Java SE Deployment vulnerability (CVE-2014-0387)
• Oracle MySQL Vulnerability: CVE-2014-0393
• Gentoo Linux: CVE-2013-5906: Oracle JRE/JDK: Multiple vulnerabilities
• HP-UX: CVE-2013-5898: HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access
• Sun Patch: SunOS 5.8: ps command patch
• Java CPU January 2014 Java SE, JRockit, Java SE Embedded 2D vulnerability (CVE-2013-5907)
• Oracle Solaris 11: CVE-2013-5821 (11.1 SRU 2.5.0)
• Gentoo Linux: CVE-2013-5907: Oracle JRE/JDK: Multiple vulnerabilities
• Sun Patch: SunOS 5.9: rpc.rusersd Patch
• SUSE Linux Security Vulnerability: CVE-2013-1654
• RHSA-2013:1135: nss and nspr security, bug fix, and enhancement update
• RHSA-2014:0136: java-1.5.0-ibm security update
• Cent OS: CVE-2014-0423: CESA-2014:0097 (java-1.6.0-openjdk)
• SUSE Linux Security Vulnerability: CVE-2013-1862
• Gentoo Linux: CVE-2007-0008: Mozilla Network Security Service: Remote execution of arbitrary code
• Gentoo Linux: CVE-2013-5893: Oracle JRE/JDK: Multiple vulnerabilities
• Java CPU January 2014 Java SE, JavaFX, Java SE Embedded 2D vulnerability (CVE-2014-0417)
• Cent OS: CVE-2013-5893: CESA-2014:0027 (java-1.7.0-openjdk)
• Java CPU January 2014 Java SE Serviceability vulnerability (CVE-2014-0373)
• Sun Patch: SunOS 5.10_x86: Oracle Java Web Console 3.1 Patch
• Gentoo Linux: CVE-2014-0385: Oracle JRE/JDK: Multiple vulnerabilities
• Gentoo Linux: CVE-2013-5898: Oracle JRE/JDK: Multiple vulnerabilities
• RHSA-2013:1133: httpd security update
• RHSA-2013:1207: Red Hat JBoss Enterprise Application Platform 6.1.1 update
• HP-UX: CVE-2014-0373: HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access
• Apache Struts DefaultActionMapper OGNL arbitrary command execution (CVE-2013-2251)
• Sun Patch: SunOS 5.9: Asian SunOS 4.x Binary Compatibility(BCP) patch
• Apache Tomcat: Important: Denial of service (CVE-2012-3544)
• Gentoo Linux: CVE-2014-0404: VirtualBox: Multiple Vulnerabilities
• Java CPU January 2014 Java SE Install vulnerability (CVE-2013-5906)
• Amazon Linux AMI: Security patch for httpd (ALAS-2013-193) (multiple CVEs)
• RHSA-2013:1011: Red Hat JBoss Web Server 2.0.1 update
• Gentoo Linux: CVE-2014-0431: MySQL: Multiple vulnerabilities
• Oracle Solaris 11: CVE-2013-1620: Vulnerability in NSS
• HP-UX: CVE-2014-0375: HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access
• Sun Patch: SunOS 5.9_x86: rpc.rusersd Patch
• Cent OS: CVE-2014-0376: CESA-2014:0097 (java-1.6.0-openjdk)
• IBM AIX: java_jan2014_advisory (CVE-2014-0423): Vulnerability in IBM Java SDK affects AIX
• Cent OS: CVE-2014-0373: CESA-2014:0097 (java-1.6.0-openjdk)
• FreeBSD: puppet26 -- multiple vulnerabilities (Multiple CVEs)
• Sun Patch: SunOS 5.8_x86: rpc.rusersd Patch
• FreeBSD: virtualbox-ose -- local vulnerability (CVE-2013-5892)
• Apache Struts: S2-016 (CVE-2013-2251): Security updates available for Apache Struts
• SUSE Linux Security Vulnerability: CVE-2012-3499
• RHSA-2007:0097: firefox security update
• F5 Networks: K16385 (CVE-2013-5882): Multiple MySQL vulnerabilities
• Gentoo Linux: CVE-2013-5899: Oracle JRE/JDK: Multiple vulnerabilities
• IBM AIX: java_jan2014_advisory (CVE-2013-5887): Vulnerability in IBM Java SDK affects AIX
• IBM AIX: java_jan2014_advisory (CVE-2014-0403): Vulnerability in IBM Java SDK affects AIX
• HP-UX: CVE-2013-5889: HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access
• HP-UX: CVE-2013-5907: HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access
• Oracle MySQL Vulnerability: CVE-2013-5908
• Gentoo Linux: CVE-2014-0387: Oracle JRE/JDK: Multiple vulnerabilities
• Java CPU January 2014 Java SE Deployment vulnerability (CVE-2014-0415)
• F5 Networks: K16385 (CVE-2013-5891): Multiple MySQL vulnerabilities
• Oracle Solaris 11: CVE-2013-2924: Vulnerability in Localization (L10N)
• Gentoo Linux: CVE-2013-2067: Apache Tomcat: Multiple vulnerabilities
• Gentoo Linux: CVE-2014-0410: Oracle JRE/JDK: Multiple vulnerabilities
• IBM AIX: java_jan2014_advisory (CVE-2014-0410): Vulnerability in IBM Java SDK affects AIX
• Gentoo Linux: CVE-2014-0428: Oracle JRE/JDK: Multiple vulnerabilities
• Gentoo Linux: CVE-2014-0427: MySQL: Multiple vulnerabilities
• Oracle MySQL Vulnerability: CVE-2014-0412
• Oracle Database: Critical Patch Update - January 2014 (CVE-2014-0377)
• Sun Patch: SunOS 5.9: Apache Security Patch
• Amazon Linux AMI: Security patch for nspr (ALAS-2013-266) (multiple CVEs)
• RHSA-2014:0027: java-1.7.0-openjdk security update
• HP-UX: CVE-2013-1862: Apache Web Server, Remote Execution of Arbitrary Code, Denial of Service (DoS)
• F5 Networks: K16389 (CVE-2014-0412): Multiple MySQL vulnerabilities
• Gentoo Linux: CVE-2014-0368: Oracle JRE/JDK: Multiple vulnerabilities
• RHSA-2014:0134: java-1.7.0-ibm security update
• Java CPU January 2014 Java SE, Java SE Embedded CORBA vulnerability (CVE-2013-5896)
• IBM AIX: java_jan2014_advisory (CVE-2014-0411): Vulnerability in IBM Java SDK affects AIX
• ELSA-2013-0964 Moderate: Oracle Linux tomcat6 security update
• Gentoo Linux: CVE-2013-1862: Apache HTTP Server: Multiple vulnerabilities
• CESA-2007:0079: Firefox security update
• Cent OS: CVE-2012-4558: CESA-2013:0815 (httpd)
• Java CPU January 2014 Java SE, JavaFX JavaFX vulnerability (CVE-2013-5895)
• Java CPU January 2014 Java SE Deployment vulnerability (CVE-2014-0418)
• HP-UX: CVE-2014-0368: HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access
• Apache Struts: S2-015 (CVE-2013-2135): Security updates available for Apache Struts
• FreeBSD: apache22 -- several vulnerabilities (Multiple CVEs)
• HP-UX: CVE-2013-5899: HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access
• F5 Networks: K16389 (CVE-2014-0402): Multiple MySQL vulnerabilities
• Java CPU January 2014 Java SE Install vulnerability (CVE-2014-0385)
• IBM AIX: java_jan2014_advisory (CVE-2013-5878): Vulnerability in IBM Java SDK affects AIX
• SUSE Linux Security Vulnerability: CVE-2013-5860
• Sun Patch: NSS_NSPR_JSS 3.35 Solaris: NSPR 4.18 / NSS 3.35 / JSS 4.3.2 Mainte