CVE-2014-0423
OpenJDK: XXE issue in decoder (Beans, 8023245)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and availability via unknown vectors related to Beans. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability in DocumentHandler.java, related to Beans decoding.
Vulnerabilidad no especificada en Oracle Java SE 50.u55, 6u65 y 7u45; JRockit R27.7.7 y R28.2.9; y Java SE Embedded 7u45 permite a usuarios remotos autenticados afectar la confidencialidad y disponibilidad a través de vectores desconocidos relacionados con Beans.
Multiple vulnerabilities has been discovered and corrected in java-1.7.0-openjdk. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability. It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys. The updated packages provides a solution for these security issues.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-12-12 CVE Reserved
- 2014-01-15 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (36)
| URL | Tag | Source |
|---|---|---|
| http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/995b32f013f5 | X_refsource_confirm | |
| http://secunia.com/advisories/56432 | Third Party Advisory | |
| http://secunia.com/advisories/56485 | Third Party Advisory | |
| http://secunia.com/advisories/56486 | Third Party Advisory | |
| http://secunia.com/advisories/56487 | Third Party Advisory | |
| http://secunia.com/advisories/56535 | Third Party Advisory | |
| http://secunia.com/advisories/59283 | Third Party Advisory | |
| http://secunia.com/advisories/60568 | Third Party Advisory | |
| http://www-01.ibm.com/support/docview.wss?uid=swg21677388 | X_refsource_confirm | |
| http://www-01.ibm.com/support/docview.wss?uid=swg21679287 | X_refsource_confirm | |
| http://www.securityfocus.com/bid/64758 | Vdb Entry | |
| http://www.securityfocus.com/bid/64914 | Vdb Entry | |
| http://www.securitytracker.com/id/1029608 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/90340 | Vdb Entry | |
| https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Oracle Search vendor "Oracle" | Jrockit Search vendor "Oracle" for product "Jrockit" | r27.7.7 Search vendor "Oracle" for product "Jrockit" and version "r27.7.7" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jrockit Search vendor "Oracle" for product "Jrockit" | r28.2.9 Search vendor "Oracle" for product "Jrockit" and version "r28.2.9" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0" | update45 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0" | update65 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.6.0 Search vendor "Oracle" for product "Jre" and version "1.6.0" | update65 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0" | update55 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 1.5.0 Search vendor "Oracle" for product "Jre" and version "1.5.0" | update55 |
Affected
| ||||||