CVE-2015-4748
Public on 2015-07-16
Modified on 2015-08-24
Description
A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | java-1.6.0-openjdk | 2015-08-24 | ALAS-2015-586 | Fixed |
| Amazon Linux 1 | java-1.7.0-openjdk | 2015-07-22 | ALAS-2015-570 | Fixed |
| Amazon Linux 1 | java-1.8.0-openjdk | 2015-07-22 | ALAS-2015-571 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| NVD | CVSSv2 | 7.6 | AV:N/AC:H/Au:N/C:C/I:C/A:C |