-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0144
       Oracle Java SE Critical Patch Update Advisory - October 2012
                              17 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              JDK and JRE 7 Update 7 and earlier
                      JDK and JRE 6 Update 35 and earlier
                      JDK and JRE 5.0 Update 36 and earlier
                      SDK and JRE 1.4.2_38 and earlier
                      JavaFX 2.2 and earlier
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-5089 CVE-2012-5088 CVE-2012-5087
                      CVE-2012-5086 CVE-2012-5085 CVE-2012-5084
                      CVE-2012-5083 CVE-2012-5082 CVE-2012-5081
                      CVE-2012-5080 CVE-2012-5079 CVE-2012-5078
                      CVE-2012-5077 CVE-2012-5076 CVE-2012-5075
                      CVE-2012-5074 CVE-2012-5073 CVE-2012-5072
                      CVE-2012-5071 CVE-2012-5070 CVE-2012-5069
                      CVE-2012-5068 CVE-2012-5067 CVE-2012-4416
                      CVE-2012-3216 CVE-2012-3159 CVE-2012-3143
                      CVE-2012-1533 CVE-2012-1532 CVE-2012-1531
Member content until: Friday, November 16 2012

OVERVIEW

        Oracle has released the Java SE Critical Patch Update Advisory for 
        October 2012. [1]


IMPACT

        Oracle has published 30 new security fixes for Oracle Java SE. 29 of
        these vulnerabilities may be remotely exploitable without
        authentication, and 10 carry a CVSS base score of 10.0. [1]

        A Text Form of the Risk Matrix provides a more comprehensive overview
        of the vulnerabilities and their impact. [2] 


MITIGATION

        Oracle states that "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]
        
        All users should apply the patches available on the Oracle website;
        however, some workarounds also exist. According to Oracle, "it may
        be possible to reduce the risk of successful attack by restricting
        network protocols required by an attack. For attacks that require
        certain privileges or access to certain packages, removing the
        privileges or the ability to access the packages from unprivileged
        users may help reduce the risk of successful attack." However, doing
        so may affect application functionality, so customers should test
        thoroughly in a non-production environment first. Oracle also
        emphasises that this workaround is not a permanent solution. [1]
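        As an added inventory check (not part of the AusCERT bulletin or of
        Oracle's advisory), the following Python script parses a `java -version`
        banner and reports whether the installed JDK/JRE falls inside the
        affected ranges listed under Product above. The update thresholds are
        taken from that list, JavaFX is not covered, and the sample banners
        are constructed.

```python
"""Classify a JDK/JRE against the affected ranges in ASB-2012.0144 (7u7, 6u35,
5.0u36 and 1.4.2_38 and earlier). Added example, not AusCERT's or Oracle's code."""
import re
import subprocess

# Highest affected update level per family, from the bulletin's Product list.
# Keys match the family prefix of the Java version string.
AFFECTED_MAX_UPDATE = {"1.7": 7, "1.6": 35, "1.5": 36, "1.4.2": 38}

# First line of `java -version`, e.g. java version "1.7.0_07"; the _NN update
# suffix is optional (a GA build such as "1.7.0" is treated as update 0).
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (family, update), e.g. ('1.7', 7) or ('1.4.2', 38); None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro = (int(x) for x in m.group(1, 2, 3))
    update = int(m.group(4) or 0)
    # The bulletin tracks 1.4 per micro release (1.4.2); 5.0, 6 and 7 by family only.
    family = f"{major}.{minor}.{micro}" if minor == 4 else f"{major}.{minor}"
    return family, update


def is_affected(banner):
    """True if the version is at or below the bulletin's threshold for its family,
    False if it is later or the family is not listed, None if unparseable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    threshold = AFFECTED_MAX_UPDATE.get(family)
    return update <= threshold if threshold is not None else False


def check_local_java():
    """Run `java -version` on this host (it prints to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None  # no java on PATH
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners (not real host output) showing each outcome.
    for banner in ('java version "1.7.0_07"', 'java version "1.7.0_10"',
                   'java version "1.4.2_38"', 'java version "1.8.0_05"'):
        print(f"{banner:28} affected={is_affected(banner)}")
```

        A result of False only means the version is outside the ranges this
        bulletin lists, not that it is free of other issues.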


REFERENCES

        [1] Oracle Java SE Critical Patch Update Advisory - October 2012
            http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

        [2] Text Form of Risk Matrix for Oracle Java SE
            http://www.oracle.com/technetwork/topics/security/javacpuoct2012verbose-1515981.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----