===========================================================================
                 AUSCERT Security Bulletin ASB-2012.0144
      Oracle Java SE Critical Patch Update Advisory - October 2012
                              17 October 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              JDK and JRE 7 Update 7 and earlier
                      JDK and JRE 6 Update 35 and earlier
                      JDK and JRE 5.0 Update 36 and earlier
                      SDK and JRE 1.4.2_38 and earlier
                      JavaFX 2.2 and earlier
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-5089 CVE-2012-5088 CVE-2012-5087 CVE-2012-5086
                      CVE-2012-5085 CVE-2012-5084 CVE-2012-5083 CVE-2012-5082
                      CVE-2012-5081 CVE-2012-5080 CVE-2012-5079 CVE-2012-5078
                      CVE-2012-5077 CVE-2012-5076 CVE-2012-5075 CVE-2012-5074
                      CVE-2012-5073 CVE-2012-5072 CVE-2012-5071 CVE-2012-5070
                      CVE-2012-5069 CVE-2012-5068 CVE-2012-5067 CVE-2012-4416
                      CVE-2012-3216 CVE-2012-3159 CVE-2012-3143 CVE-2012-1533
                      CVE-2012-1532 CVE-2012-1531
Member content until: Friday, November 16 2012

OVERVIEW

Oracle has released the Java SE Critical Patch Update Advisory for
October 2012. [1]

IMPACT

Oracle has published 30 new security fixes for Oracle Java SE, 29 of which
may be remotely exploited without authentication, and 10 with CVSS scores
of 10.0. [1]

A Text Form of the Risk Matrix provides a more comprehensive overview of
the vulnerabilities and their impact. [2]

MITIGATION

Oracle states that "Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon as possible." [1]

All users should apply the patches available on the Oracle website;
however, there are also some workarounds. According to Oracle, "it may be
possible to reduce the risk of successful attack by restricting network
protocols required by an attack. For attacks that require certain
privileges or access to certain packages, removing the privileges or the
ability to access the packages from unprivileged users may help reduce the
risk of successful attack." However, doing so may affect application
functionality, so customers should test thoroughly in a non-production
environment first. Oracle also emphasises that this workaround is not a
permanent solution. [1]

REFERENCES

[1] Oracle Java SE Critical Patch Update Advisory - October 2012
    http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

[2] Text Form of Risk Matrix for Oracle Java SE
    http://www.oracle.com/technetwork/topics/security/javacpuoct2012verbose-1515981.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
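A version check against the Product list above, added here as an example and not part of the AusCERT bulletin: it parses the banner printed by `java -version` and reports whether the installed runtime falls inside one of the "and earlier" ranges the bulletin lists. The function names are this example's own, JavaFX is not covered, and the update limits are taken directly from the Product field.

```python
import re
import subprocess

# Affected ranges as listed under "Product" in ASB-2012.0144:
# (major, minor) family -> highest affected update number.
MAX_AFFECTED_UPDATE = {
    (1, 7): 7,   # JDK and JRE 7 Update 7 and earlier
    (1, 6): 35,  # JDK and JRE 6 Update 35 and earlier
    (1, 5): 36,  # JDK and JRE 5.0 Update 36 and earlier
    (1, 4): 38,  # SDK and JRE 1.4.2_38 and earlier
}

# Matches the quoted version in the first line of `java -version`, e.g.
# java version "1.7.0_07", java version "1.4.2_38" or java version "1.7.0".
_VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')

def parse_java_version(banner):
    """Return (major, minor, micro, update) from a `java -version` banner,
    or None when no version string is present. A missing _NN means update 0."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update) if update else 0)

def assess(banner):
    """Classify a banner against the bulletin's product list: 'affected',
    'not_listed' (same family, update later than the listed range) or
    'unknown' (unparseable, or a family the bulletin does not cover)."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, _micro, update = parsed
    limit = MAX_AFFECTED_UPDATE.get((major, minor))
    if limit is None:
        return "unknown"
    return "affected" if update <= limit else "not_listed"

def assess_local_java():
    """Run `java -version` on this host (the banner goes to stderr) and
    classify it; returns 'unknown' when no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except OSError:
        return "unknown"
    return assess(proc.stderr + proc.stdout)

if __name__ == "__main__":
    print(assess_local_java())
```

Vendor builds that report a non-Oracle scheme, or a family the bulletin does not list, come back as `unknown` rather than being silently treated as safe.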
===========================================================================