===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0025
      A number of vulnerabilities have been identified in Oracle Java
                             20 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle JDK and JRE 7 Update 13 and earlier
                      Oracle JDK and JRE 6 Update 39 and earlier
                      Oracle JDK and JRE 5.0 Update 39 and earlier
                      Oracle SDK and JRE 1.4.2_41 and earlier
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Overwrite Arbitrary Files       -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1487 CVE-2013-1486 CVE-2013-1485
                      CVE-2013-1484 CVE-2013-0169 
Member content until: Friday, March 22 2013
Reference:            ESB-2013.0205
                      ESB-2013.0204
                      ESB-2013.0183
                      ESB-2013.0177
                      ESB-2013.0161

Comment: Oracle has stated: "Due to the threat posed by a successful 
         attack, Oracle strongly recommends that customers apply CPU fixes as
         soon as possible."

OVERVIEW

        A number of vulnerabilities have been identified in Oracle Java JDK and
        JRE 7 Update 13 and earlier, JDK and JRE 6 Update 39 and earlier,
        JDK and JRE 5.0 Update 39 and earlier, and SDK and JRE 1.4.2_41 and 
        earlier. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        CVE-2013-0169: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JSSE). Supported versions
        that are affected are 7 Update 13 and before, 6 Update 39 and 
        before, 5.0 Update 39 and before and 1.4.2_41 and before. Difficult
        to exploit vulnerability allows successful unauthenticated network 
        attacks via SSL/TLS. Successful attack of this vulnerability can 
        result in unauthorized read access to a subset of Java Runtime 
        Environment accessible data." [2]
        
        CVE-2013-1484: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Libraries). Supported 
        versions that are affected are 7 Update 13 and before. Easily 
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        CVE-2013-1485: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Libraries). Supported 
        versions that are affected are 7 Update 13 and before. Easily 
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some Java Runtime Environment accessible data." [2]
        
        CVE-2013-1486: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JMX). Supported versions
        that are affected are 7 Update 13 and before, 6 Update 39 and before
        and 5.0 Update 39 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        CVE-2013-1487: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 13 and before and 6 Update 
        39 and before. Easily exploitable vulnerability allows successful 
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]


MITIGATION

        The vendor recommends updating to the latest version of Java to
        correct these issues.
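        As an added example (not part of the AusCERT bulletin or Oracle's
        advisory), the following check parses the first line of `java -version`
        output and flags installations at or below the affected update levels
        this bulletin lists (7u13, 6u39, 5.0u39, 1.4.2_41). The sample banners
        in the block are constructed, not captured from a real host.

```python
import re
import subprocess

# Highest affected update level per Java family, as listed in ASB-2013.0025
# (7 Update 13, 6 Update 39, 5.0 Update 39, 1.4.2_41). At or below = unpatched.
AFFECTED_MAX_UPDATE = {
    "1.7.0": 13,
    "1.6.0": 39,
    "1.5.0": 39,
    "1.4.2": 41,
}

# Matches banners such as: java version "1.7.0_13"
_VERSION_RE = re.compile(r'java version "(?P<base>1\.\d\.\d)(?:_(?P<update>\d+))?')


def parse_java_version(banner):
    """Return (base, update) from a `java -version` banner, e.g.
    'java version "1.7.0_13"' -> ("1.7.0", 13); None if the format is unknown."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    update = int(m.group("update")) if m.group("update") else 0
    return m.group("base"), update


def is_affected(banner):
    """True if the banner describes a JRE/JDK in the bulletin's affected range,
    False if it is newer or from an unlisted family, None if unparsable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None  # unknown format: surface it rather than silently pass
    base, update = parsed
    threshold = AFFECTED_MAX_UPDATE.get(base)
    if threshold is None:
        return False  # family not listed in this bulletin
    return update <= threshold


def local_java_banner():
    """Run `java -version` on this host (it prints its banner to stderr)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners used to exercise the check.
    for sample in ['java version "1.7.0_13"', 'java version "1.7.0_15"',
                   'java version "1.6.0_39"', 'java version "1.4.2_41"']:
        print(sample, "->", "AFFECTED" if is_affected(sample) else "ok")
    banner = local_java_banner()
    if banner:
        print("local:", banner.splitlines()[0], "->", is_affected(banner))
```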


REFERENCES

        [1] Updated Release of the February 2013 Oracle Java SE Critical Patch
            Update
            http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

        [2] Text Form of the Updated Release for the February 2013 Oracle Java
            SE Critical Patch Update - Risk Matrices
            http://www.oracle.com/technetwork/topics/security/javacpufeb2013updateverbose-1905895.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================