===========================================================================
                       AUSCERT Security Bulletin

                              ASB-2013.0025
       A number of vulnerabilities have been identified in Oracle Java
                             20 February 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle JDK and JRE 7 Update 13 and earlier
                      Oracle JDK and JRE 6 Update 39 and earlier
                      Oracle JDK and JRE 5.0 Update 39 and earlier
                      Oracle SDK and JRE 1.4.2_41 and earlier
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Overwrite Arbitrary Files       -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1487 CVE-2013-1486 CVE-2013-1485 CVE-2013-1484
                      CVE-2013-0169
Member content until: Friday, March 22 2013
Reference:            ESB-2013.0205 ESB-2013.0204 ESB-2013.0183 ESB-2013.0177
                      ESB-2013.0161

Comment: Oracle has stated: "Due to the threat posed by a successful attack,
         Oracle strongly recommends that customers apply CPU fixes as soon
         as possible."

OVERVIEW

        A number of vulnerabilities have been identified in Oracle Java JDK
        and JRE 7 Update 13 and earlier, JDK and JRE 6 Update 39 and earlier,
        JDK and JRE 5.0 Update 39 and earlier, and SDK and JRE 1.4.2_41 and
        earlier. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-2013-0169:
        "Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JSSE). Supported versions that are affected
        are 7 Update 13 and before, 6 Update 39 and before, 5.0 Update 39
        and before and 1.4.2_41 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks via
        SSL/TLS. Successful attack of this vulnerability can result in
        unauthorized read access to a subset of Java Runtime Environment
        accessible data." [2]

        CVE-2013-1484:
        "Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Libraries). Supported versions that are
        affected are 7 Update 13 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        CVE-2013-1485:
        "Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Libraries). Supported versions that are
        affected are 7 Update 13 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data." [2]

        CVE-2013-1486:
        "Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JMX). Supported versions that are affected
        are 7 Update 13 and before, 6 Update 39 and before and 5.0 Update 39
        and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful
        attack of this vulnerability can result in unauthorized Operating
        System takeover including arbitrary code execution." [2]

        CVE-2013-1487:
        "Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Deployment). Supported versions that are
        affected are 7 Update 13 and before and 6 Update 39 and before.
        Easily exploitable vulnerability allows successful unauthenticated
        network attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized Operating System takeover
        including arbitrary code execution." [2]

MITIGATION

        The vendor recommends updating to the latest version of Java to
        correct these issues.

REFERENCES

        [1] Updated Release of the February 2013 Oracle Java SE Critical
            Patch Update
            http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

        [2] Text Form of the Updated Release for the February 2013 Oracle
            Java SE Critical Patch Update - Risk Matrices
            http://www.oracle.com/technetwork/topics/security/javacpufeb2013updateverbose-1905895.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
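As an added example (not part of the AusCERT bulletin or Oracle's material), a small Python check that parses the version string `java -version` prints and compares it with the affected ceilings from the Product list above (7u13, 6u39, 5.0u39, 1.4.2_41), so an inventory script can flag hosts still needing the update; the sample version strings are constructed.

```python
import re
import subprocess

# Highest affected update per release family, from the bulletin's Product list.
# The JVM reports 7u13 as "1.7.0_13", 6u39 as "1.6.0_39", 5.0u39 as "1.5.0_39"
# and the 1.4.2 line as "1.4.2_41".
AFFECTED_MAX_UPDATE = {"1.7": 13, "1.6": 39, "1.5": 39, "1.4": 41}

# Captures the family ("1.x") and the update number from `java -version` output,
# tolerating build suffixes such as "1.7.0_13-b20".
_VERSION_RE = re.compile(r"(1\.[4-7])\.\d+_(\d+)")


def parse_java_version(text):
    """Return (family, update) from a version string, or None if unrecognised."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def is_affected(text):
    """True if the version is at or below the bulletin's affected ceiling,
    False if it is newer, None if it could not be classified.
    Treat None as 'review manually', never as 'safe'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    family, update = parsed
    ceiling = AFFECTED_MAX_UPDATE.get(family)
    if ceiling is None:
        return None
    return update <= ceiling


def check_installed_java(java_cmd="java"):
    """Run `java -version` on this host (it prints to stderr) and classify it."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample lines in the format `java -version` prints.
    for sample in ('java version "1.7.0_13"', 'java version "1.7.0_15"',
                   'java version "1.6.0_39"', 'java version "1.4.2_41"'):
        print(sample, "->", "AFFECTED" if is_affected(sample) else "not affected")
    print("installed:", check_installed_java())
```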