ASB-2012.0085 - ALERT [Win][UNIX/Linux][Mobile] Oracle JDK, JRE 7 and JavaFX: Execute arbitrary code/commands - Remote with user interaction

Date: 13 June 2012
References: ASB-2012.0060  ESB-2012.0547  ESB-2012.0549  ESB-2012.0550  ESB-2012.0551  ESB-2012.0593  ESB-2012.0594  ESB-2012.0642  ESB-2012.0780.2  ESB-2012.0850  
ESB-2012.0853  ESB-2012.0854  ESB-2012.0896  ESB-2012.0952  ESB-2012.1011  ESB-2012.1039  ESB-2012.1057  ESB-2012.1097  ESB-2012.1129  ESB-2013.0118  ESB-2013.0298  
ESB-2013.0410  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0085
   Oracle releases Java SE Critical Patch Update Advisory for June 2012
                               13 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              JDK and JRE 7 Update 4 and earlier
                      JDK and JRE 6 Update 32 and earlier
                      JDK and JRE 5.0 Update 35 and earlier
                      SDK and JRE 1.4.2_37 and earlier
                      JavaFX 2.1 and earlier
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1713 CVE-2012-1721 CVE-2012-1722
                      CVE-2012-1723 CVE-2012-1725 CVE-2012-1716
                      CVE-2012-1711 CVE-2012-1726 CVE-2012-0551
                      CVE-2012-1719 CVE-2012-1724 CVE-2012-1718
                      CVE-2012-1720 CVE-2012-1717 
Member content until: Friday, July 13 2012
Reference:            ASB-2012.0060

Comment: All platforms that include Java functionality are potentially affected
         by these vulnerabilities. Members are advised to monitor for advisories
         from the respective vendors.

OVERVIEW

        Oracle has released the Java SE Critical Patch Update Advisory for
        June 2012. It contains 14 new security fixes for Oracle Java SE,
        12 of which may be remotely exploited without authentication. [1]


IMPACT

        Oracle has published updates for the Oracle Java SE product group.
        Java applets and Java Web Start applications are impacted by these
        vulnerabilities. Exploitation occurs at the level of access of the
        currently logged-in user, which on Microsoft Windows is typically
        Administrator. Oracle has published a security matrix at its site
        for the affected products, as well as a text form of the matrix. [2]


MITIGATION

        Oracle strongly recommends that, due to the threat posed by a 
        successful attack, customers apply patches as soon as possible.
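The bulletin's Product list gives the last affected update for each Java family ("7 Update 4 and earlier", "6 Update 32 and earlier", and so on). The script below, added here as an example and not part of the AusCERT bulletin or any Oracle tooling, turns that list into a local check: it parses the first line of `java -version` output and reports whether the installed runtime falls inside the affected range. It assumes Oracle's usual version-string convention, in which "JDK 7 Update 4" reports itself as `1.7.0_04`, "6 Update 32" as `1.6.0_32`, "5.0 Update 35" as `1.5.0_35` and "1.4.2_37" as itself; the sample banners in the block are constructed, not captured from a real host.

```python
import re
import subprocess

# Last affected update per Java family, taken from the bulletin's Product list.
# Keys are the version prefix that `java -version` prints; values are the
# highest update number still covered by "and earlier".
AFFECTED_MAX_UPDATE = {
    "1.7.0": 4,    # JDK and JRE 7 Update 4 and earlier
    "1.6.0": 32,   # JDK and JRE 6 Update 32 and earlier
    "1.5.0": 35,   # JDK and JRE 5.0 Update 35 and earlier
    "1.4.2": 37,   # SDK and JRE 1.4.2_37 and earlier
}

# Matches both Oracle ('java version "1.7.0_04"') and OpenJDK
# ('openjdk version "11.0.2"') banner formats.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+\.\d+\.\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, or None.

    A release with no update suffix (e.g. "1.7.0", the Java 7 GA build)
    is treated as update 0, which is older than any "_NN" build.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    family = match.group(1)
    update = int(match.group(2)) if match.group(2) else 0
    return family, update


def classify(banner):
    """Classify a banner against the bulletin's affected-version list.

    Returns one of:
      "affected" - family is listed and the update is within the affected range
      "patched"  - family is listed and the update is newer than that range
      "unlisted" - family is not covered by this bulletin (consult the vendor)
      "unknown"  - the banner could not be parsed (e.g. no java installed)
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in AFFECTED_MAX_UPDATE:
        return "unlisted"
    if update <= AFFECTED_MAX_UPDATE[family]:
        return "affected"
    return "patched"


def check_local_java(java="java"):
    """Run `java -version` on this host and classify the result.

    `java -version` writes its banner to stderr, so both streams are read.
    Returns (status, first_banner_line); status is "unknown" when no
    java binary can be executed.
    """
    try:
        proc = subprocess.run([java, "-version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown", ""
    banner = (proc.stderr or proc.stdout).strip()
    first_line = banner.splitlines()[0] if banner else ""
    return classify(banner), first_line


if __name__ == "__main__":
    # Constructed sample banners, one per outcome.
    samples = [
        'java version "1.7.0_04"\nJava(TM) SE Runtime Environment (build 1.7.0_04-b20)',
        'java version "1.7.0_05"',
        'java version "1.6.0_32"',
        'java version "1.4.2_38"',
        'openjdk version "11.0.2" 2019-01-15',
        'bash: java: command not found',
    ]
    for sample in samples:
        print(f"{sample.splitlines()[0]!r:60} -> {classify(sample)}")
    status, line = check_local_java()
    print(f"local java: {line!r} -> {status}")
```

The check covers only the JDK/JRE/SDK families named in the bulletin; JavaFX 2.1 does not appear in `java -version` output and must be inventoried separately. On a fleet, run `check_local_java()` through your configuration-management or EDR scripting channel and treat "affected" and "unknown" as hosts needing attention.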


REFERENCES

        [1] Oracle Java SE Critical Patch Update Advisory - June 2012
            http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

        [2] Text Form of Oracle Java SE Critical Patch Update - June 2012 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/javacpujun2012verbose-1515971.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----