Date: 20 February 2013
References: ESB-2013.0161 ESB-2013.0177 ESB-2013.0183 ESB-2013.0204 ESB-2013.0205 ESB-2013.0229 ESB-2013.0230 ESB-2013.0231 ESB-2013.0233 ESB-2013.0234 ESB-2013.0235 ESB-2013.0282 ESB-2013.0316 ESB-2013.0360 ESB-2013.0361 ESB-2013.0362 ESB-2013.0366 ESB-2013.0383 ESB-2013.0399 ESB-2013.0401 ESB-2013.0404 ESB-2013.0411 ESB-2013.0439 ESB-2013.0483 ESB-2013.0486 ESB-2013.0496 ESB-2013.0546 ESB-2013.0548 ESB-2013.0601 ESB-2013.0612 ESB-2013.0629 ESB-2013.0634 ESB-2013.0635 ESB-2013.0636 ESB-2013.0642 ESB-2013.0646 ESB-2013.0648 ESB-2013.0652
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0025
A number of vulnerabilities have been identified in Oracle Java
20 February 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle JDK and JRE 7 Update 13 and earlier
Oracle JDK and JRE 6 Update 39 and earlier
Oracle JDK and JRE 5.0 Update 39 and earlier
Oracle SDK and JRE 1.4.2_41 and earlier
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Overwrite Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-1487 CVE-2013-1486 CVE-2013-1485
CVE-2013-1484 CVE-2013-0169
Member content until: Friday, March 22 2013
Reference: ESB-2013.0205
ESB-2013.0204
ESB-2013.0183
ESB-2013.0177
ESB-2013.0161
Comment: Oracle has stated: "Due to the threat posed by a successful
attack, Oracle strongly recommends that customers apply CPU fixes as
soon as possible."
OVERVIEW
A number of vulnerabilities have been identified in Oracle Java JDK and
JRE 7 Update 13 and earlier, JDK and JRE 6 Update 39 and earlier,
JDK and JRE 5.0 Update 39 and earlier, and SDK and JRE 1.4.2_41 and
earlier. [1]
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
CVE-2013-0169: "Vulnerability in the Java Runtime Environment
component of Oracle Java SE (subcomponent: JSSE). Supported versions
that are affected are 7 Update 13 and before, 6 Update 39 and
before, 5.0 Update 39 and before and 1.4.2_41 and before. Difficult
to exploit vulnerability allows successful unauthenticated network
attacks via SSL/TLS. Successful attack of this vulnerability can
result in unauthorized read access to a subset of Java Runtime
Environment accessible data." [2]
CVE-2013-1484: "Vulnerability in the Java Runtime Environment
component of Oracle Java SE (subcomponent: Libraries). Supported
versions that are affected are 7 Update 13 and before. Easily
exploitable vulnerability allows successful unauthenticated network
attacks via multiple protocols. Successful attack of this
vulnerability can result in unauthorized Operating System takeover
including arbitrary code execution." [2]
CVE-2013-1485: "Vulnerability in the Java Runtime Environment
component of Oracle Java SE (subcomponent: Libraries). Supported
versions that are affected are 7 Update 13 and before. Easily
exploitable vulnerability allows successful unauthenticated network
attacks via multiple protocols. Successful attack of this
vulnerability can result in unauthorized update, insert or delete
access to some Java Runtime Environment accessible data." [2]
CVE-2013-1486: "Vulnerability in the Java Runtime Environment
component of Oracle Java SE (subcomponent: JMX). Supported versions
that are affected are 7 Update 13 and before, 6 Update 39 and before
and 5.0 Update 39 and before. Easily exploitable vulnerability
allows successful unauthenticated network attacks via multiple
protocols. Successful attack of this vulnerability can result in
unauthorized Operating System takeover including arbitrary code
execution." [2]
CVE-2013-1487: "Vulnerability in the Java Runtime Environment
component of Oracle Java SE (subcomponent: Deployment). Supported
versions that are affected are 7 Update 13 and before and 6 Update
39 and before. Easily exploitable vulnerability allows successful
unauthenticated network attacks via multiple protocols. Successful
attack of this vulnerability can result in unauthorized Operating
System takeover including arbitrary code execution." [2]
MITIGATION
The vendor has released fixed versions in the Updated Release of the
February 2013 Java SE Critical Patch Update [1] and recommends updating
affected JDK and JRE installations to the latest version to correct these
issues. Note that a single host frequently carries more than one Java
runtime (a system JRE, a browser plugin, and JREs bundled privately with
applications); every copy whose version falls inside the affected ranges
listed above needs to be updated, not only the one first on the PATH.
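As an added example (not part of the AusCERT bulletin or of Oracle's advisory), the following POSIX shell check classifies a `java -version` string against the affected ranges stated above: 7 Update 13, 6 Update 39, 5.0 Update 39 and 1.4.2_41 and earlier. The "1.<family>.<minor>_<update>" version format, the function names and the sample output are assumptions of this example, not something taken from the bulletin.

```shell
#!/bin/sh
# Added example, not part of the AusCERT bulletin: decide whether a Java
# version string falls inside the affected ranges this bulletin lists.
# Assumes the "1.<family>.<minor>_<update>" format that `java -version`
# prints for these releases (e.g. 1.7.0_13, 1.4.2_41).

# Highest affected update number per Java family, taken from the bulletin.
# Prints nothing for families the bulletin does not cover.
max_affected_update() {
    case "$1" in
        7) echo 13 ;;   # JDK/JRE 7 Update 13 and earlier
        6) echo 39 ;;   # JDK/JRE 6 Update 39 and earlier
        5) echo 39 ;;   # JDK/JRE 5.0 Update 39 and earlier
        4) echo 41 ;;   # SDK/JRE 1.4.2_41 and earlier
    esac
}

# Pull the quoted version out of `java -version` output read from stdin,
# e.g.  java version "1.7.0_13"  ->  1.7.0_13
java_version_from_output() {
    sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Exit status: 0 = affected (update needed), 1 = newer than the affected
# range, 2 = unparseable or a family this bulletin does not cover.
java_affected() {
    ver=$1
    # Split "1.7.0_13-b20" into the family ("7") and update ("13") fields;
    # anything after the update number (build tags) is ignored.
    set -- $(printf '%s\n' "$ver" | sed -n 's/^1\.\([0-9]\)\.[0-9]_\([0-9][0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || return 2
    max=$(max_affected_update "$1")
    [ -n "$max" ] || return 2
    [ "$2" -le "$max" ]
}

# Classify a full `java -version` output block read from stdin and print a
# one-line verdict; exit status is the same as java_affected.
classify_java_output() {
    ver=$(java_version_from_output)
    if [ -z "$ver" ]; then
        echo "no parseable 'version' line found"
        return 2
    fi
    rc=0
    java_affected "$ver" || rc=$?
    case $rc in
        0) echo "$ver: AFFECTED, at or below this bulletin's cutoff for its family" ;;
        1) echo "$ver: newer than the affected range" ;;
        *) echo "$ver: version family not covered by this bulletin" ;;
    esac
    return $rc
}

# Constructed sample of `java -version` output (not captured from a real host).
SAMPLE_OUTPUT='java version "1.7.0_13"
Java(TM) SE Runtime Environment (build 1.7.0_13-b20)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_java_output

# Against the JVM on this host (java -version writes to stderr):
#   java -version 2>&1 | classify_java_output
# Repeat for every other JRE on the host by giving the full path to its
# java binary instead of relying on the PATH.
```

The check deliberately reports a third state for versions it cannot map onto the bulletin (a missing update field, or a family such as 1.3 that the bulletin does not list), so that an unexpected string is flagged for a human rather than silently passed as "not affected".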
REFERENCES
[1] Updated Release of the February 2013 Oracle Java SE Critical Patch
Update
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
[2] Text Form of the Updated Release for the February 2013 Oracle Java
SE Critical Patch Update - Risk Matrices
http://www.oracle.com/technetwork/topics/security/javacpufeb2013updateverbose-1905895.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----