copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ASB-2012.0024.2 - UPDATE [Win][UNIX/Linux] Oracle JDK, JRE, SDK, and JavaFX: Multiple vulnerabilities

Date: 04 April 2012
References: ASB-2012.0009  ESB-2012.0171  ASB-2012.0023.2  ESB-2012.0199  ESB-2012.0229  ESB-2012.0327  ESB-2012.0339  ESB-2012.0343  ESB-2012.0398  ESB-2012.0504  
ESB-2012.0509  ESB-2012.0679  ESB-2012.0937  ESB-2012.1214  ASB-2013.0007  ESB-2013.0322  ESB-2013.0619  ESB-2014.0250.2  ESB-2013.1179  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2012.0024.2
       Oracle Java SE Critical Patch Update Advisory - February 2012
                               4 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Oracle JDK
                  Oracle JRE
                  Oracle SDK
                  Oracle JavaFX
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access:    Access Privileged Data -- Remote with User Interaction
                  Modify Arbitrary Files -- Remote with User Interaction
                  Denial of Service      -- Remote/Unauthenticated      
                  Unauthorised Access    -- Remote with User Interaction
                  Reduced Security       -- Unknown/Unspecified         
Resolution:       Patch/Upgrade
CVE Names:        CVE-2012-0508 CVE-2012-0506 CVE-2012-0505
                  CVE-2012-0504 CVE-2012-0503 CVE-2012-0502
                  CVE-2012-0501 CVE-2012-0500 CVE-2012-0499
                  CVE-2012-0498 CVE-2012-0497 CVE-2011-5035
                  CVE-2011-3571 CVE-2011-3563 
Reference:        ASB-2012.0023
                  ASB-2012.0009
                  ESB-2012.0171

Comment: April 2012: CVE-2012-0507 is being actively exploited in the wild.

Revision History: April     4 2012: Rev 2. Replaced CVE-2011-3571 with CVE-2012-0507
                  February 16 2012: Initial Release

OVERVIEW

        Oracle have released updates which correct vulnerabilities in their
        products. [1]


IMPACT

        Details of the vulnerabilities have not been specified by Oracle,
        however the referenced ESB-2012.0171 includes some more
        information.
        
        Oracle have advised the following products are affected: [1]
        
        JDK and JRE 7 Update 2 and earlier
        JDK and JRE 6 Update 30 and earlier
        JDK and JRE 5.0 Update 33 and earlier
        SDK and JRE 1.4.2_35 and earlier
        JavaFX 2.0.2 and earlier


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon
        as possible." [1]
        
        Patches are available on the Oracle website. [1]


REFERENCES

        [1] Oracle Java SE Critical Patch Update Advisory - February 2012
            http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT3uqMO4yVqjM2NGpAQKtGw//b0uLlNCZQYfT+mIRaS9kUMLV+eHz4+bG
seYdivOGU0u1DGNyjFP1TCuDXA7VwAPGYcafYbM30wlYeEW8Qw7Qwc/0jzEOymDL
1ngpM0uxRIJ+p0eeI6CVeia11NmbQ5VZQ34nT+NLPJDwmsKtXvHTOG1J48gFO0q6
Xp+6KJxCnh5IbyxQIPwH0NQYIgQhIaXut3Pv84FwXwb/H5wv5HL+YPAuLRhpIF60
8eiYQVKoBTOvQkUv6nJ9KhJ/Mx0gLrrNzWrMDZUlM36r3VJMbjc/ijntR9XYYPUk
XyPDAN2k7sE0HF2sXAwggJ2hDIq8383BGKTR5/zUxjUrKK6/riMpBqObRRJOauyR
lbN3NShx46RomXy7PTLkU+qN1MIaR0I71L3pzDTmi8UgPBumx0ZNdXcCK6SfkNMD
anV+4s+DYrgH6ipufgo1cyrgfU04ppjE9+CPZsQoZpcSgcorYRrAU6hCwnxkMPRZ
MNalOWNDn7vsrTSLIpnPwgB7vuCFPxTD6MNohcj1iAnYzISYGJD5kQOFZZFYrU2K
IEHtHGSADT9MKS/qY+V4SL6K251x0taP4lI2elXNYGEjzr9U6ohIQ4sPWf03YqwA
4fQPRYBcI2Z7PGzdI35CjBFUC4apQmhHC4e8wAloeKllKSt1/ISemidHA1eftEOH
7AJAYsJRucM=
=oUv+
-----END PGP SIGNATURE-----