ASB-2012.0144 - ALERT [Win][UNIX/Linux] Oracle JDK, JRE, SDK, and JavaFX: Multiple vulnerabilities
Date: 17 October 2012
Original URL: http://www.auscert.org.au/render.html?cid=32&it=16480
References: ESB-2012.0998 ESB-2012.0999 ESB-2012.1003 ESB-2012.1004
            ESB-2012.1090 ESB-2012.1147 ESB-2012.1168 ESB-2012.1187
            ESB-2013.0021 ESB-2013.0051 ESB-2013.0053 ESB-2013.0123
            ESB-2013.0156 ESB-2013.0157 ESB-2013.0276 ESB-2013.0298
            ESB-2013.0322 ESB-2013.0330 ESB-2013.0356 ESB-2013.0432
            ESB-2013.0437 ESB-2013.0589 ESB-2013.0619 ESB-2013.0621
            ESB-2013.0646 ESB-2013.0653
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0144
Oracle Java SE Critical Patch Update Advisory - October 2012
17 October 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           JDK and JRE 7 Update 7 and earlier
                   JDK and JRE 6 Update 35 and earlier
                   JDK and JRE 5.0 Update 36 and earlier
                   SDK and JRE 1.4.2_38 and earlier
                   JavaFX 2.2 and earlier
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5089 CVE-2012-5088 CVE-2012-5087
                   CVE-2012-5086 CVE-2012-5085 CVE-2012-5084
                   CVE-2012-5083 CVE-2012-5082 CVE-2012-5081
                   CVE-2012-5080 CVE-2012-5079 CVE-2012-5078
                   CVE-2012-5077 CVE-2012-5076 CVE-2012-5075
                   CVE-2012-5074 CVE-2012-5073 CVE-2012-5072
                   CVE-2012-5071 CVE-2012-5070 CVE-2012-5069
                   CVE-2012-5068 CVE-2012-5067 CVE-2012-4416
                   CVE-2012-3216 CVE-2012-3159 CVE-2012-3143
                   CVE-2012-1533 CVE-2012-1532 CVE-2012-1531
Member content until: Friday, November 16 2012
OVERVIEW
Oracle has released the Java SE Critical Patch Update Advisory for
October 2012. [1]
IMPACT
Oracle has published 30 new security fixes for Oracle Java SE, 29 of
which may be remotely exploited without authentication, and 10 with
CVSS scores of 10.0. [1]
A Text Form of the Risk Matrix provides a more comprehensive overview
of the vulnerabilities and their impact. [2]
MITIGATION
Oracle states that "Due to the threat posed by a successful attack,
Oracle strongly recommends that customers apply CPU fixes as soon as
possible." [1]
All users should apply the patches available on the Oracle website;
however, there are also some workarounds. According to Oracle, "it may
be possible to reduce the risk of successful attack by restricting
network protocols required by an attack. For attacks that require
certain privileges or access to certain packages, removing the
privileges or the ability to access the packages from unprivileged
users may help reduce the risk of successful attack." However, doing so
may affect application functionality, so customers should test
thoroughly in a non-production environment first. Oracle also
emphasises that this workaround is not a permanent solution. [1]
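Before applying the patches, an administrator usually wants to know which hosts
still run a release inside the affected ranges listed in the summary above. The
following check is an added example and not part of the AusCERT bulletin or of
Oracle's advisory; it parses the classic `1.x.y_uu` string printed by
`java -version` and compares the update number against the last affected update
for each family named in this bulletin. The sample banners are constructed.

```python
import re
from typing import Optional, Tuple

# Last affected update per family, taken from the Product list of
# ASB-2012.0144. Java 5.0/6/7 report as 1.5/1.6/1.7 in the version string.
LAST_AFFECTED_UPDATE = {
    (1, 7, 0): 7,    # JDK and JRE 7 Update 7 and earlier
    (1, 6, 0): 35,   # JDK and JRE 6 Update 35 and earlier
    (1, 5, 0): 36,   # JDK and JRE 5.0 Update 36 and earlier
    (1, 4, 2): 38,   # SDK and JRE 1.4.2_38 and earlier
}

# Matches e.g. 'java version "1.7.0_07"'; the _uu update suffix is optional.
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) from `java -version` output.

    A string with no _uu suffix is treated as update 0. Returns None when
    the banner does not contain a recognisable version string."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch, update = match.groups()
    return int(major), int(minor), int(patch), int(update or 0)


def is_affected(banner: str) -> Optional[bool]:
    """True if the release is inside a range this bulletin lists as affected,
    False if it is newer than the listed range or from a family the bulletin
    does not name, None if the banner could not be parsed."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, minor, patch, update = parsed
    limit = LAST_AFFECTED_UPDATE.get((major, minor, patch))
    if limit is None:
        return False
    return update <= limit


if __name__ == "__main__":
    # Constructed sample banners, one per host.
    for host, banner in [("host-a", 'java version "1.7.0_07"'),
                         ("host-b", 'java version "1.6.0_37"'),
                         ("host-c", 'java version "1.4.2_38"')]:
        print(host, "AFFECTED" if is_affected(banner) else "not affected")
```

On a real fleet the banner comes from running `java -version` on each host (it prints to stderr), and a `None` result should be reported rather than silently treated as safe.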
REFERENCES
[1] Oracle Java SE Critical Patch Update Advisory - October 2012
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
[2] Text Form of Risk Matrix for Oracle Java SE
http://www.oracle.com/technetwork/topics/security/javacpuoct2012verbose-1515981.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================