Date: 14 January 2013
References: ESB-2013.0067.2 ESB-2013.0074 ESB-2013.0085 ESB-2013.0483
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0006
Oracle releases Security Alert for CVE-2013-0422
14 January 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: JDK and JRE 7 Update 10 and earlier
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
                  Mobile Device
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0422 CVE-2012-3174
Member content until: Wednesday, February 13 2013
Reference: ESB-2013.0067
Comment: The vulnerability CVE-2013-0422 is currently being widely exploited in
         malware kits, and the details of this vulnerability are publicly
         documented and freely available.
OVERVIEW
Oracle has released a Security Alert for CVE-2013-0422 to fix this
vulnerability and a second one (CVE-2012-3174) in Oracle Java SE, both of
which carry a CVSS base score of 10.0. [1]
IMPACT
Oracle has published updates for the Oracle Java SE product group.
The exploitable vulnerabilities apply to Java running in web browsers
and on desktops. The Security Alert contains 2 new security fixes for
Oracle Java SE. Both vulnerabilities, when exploited, allow arbitrary
code to be executed.
Included with this update is a change to the default Java Security
Level setting, from "Medium" to "High". With this new setting users
will always be prompted before any unsigned Java applet or Java Web
Start application is run. [1]
MITIGATION
Due to the high severity of the vulnerabilities, Oracle strongly
recommends that customers apply this update as soon as possible.
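To decide whether a host still falls under this alert, the first thing an administrator needs is the installed Java version, which is only available as the text `java -version` prints (to stderr). The following is an added example, not code from AusCERT or Oracle: it parses that text, reports whether the build is JDK/JRE 7 Update 10 or earlier, and checks a deployment.properties file for the security level this update raises to "High". The sample version strings are constructed for the example, and the `deployment.security.level` key with values LOW/MEDIUM/HIGH/VERY_HIGH is assumed to be the property the Java 7u10 control panel writes; verify it against your own installation.

```python
import re
import subprocess

# Scope of this alert: JDK and JRE 7 Update 10 and earlier. The fixed release
# is 7 Update 11, so a 1.7.0 build with update < 11 is affected.
AFFECTED_FAMILY = (1, 7)
FIRST_FIXED_UPDATE = 11

# First line of `java -version` looks like one of (constructed samples):
#   java version "1.7.0_10"
#   openjdk version "1.7.0_09"
#   java version "1.7.0_10-b18"      (some builds append a build tag)
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"'
)


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from `java -version` text.

    Returns None if no version string is found. A missing "_NN" update
    component is treated as update 0 (a base release).
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def is_affected(output):
    """True if the reported Java is 7u10 or earlier, i.e. covered by this alert.

    Returns None when the output cannot be parsed. Other major versions
    (for example 1.6.x) are outside the scope of this alert and return False;
    that is not a statement that they are free of other issues.
    """
    v = parse_java_version(output)
    if v is None:
        return None
    major, minor, _micro, update = v
    return (major, minor) == AFFECTED_FAMILY and update < FIRST_FIXED_UPDATE


# Assumed property name and value set for the Java 7u10 security slider.
_ACCEPTABLE_LEVELS = {"HIGH", "VERY_HIGH"}


def security_level_is_high(properties_text):
    """Check deployment.properties text for a security level of HIGH or above.

    Lines are "key=value"; '#' starts a comment. An unset key is reported as
    False because the pre-update default was MEDIUM.
    """
    level = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "deployment.security.level":
            level = value.strip().upper()
    return level in _ACCEPTABLE_LEVELS


def installed_java_version_output():
    """Run `java -version` on this host and return its (stderr) output."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    out = installed_java_version_output()
    status = is_affected(out)
    print(out.splitlines()[0] if out else "(no java found)")
    print("affected by this alert:", status)
```

Run it on each host you manage and treat `None` (no parsable version) as "unknown", not as "safe"; a host with several JREs installed needs the check run against each one, since the browser plugin may not be the `java` first on the PATH.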
REFERENCES
[1] Oracle Security Alert for CVE-2013-0422
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----