ASB-2013.0025 - ALERT [Win][UNIX/Linux] Oracle Java: Multiple vulnerabilities

Date: 20 February 2013
References: ESB-2013.0841  ESB-2013.0161  ESB-2013.0177  ESB-2013.0183  ESB-2013.0204  ESB-2013.0205  ESB-2013.0229  ESB-2013.0230  ESB-2013.0231  ESB-2013.0233  
ESB-2013.0234  ESB-2013.0235  ESB-2013.0282  ESB-2013.0316  ESB-2013.0360  ESB-2013.0361  ESB-2013.0362  ESB-2013.0366  ESB-2013.0383  ESB-2013.0399.2  ESB-2013.0401  
ESB-2013.0404  ESB-2013.0411  ESB-2013.0439  ESB-2013.0483  ESB-2013.0486  ESB-2013.0496  ESB-2013.0546  ESB-2013.0548  ESB-2013.0601.2  ESB-2013.0612  ESB-2013.0629  
ESB-2013.0634  ESB-2013.0635  ESB-2013.0636  ESB-2013.0642  ESB-2013.0646  ESB-2013.0648  ESB-2013.0652  ESB-2013.0671  ESB-2013.0689  ESB-2013.0690  ESB-2013.0712  
ESB-2013.0728  ESB-2013.0744  ESB-2013.0749  ESB-2013.0767  ESB-2013.0768  ESB-2013.0769  ESB-2013.0782  ESB-2013.0803  ESB-2013.0807  ESB-2013.0808  ESB-2013.0820  
ESB-2013.0834  ESB-2013.0846  ESB-2013.0870  ESB-2013.0916  ESB-2013.0924  ESB-2013.0932  ESB-2013.0935  ESB-2013.0980  ESB-2013.1065  ESB-2013.1066  ESB-2013.1067  
ESB-2013.1077  ESB-2013.1082  ESB-2013.1094  ESB-2013.1195  ESB-2013.1223  ESB-2013.1240  ESB-2013.1268  ESB-2013.1275  ESB-2013.1282  ESB-2013.1402  ESB-2013.1448  
ESB-2013.1449  ASB-2013.0113  ESB-2013.1535  ESB-2013.1539  ESB-2013.1710  ESB-2014.0359  ESB-2014.0752  ESB-2014.1585  


===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0025
      A number of vulnerabilities have been identified in Oracle Java
                             20 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle JDK and JRE 7 Update 13 and earlier
                      Oracle JDK and JRE 6 Update 39 and earlier
                      Oracle JDK and JRE 5.0 Update 39 and earlier
                      Oracle SDK and JRE 1.4.2_41 and earlier
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Overwrite Arbitrary Files       -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1487 CVE-2013-1486 CVE-2013-1485
                      CVE-2013-1484 CVE-2013-0169 
Member content until: Friday, March 22 2013
Reference:            ESB-2013.0205
                      ESB-2013.0204
                      ESB-2013.0183
                      ESB-2013.0177
                      ESB-2013.0161

Comment: Oracle has stated: "Due to the threat posed by a successful 
         attack, Oracle strongly recommends that customers apply CPU fixes as
         soon as possible."

OVERVIEW

        A number of vulnerabilities have been identified in Oracle Java JDK and
        JRE 7 Update 13 and earlier, JDK and JRE 6 Update 39 and earlier,
        JDK and JRE 5.0 Update 39 and earlier, and SDK and JRE 1.4.2_41 and 
        earlier. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        CVE-2013-0169: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JSSE). Supported versions
        that are affected are 7 Update 13 and before, 6 Update 39 and 
        before, 5.0 Update 39 and before and 1.4.2_41 and before. Difficult
        to exploit vulnerability allows successful unauthenticated network 
        attacks via SSL/TLS. Successful attack of this vulnerability can 
        result in unauthorized read access to a subset of Java Runtime 
        Environment accessible data." [2]
        
        CVE-2013-1484: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Libraries). Supported 
        versions that are affected are 7 Update 13 and before. Easily 
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        CVE-2013-1485: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Libraries). Supported 
        versions that are affected are 7 Update 13 and before. Easily 
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some Java Runtime Environment accessible data." [2]
        
        CVE-2013-1486: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JMX). Supported versions
        that are affected are 7 Update 13 and before, 6 Update 39 and before
        and 5.0 Update 39 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        CVE-2013-1487: "Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 13 and before and 6 Update 
        39 and before. Easily exploitable vulnerability allows successful 
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]


MITIGATION

        The vendor recommends updating to the latest version of Java to
        correct these issues.
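        As an added example (not part of the AusCERT bulletin or Oracle's
        advisory), the following Python script parses the banner printed by
        `java -version` and compares it against the affected version ceilings
        listed in the summary above, so an administrator can tell whether a
        given installation still needs the update. The sample banners in the
        block are constructed, and the `assess`/`is_affected` names are this
        example's own.

```python
import re
import subprocess

# Upper bound of each affected release line, as listed in the bulletin summary.
# The JVM reports "7 Update 13" as "1.7.0_13", so tuples are (major, minor, micro, update).
AFFECTED_UPTO = {
    (1, 7): (1, 7, 0, 13),   # JDK/JRE 7 Update 13 and earlier
    (1, 6): (1, 6, 0, 39),   # JDK/JRE 6 Update 39 and earlier
    (1, 5): (1, 5, 0, 39),   # JDK/JRE 5.0 Update 39 and earlier
    (1, 4): (1, 4, 2, 41),   # SDK/JRE 1.4.2_41 and earlier
}

_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text, e.g. '1.7.0_13' -> (1, 7, 0, 13)."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no Java version string found in: %r" % output)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_affected(version):
    """True if the version is at or below the bulletin's ceiling for its release line.
    Release lines the bulletin does not list (such as a later Java 8) return False."""
    ceiling = AFFECTED_UPTO.get(version[:2])
    return ceiling is not None and version <= ceiling


def assess(output):
    """Parse `java -version` output and return (version_tuple, affected_flag)."""
    version = parse_java_version(output)
    return version, is_affected(version)


def local_java_version_output():
    """Run the installed `java -version`; the JVM prints its banner on stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners standing in for real `java -version` output.
    samples = [
        'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b20)',
        'java version "1.6.0_41"\nJava(TM) SE Runtime Environment (build 1.6.0_41-b02)',
    ]
    for banner in samples:
        version, affected = assess(banner)
        label = "%d.%d.%d_%d" % version
        print(label, "->", "AFFECTED, update per ASB-2013.0025" if affected else "not in affected range")
```

        To check a live host, pass `local_java_version_output()` to `assess`
        instead of the constructed banners.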


REFERENCES

        [1] Updated Release of the February 2013 Oracle Java SE Critical Patch
            Update
            http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

        [2] Text Form of the Updated Release for the February 2013 Oracle Java
            SE Critical Patch Update - Risk Matrices
            http://www.oracle.com/technetwork/topics/security/javacpufeb2013updateverbose-1905895.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================