copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
Security Bul...
»
AusCERT Secu...
» ASB-2013.0034 - ALERT [Win][UNIX/Linux] Oracle Java:...
ASB-2013.0034 - ALERT [Win][UNIX/Linux] Oracle Java: Execute arbitrary code/commands - Remote with user interaction
Date:
05 March 2013
References
:
ESB-2013.0314
ESB-2013.0335
ESB-2013.0336
ESB-2013.0337
ESB-2013.0338
ESB-2013.0340
ESB-2013.0360
ESB-2013.0361
ESB-2013.0362
ESB-2013.0401
ESB-2013.0428
ESB-2013.0439
ESB-2013.0483
ESB-2013.0485
ESB-2013.0496
ESB-2013.0546
ESB-2013.0636
ESB-2013.0642
ESB-2013.0646
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2013.0034 New vulnerabilities in Java Runtime Environment can result in arbitrary code execution 5 March 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Oracle Java Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2013-1493 CVE-2013-0809 Member content until: Thursday, April 4 2013 Comment: Oracle has stated that they have received reports of CVE-2013-1493 being exploited in the wild. AusCERT recommends that administrators apply the updates as soon as possible. OVERVIEW New vulnerabilities have been discovered in the Java Runtime Environment component of Oracle Java SE, which can result in arbitrary code execution in all previous versions of Java. [1, 2] IMPACT Oracle advises that these vulnerabilities may be remotely expoited without authentication. Oracle advises that: "For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities." [1] Furthermore, Oracle notes that: "Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution." [2] Oracle also notes that: "This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets." [2] MITIGATION Oracle strongly recommends that customers update to the latest version of Java - JDK 7 Update 17 as soon as possible. [1] JDK 6 Update 43 has been made available by Oracle to mitigate these vulnerabilities for those customers who have not migrated to JDK 7. [3] However, Oracle notes that: "This release is the last of publicly available JDK 6 Updates. Oracle recommends that users migrate to JDK 7 in order to continue receiving public updates and security enhancements." [3] REFERENCES [1] Oracle Security Alert for CVE-2013-1493 http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html [2] Text Form of Oracle Security Alert - CVE-2013-1493 Risk Matrices http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493verbose-1915091.html [3] Update Release Notes http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUTVP4u4yVqjM2NGpAQLLAA//S2PgS7UcvZKL2zUVvHdcukJez07AJRUF nKch64+5loJlvenSSvSbXOAkgiE2btBV+a87SMK0a+8BCFFk9nIBt72gtCAUbXiL 7hi2EvtdTSy4mBs8IIeEtOoHZS7ccBvajMvp+GJQaQH7T5BI0kLBQq9TikUFnpKv EepDLFTSwjPxD0uX6CwbsW483TtX7SeTgCqPRglX2M1PKcDW5x573zrQZ6GtR7iG jGab4H2rbasOIzPQAPjNI/f6YX74Htyya/HuTvF48vmhPeXINaoUxMIZ78P+bzPY czyw0CzFMV8Z6ONUg5yNMcWYKPHZbuL7lfhnMqL8haIiI4V5qm9clH/Gjo67B+DU 042JqbqFHpt0YTDM96g8Zr5QmybgW2jLjgGG8AZx0+LEZSnM8OQhFBFphokMKE37 39sPhE0hlBNr6jshZyfxKw4z2XsyUPXuA1TtHn1+r1Y5BMwG37DEqUOQ9EVdLodf v+MhWd5KV7tWeRANWxL2py9EhU075HEWsjK3YvvtyorP3J96+qk9CK/wmWvHOvvG nCZ6sTvSar/bUCNM47pDFDqnpbjGFQibV8qhYR1oxSRQe5h3wM+1fHixg6r2XHr+ x4w/ouiO1LvxBhhHMHMas2OjCXz5LvyeLB+GE9eX2m5ZrRN9gFAmb3gXoZquEkom S9WiY9ggvTw= =+67C -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=10415&it=17121