AusCERT - ASB-2013.0034 - ALERT [Win][UNIX/Linux] Oracle Java: Execute arbitrary code/commands

ASB-2013.0034 - ALERT [Win][UNIX/Linux] Oracle Java: Execute arbitrary code/commands - Remote with user interaction

Date: 05 March 2013
Original URL: http://www.auscert.org.au/render.html?cid=10415&it=17121
References: ESB-2013.0314 ESB-2013.0335 ESB-2013.0336 ESB-2013.0337 ESB-2013.0338 ESB-2013.0340 ESB-2013.0360 ESB-2013.0361 ESB-2013.0362 ESB-2013.0401
ESB-2013.0428 ESB-2013.0439 ESB-2013.0483 ESB-2013.0485 ESB-2013.0496 ESB-2013.0546 ESB-2013.0636 ESB-2013.0642 ESB-2013.0646

Click here for PGP verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0034
        New vulnerabilities in Java Runtime Environment can result
                        in arbitrary code execution
                               5 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Java
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1493 CVE-2013-0809 
Member content until: Thursday, April  4 2013

Comment: Oracle has stated that they have received reports of CVE-2013-1493 
         being exploited in the wild. AusCERT recommends that administrators 
         apply the updates as soon as possible.

OVERVIEW

        New vulnerabilities have been discovered in the Java Runtime 
        Environment component of Oracle Java SE, which can result in arbitrary 
        code execution in all previous versions of Java. [1, 2]


IMPACT

        Oracle advises that these vulnerabilities may be remotely expoited
        without authentication. Oracle advises that: "For an exploit to be 
        successful, an unsuspecting user running an affected release in a 
        browser must visit a malicious web page that leverages these 
        vulnerabilities." [1]
        
        Furthermore, Oracle notes that: "Successful attack of this vulnerability 
        can result in unauthorized Operating System takeover including arbitrary
        code execution." [2]
        
        Oracle also notes that: "This vulnerability can be exploited only through 
        untrusted Java Web Start applications and untrusted Java applets." [2]


MITIGATION

        Oracle strongly recommends that customers update to the latest version
        of Java - JDK 7 Update 17 as soon as possible. [1]
        
        JDK 6 Update 43 has been made available by Oracle to mitigate these
        vulnerabilities for those customers who have not migrated to JDK 7. [3]
        
        However, Oracle notes that: "This release is the last of publicly 
        available JDK 6 Updates. Oracle recommends that users migrate to JDK 7 
        in order to continue receiving public updates and security 
        enhancements." [3]


REFERENCES

        [1] Oracle Security Alert for CVE-2013-1493
            http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

        [2] Text Form of Oracle Security Alert - CVE-2013-1493 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493verbose-1915091.html

        [3] Update Release Notes
            http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUTVP4u4yVqjM2NGpAQLLAA//S2PgS7UcvZKL2zUVvHdcukJez07AJRUF
nKch64+5loJlvenSSvSbXOAkgiE2btBV+a87SMK0a+8BCFFk9nIBt72gtCAUbXiL
7hi2EvtdTSy4mBs8IIeEtOoHZS7ccBvajMvp+GJQaQH7T5BI0kLBQq9TikUFnpKv
EepDLFTSwjPxD0uX6CwbsW483TtX7SeTgCqPRglX2M1PKcDW5x573zrQZ6GtR7iG
jGab4H2rbasOIzPQAPjNI/f6YX74Htyya/HuTvF48vmhPeXINaoUxMIZ78P+bzPY
czyw0CzFMV8Z6ONUg5yNMcWYKPHZbuL7lfhnMqL8haIiI4V5qm9clH/Gjo67B+DU
042JqbqFHpt0YTDM96g8Zr5QmybgW2jLjgGG8AZx0+LEZSnM8OQhFBFphokMKE37
39sPhE0hlBNr6jshZyfxKw4z2XsyUPXuA1TtHn1+r1Y5BMwG37DEqUOQ9EVdLodf
v+MhWd5KV7tWeRANWxL2py9EhU075HEWsjK3YvvtyorP3J96+qk9CK/wmWvHOvvG
nCZ6sTvSar/bUCNM47pDFDqnpbjGFQibV8qhYR1oxSRQe5h3wM+1fHixg6r2XHr+
x4w/ouiO1LvxBhhHMHMas2OjCXz5LvyeLB+GE9eX2m5ZrRN9gFAmb3gXoZquEkom
S9WiY9ggvTw=
=+67C
-----END PGP SIGNATURE-----