-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0058
             Oracle have released updates to correct security
                     vulnerabilities in Java products
                               17 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              JDK and JRE 7 Update 17 and earlier
                      JDK and JRE 6 Update 43 and earlier
                      JDK and JRE 5.0 Update 41 and earlier
                      JavaFX 2.2.7 and earlier
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-2440 CVE-2013-2439 CVE-2013-2438
                      CVE-2013-2436 CVE-2013-2435 CVE-2013-2434
                      CVE-2013-2433 CVE-2013-2432 CVE-2013-2431
                      CVE-2013-2430 CVE-2013-2429 CVE-2013-2428
                      CVE-2013-2427 CVE-2013-2426 CVE-2013-2425
                      CVE-2013-2424 CVE-2013-2423 CVE-2013-2422
                      CVE-2013-2421 CVE-2013-2420 CVE-2013-2419
                      CVE-2013-2418 CVE-2013-2417 CVE-2013-2416
                      CVE-2013-2415 CVE-2013-2414 CVE-2013-2394
                      CVE-2013-2384 CVE-2013-2383 CVE-2013-1569
                      CVE-2013-1564 CVE-2013-1563 CVE-2013-1561
                      CVE-2013-1558 CVE-2013-1557 CVE-2013-1540
                      CVE-2013-1537 CVE-2013-1518 CVE-2013-1491
                      CVE-2013-1488 CVE-2013-0402 CVE-2013-0401
Member content until: Friday, May 17 2013
Reference:            ASB-2013.0057
                      ESB-2013.0229

OVERVIEW

        Oracle have released updates to correct security vulnerabilities in
        the following Java products: JDK and JRE 7, JDK and JRE 6, JDK and JRE
        5.0, and JavaFX 2.2.7 and earlier. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "CVE-2013-0401 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: AWT). Supported versions
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Difficult to exploit vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized update, insert or delete access to some Java Runtime 
        Environment accessible data as well as read access to a subset of 
        Java Runtime Environment accessible data." [2]
        
        "CVE-2013-0402 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JavaFX). Supported 
        versions that are affected are 7 Update 17 and before and JavaFX 
        2.2.7 and before. Difficult to exploit vulnerability allows 
        successful unauthenticated network attacks via multiple protocols. 
        Successful attack of this vulnerability can result in unauthorized 
        Operating System takeover including arbitrary code execution." [2]
        
        "CVE-2013-1488 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Libraries). Supported 
        versions that are affected are 7 Update 17 and before. Difficult to
        exploit vulnerability allows successful unauthenticated network 
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-1491 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before, 6 Update 43 and 
        before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Easily
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-1518 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JAXP). Supported versions
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        "CVE-2013-1537 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: RMI). Supported versions
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        "CVE-2013-1540 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 17 and before and 6 Update 
        43 and before. Difficult to exploit vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized update, 
        insert or delete access to some Java Runtime Environment accessible
        data." [2]
        
        "CVE-2013-1557 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: RMI). Supported versions
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        "CVE-2013-1558 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Beans). Supported 
        versions that are affected are 7 Update 17 and before and 6 Update 
        43 and before. Easily exploitable vulnerability allows successful 
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-1561 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JavaFX). Supported 
        versions that are affected are 7 Update 17 and before and JavaFX 
        2.2.7 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized read access
        to a subset of Java Runtime Environment accessible data." [2]
        
        "CVE-2013-1563 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Install). Supported 
        versions that are affected are 7 Update 17 and before, 6 Update 43 
        and before and JavaFX 2.2.7 and before. Very difficult to exploit 
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can 
        result in unauthorized Operating System takeover including arbitrary
        code execution." [2]
        
        "CVE-2013-1564 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JavaFX). Supported 
        versions that are affected are 7 Update 17 and before and JavaFX 
        2.2.7 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized update, 
        insert or delete access to some Java Runtime Environment accessible
        data." [2]
        
        "CVE-2013-1569 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        "CVE-2013-2383 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        "CVE-2013-2384 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        "CVE-2013-2394 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before, 6 Update 43 and 
        before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Very 
        difficult to exploit vulnerability allows successful unauthenticated
        network attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-2414 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JavaFX). Supported 
        versions that are affected are 7 Update 17 and before and JavaFX 
        2.2.7 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2415 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JAX-WS). Supported 
        versions that are affected are 7 Update 17 and before. Easily 
        exploitable vulnerability requiring logon to Operating System. 
        Successful attack of this vulnerability can result in unauthorized 
        read access to a subset of Java Runtime Environment accessible 
        data." [2]
        
        "CVE-2013-2416 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 17 and before. Difficult to
        exploit vulnerability allows successful unauthenticated network 
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some Java Runtime Environment accessible data." [2]
        
        "CVE-2013-2417 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Networking). Supported 
        versions that are affected are 7 Update 17 and before, 6 Update 43 
        and before and 5.0 Update 41 and before. Easily exploitable 
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can 
        result in unauthorized ability to cause a partial denial of service
        (partial DOS) of Java Runtime Environment." [2]
        
        "CVE-2013-2418 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 17 and before and 6 Update 
        43 and before. Easily exploitable vulnerability requiring logon to 
        Operating System. Successful attack of this vulnerability can result
        in unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data as well as read access to a subset of 
        Java Runtime Environment accessible data and ability to cause a 
        partial denial of service (partial DOS) of Java Runtime 
        Environment." [2]
        
        "CVE-2013-2419 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized ability to cause a partial denial of service (partial 
        DOS) of Java Runtime Environment." [2]
        
        "CVE-2013-2420 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        "CVE-2013-2421 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: HotSpot). Supported 
        versions that are affected are 7 Update 17 and before. Difficult to
        exploit vulnerability allows successful unauthenticated network 
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-2422 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Libraries). Supported 
        versions that are affected are 7 Update 17 and before and 6 Update 
        43 and before. Easily exploitable vulnerability allows successful 
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2423 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Hotspot). Supported 
        versions that are affected are 7 Update 17 and before. Difficult to
        exploit vulnerability allows successful unauthenticated network 
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some Java Runtime Environment accessible data." [2]
        
        "CVE-2013-2424 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JMX). Supported versions
        that are affected are 7 Update 17 and before, 6 Update 43 and before
        and 5.0 Update 41 and before. Easily exploitable vulnerability 
        allows successful unauthenticated network attacks via multiple 
        protocols. Successful attack of this vulnerability can result in 
        unauthorized read access to a subset of Java Runtime Environment 
        accessible data." [2]
        
        "CVE-2013-2425 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Install). Supported 
        versions that are affected are 7 Update 17 and before. Easily 
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-2426 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Libraries). Supported 
        versions that are affected are 7 Update 17 and before. Difficult to
        exploit vulnerability allows successful unauthenticated network 
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-2427 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JavaFX). Supported 
        versions that are affected are 7 Update 17 and before and JavaFX 
        2.2.7 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2428 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JavaFX). Supported 
        versions that are affected are 7 Update 17 and before and JavaFX 
        2.2.7 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2429 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: ImageIO). Supported 
        versions that are affected are 7 Update 17 and before, 6 Update 43 
        and before and 5.0 Update 41 and before. Very difficult to exploit 
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can 
        result in unauthorized Operating System takeover including arbitrary
        code execution." [2]
        
        "CVE-2013-2430 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: ImageIO). Supported 
        versions that are affected are 7 Update 17 and before, 6 Update 43 
        and before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. 
        Very difficult to exploit vulnerability allows successful 
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2431 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Hotspot). Supported 
        versions that are affected are 7 Update 17 and before. Easily 
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-2432 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before, 6 Update 43 and 
        before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Easily
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-2433 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 17 and before and 6 Update 
        43 and before. Difficult to exploit vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized update, 
        insert or delete access to some Java Runtime Environment accessible
        data." [2]
        
        "CVE-2013-2434 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: 2D). Supported versions 
        that are affected are 7 Update 17 and before and JavaFX 2.2.7 and 
        before. Easily exploitable vulnerability allows successful 
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2435 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 17 and before and 6 Update 
        43 and before. Easily exploitable vulnerability allows successful 
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2436 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Libraries). Supported 
        versions that are affected are 7 Update 17 and before. Difficult to
        exploit vulnerability allows successful unauthenticated network 
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized Operating System takeover 
        including arbitrary code execution." [2]
        
        "CVE-2013-2438 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: JavaFX). Supported 
        versions that are affected are 7 Update 17 and before. Easily 
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some Java Runtime Environment accessible data." [2]
        
        "CVE-2013-2439 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Install). Supported 
        versions that are affected are 7 Update 17 and before, 6 Update 43 
        and before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. 
        Difficult to exploit vulnerability requiring logon to Operating 
        System. Successful attack of this vulnerability can result in 
        unauthorized Operating System takeover including arbitrary code 
        execution." [2]
        
        "CVE-2013-2440 Vulnerability in the Java Runtime Environment 
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 17 and before and 6 Update 
        43 and before. Easily exploitable vulnerability allows successful 
        unauthenticated network attacks via multiple protocols. Successful 
        attack of this vulnerability can result in unauthorized Operating 
        System takeover including arbitrary code execution." [2]


MITIGATION

        Oracle recommends updating to the latest version of the affected 
        Java products to correct these issues. [1]
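
The product table and the vendor's risk-matrix entries above give everything needed to decide whether a given Java SE install falls inside the affected ranges. The following script is an added example (not AusCERT's or Oracle's code): it parses entries in the exact text form quoted in the IMPACT section into structured records, extracts the "N Update M and before" ranges, and matches them against a legacy-format `java -version` string (1.7.0_17 style). The two sample entries embedded below are copied from this bulletin; the version strings in the test are constructed inputs. It assumes the vendor wording stays as quoted here and that `java -version` writes its banner to stderr, which Oracle's launcher does.

```python
import re
import subprocess

# Sample input: two entries copied from the bulletin's IMPACT section (Oracle's
# text-form risk matrix [2]).  Any number of entries in the same format can be
# pasted here.
SAMPLE_ENTRIES = '''
"CVE-2013-1491 Vulnerability in the Java Runtime Environment component of
Oracle Java SE (subcomponent: 2D). Supported versions that are affected are
7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41 and before and
JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful
unauthenticated network attacks via multiple protocols. Successful attack of
this vulnerability can result in unauthorized Operating System takeover
including arbitrary code execution." [2]

"CVE-2013-2415 Vulnerability in the Java Runtime Environment component of
Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected
are 7 Update 17 and before. Easily exploitable vulnerability requiring logon
to Operating System. Successful attack of this vulnerability can result in
unauthorized read access to a subset of Java Runtime Environment accessible
data." [2]
'''

# One quoted entry: CVE id, body, trailing reference marker.
ENTRY_RE = re.compile(r'"(CVE-\d{4}-\d+)\s(.*?)"\s*\[2\]', re.DOTALL)
# "affected are <ranges>. <exploitability phrase>"
AFFECTED_RE = re.compile(
    r'affected are (.*?)\.\s+'
    r'(Easily exploitable|Difficult to exploit|Very difficult to exploit)')
# Each Java SE range, e.g. "5.0 Update 41 and before"
JAVA_SE_RE = re.compile(r'(\d+(?:\.\d+)?) Update (\d+) and before')
RESULT_RE = re.compile(r'can result in (.*)$')
# Legacy version banner, e.g. java version "1.7.0_17"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_entries(text):
    """Turn the quoted risk-matrix entries into dicts keyed by CVE id."""
    entries = {}
    for cve, body in ENTRY_RE.findall(text):
        body = " ".join(body.split())            # undo line wrapping
        sub = re.search(r'subcomponent: ([^)]+)\)', body).group(1)
        m = AFFECTED_RE.search(body)
        ranges = m.group(1)
        entries[cve] = {
            "subcomponent": sub,
            # major -> highest affected update, e.g. {7: 17, 6: 43, 5: 41}
            "max_update": {int(float(maj)): int(upd)
                           for maj, upd in JAVA_SE_RE.findall(ranges)},
            "javafx": "JavaFX" in ranges,
            "exploitability": m.group(2),
            "unauthenticated_remote": "unauthenticated network" in body,
            "result": RESULT_RE.search(body).group(1).rstrip("."),
        }
    return entries


def parse_java_version(version_output):
    """(major, update) from a 1.x.y_NN banner; None for other formats."""
    m = VERSION_RE.search(version_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def applicable_cves(entries, version_output):
    """CVE ids whose affected range covers the installed Java SE release."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return None                               # e.g. a "9.0.4" style banner
    major, update = parsed
    return sorted(cve for cve, e in entries.items()
                  if major in e["max_update"]
                  and update <= e["max_update"][major])


def installed_java_version():
    """Banner of the `java` on PATH; the launcher prints it to stderr."""
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_ENTRIES)
    banner = installed_java_version()
    if banner is None:
        print("java not found on PATH")
    else:
        hits = applicable_cves(entries, banner)
        print(banner.splitlines()[0] if banner else "empty banner")
        if hits is None:
            print("version banner not in the 1.x.y_NN format this bulletin covers")
        for cve in hits or []:
            e = entries[cve]
            print(f"{cve} ({e['subcomponent']}): {e['exploitability']}; "
                  f"{'unauthenticated remote' if e['unauthenticated_remote'] else 'local logon required'}; "
                  f"{e['result']}")
```

The check only covers the single `java` found on PATH; hosts commonly carry several runtimes (a browser plugin, a bundled JRE under an application directory), each of which needs to be located and checked separately.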


REFERENCES

        [1] Oracle Java SE Critical Patch Update Advisory - April 2013
            http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

        [2] Text Form of Oracle Java SE Critical Patch Update - April 2013 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/javacpuapr2013verbose-1928687.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----