-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                       AUSCERT Security Bulletin

                             ASB-2013.0058
   Oracle have released updates to correct security vulnerabilities in
                             Java products
                             17 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              JDK and JRE 7 Update 17 and earlier
                      JDK and JRE 6 Update 43 and earlier
                      JDK and JRE 5.0 Update 41 and earlier
                      JavaFX 2.2.7 and earlier
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-2440 CVE-2013-2439 CVE-2013-2438 CVE-2013-2436
                      CVE-2013-2435 CVE-2013-2434 CVE-2013-2433 CVE-2013-2432
                      CVE-2013-2431 CVE-2013-2430 CVE-2013-2429 CVE-2013-2428
                      CVE-2013-2427 CVE-2013-2426 CVE-2013-2425 CVE-2013-2424
                      CVE-2013-2423 CVE-2013-2422 CVE-2013-2421 CVE-2013-2420
                      CVE-2013-2419 CVE-2013-2418 CVE-2013-2417 CVE-2013-2416
                      CVE-2013-2415 CVE-2013-2414 CVE-2013-2394 CVE-2013-2384
                      CVE-2013-2383 CVE-2013-1569 CVE-2013-1564 CVE-2013-1563
                      CVE-2013-1561 CVE-2013-1558 CVE-2013-1557 CVE-2013-1540
                      CVE-2013-1537 CVE-2013-1518 CVE-2013-1491 CVE-2013-1488
                      CVE-2013-0402 CVE-2013-0401
Member content until: Friday, May 17 2013
Reference:            ASB-2013.0057
                      ESB-2013.0229

OVERVIEW

        Oracle have released updates to correct security vulnerabilities
        in the following Java products: JDK and JRE 7, JDK and JRE 6,
        JDK and JRE 5.0, and JavaFX 2.2.7 and earlier. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "CVE-2013-0401
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: AWT). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Difficult to exploit vulnerability allows
        successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data as well as read access to a subset of
        Java Runtime Environment accessible data." [2]

        "CVE-2013-0402
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JavaFX). Supported versions that are
        affected are 7 Update 17 and before and JavaFX 2.2.7 and before.
        Difficult to exploit vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-1488
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Libraries). Supported versions that are
        affected are 7 Update 17 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-1491
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41
        and before and JavaFX 2.2.7 and before. Easily exploitable
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-1518
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JAXP). Supported versions that are
        affected are 7 Update 17 and before, 6 Update 43 and before and
        5.0 Update 41 and before. Easily exploitable vulnerability allows
        successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-1537
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: RMI). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-1540
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Deployment). Supported versions that are
        affected are 7 Update 17 and before and 6 Update 43 and before.
        Difficult to exploit vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data." [2]

        "CVE-2013-1557
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: RMI). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-1558
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Beans). Supported versions that are
        affected are 7 Update 17 and before and 6 Update 43 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-1561
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JavaFX). Supported versions that are
        affected are 7 Update 17 and before and JavaFX 2.2.7 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized read access to a subset of Java Runtime Environment
        accessible data." [2]

        "CVE-2013-1563
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Install). Supported versions that are
        affected are 7 Update 17 and before, 6 Update 43 and before and
        JavaFX 2.2.7 and before. Very difficult to exploit vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-1564
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JavaFX). Supported versions that are
        affected are 7 Update 17 and before and JavaFX 2.2.7 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data." [2]

        "CVE-2013-1569
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2383
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2384
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2394
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41
        and before and JavaFX 2.2.7 and before. Very difficult to exploit
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-2414
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JavaFX). Supported versions that are
        affected are 7 Update 17 and before and JavaFX 2.2.7 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2415
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JAX-WS). Supported versions that are
        affected are 7 Update 17 and before. Easily exploitable
        vulnerability requiring logon to Operating System. Successful
        attack of this vulnerability can result in unauthorized read
        access to a subset of Java Runtime Environment accessible
        data." [2]

        "CVE-2013-2416
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Deployment). Supported versions that are
        affected are 7 Update 17 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized update, insert or delete access to
        some Java Runtime Environment accessible data." [2]

        "CVE-2013-2417
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Networking). Supported versions that are
        affected are 7 Update 17 and before, 6 Update 43 and before and
        5.0 Update 41 and before. Easily exploitable vulnerability allows
        successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized ability to cause a partial denial of service
        (partial DOS) of Java Runtime Environment." [2]

        "CVE-2013-2418
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Deployment). Supported versions that are
        affected are 7 Update 17 and before and 6 Update 43 and before.
        Easily exploitable vulnerability requiring logon to Operating
        System. Successful attack of this vulnerability can result in
        unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data as well as read access to a subset of
        Java Runtime Environment accessible data and ability to cause a
        partial denial of service (partial DOS) of Java Runtime
        Environment." [2]

        "CVE-2013-2419
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized ability to cause a partial denial of service
        (partial DOS) of Java Runtime Environment." [2]

        "CVE-2013-2420
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2421
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: HotSpot). Supported versions that are
        affected are 7 Update 17 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-2422
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Libraries). Supported versions that are
        affected are 7 Update 17 and before and 6 Update 43 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2423
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Hotspot). Supported versions that are
        affected are 7 Update 17 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized update, insert or delete access to
        some Java Runtime Environment accessible data." [2]

        "CVE-2013-2424
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JMX). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update
        41 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized read access to a subset of Java Runtime Environment
        accessible data." [2]

        "CVE-2013-2425
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Install). Supported versions that are
        affected are 7 Update 17 and before. Easily exploitable
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-2426
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Libraries). Supported versions that are
        affected are 7 Update 17 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-2427
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JavaFX). Supported versions that are
        affected are 7 Update 17 and before and JavaFX 2.2.7 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2428
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JavaFX). Supported versions that are
        affected are 7 Update 17 and before and JavaFX 2.2.7 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2429
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: ImageIO). Supported versions that are
        affected are 7 Update 17 and before, 6 Update 43 and before and
        5.0 Update 41 and before. Very difficult to exploit vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2430
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: ImageIO). Supported versions that are
        affected are 7 Update 17 and before, 6 Update 43 and before, 5.0
        Update 41 and before and JavaFX 2.2.7 and before. Very difficult
        to exploit vulnerability allows successful unauthenticated
        network attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized Operating System
        takeover including arbitrary code execution." [2]

        "CVE-2013-2431
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Hotspot). Supported versions that are
        affected are 7 Update 17 and before. Easily exploitable
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-2432
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41
        and before and JavaFX 2.2.7 and before. Easily exploitable
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-2433
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Deployment). Supported versions that are
        affected are 7 Update 17 and before and 6 Update 43 and before.
        Difficult to exploit vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data." [2]

        "CVE-2013-2434
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: 2D). Supported versions that are affected
        are 7 Update 17 and before and JavaFX 2.2.7 and before. Easily
        exploitable vulnerability allows successful unauthenticated
        network attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized Operating System
        takeover including arbitrary code execution." [2]

        "CVE-2013-2435
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Deployment). Supported versions that are
        affected are 7 Update 17 and before and 6 Update 43 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2436
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Libraries). Supported versions that are
        affected are 7 Update 17 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized Operating System takeover including
        arbitrary code execution." [2]

        "CVE-2013-2438
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: JavaFX). Supported versions that are
        affected are 7 Update 17 and before. Easily exploitable
        vulnerability allows successful unauthenticated network attacks
        via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized update, insert or delete access to
        some Java Runtime Environment accessible data." [2]

        "CVE-2013-2439
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Install). Supported versions that are
        affected are 7 Update 17 and before, 6 Update 43 and before, 5.0
        Update 41 and before and JavaFX 2.2.7 and before. Difficult to
        exploit vulnerability requiring logon to Operating System.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2440
        Vulnerability in the Java Runtime Environment component of Oracle
        Java SE (subcomponent: Deployment). Supported versions that are
        affected are 7 Update 17 and before and 6 Update 43 and before.
        Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

MITIGATION

        Oracle recommends updating to the latest version of the affected
        Java products to correct these issues. [1]

REFERENCES

        [1] Oracle Java SE Critical Patch Update Advisory - April 2013
            http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

        [2] Text Form of Oracle Java SE Critical Patch Update - April 2013
            Risk Matrices
            http://www.oracle.com/technetwork/topics/security/javacpuapr2013verbose-1928687.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
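The mitigation above is "update to the latest version", which in practice means finding every host still on a release at or below the cut-offs in the Product list (7 Update 17, 6 Update 43, 5.0 Update 41). The following is an added example, not part of the AusCERT bulletin, that parses the first line of `java -version` output (the `1.<major>.0_<update>` form used by these releases) and classifies it against those cut-offs; the host names and version strings are constructed samples. JavaFX is not covered because it does not report through `java -version`.

```python
import re

# Highest affected update per Java line, taken from the bulletin's Product
# list: 7u17, 6u43 and 5.0u41 and earlier are affected; anything later on
# the same line carries the April 2013 Critical Patch Update.
AFFECTED_MAX_UPDATE = {
    "1.7": 17,
    "1.6": 43,
    "1.5": 41,
}

# `java -version` reports e.g.  java version "1.7.0_17"  where the "_NN"
# suffix is the update number (no suffix means update 0). A trailing build
# tag such as "1.6.0_43-b01" is tolerated by the regex.
_VERSION_RE = re.compile(r'version "(\d+\.\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output):
    """Return (line, update) such as ("1.7", 17) from `java -version` text, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    update = int(m.group(2)) if m.group(2) else 0
    return m.group(1), update


def is_affected(output):
    """True/False against the bulletin's cut-offs; None when the line is not
    one the bulletin lists (e.g. 1.8) or the output cannot be parsed, so the
    caller reports "unknown" rather than silently "safe"."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    line, update = parsed
    if line not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[line]


# Constructed sample outputs (hypothetical hosts, not captured from real systems).
SAMPLES = {
    "host-a": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
    "host-b": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)',
    "host-c": 'java version "1.6.0_43"',
    "host-d": 'java version "1.5.0_45"',
    "host-e": 'java version "1.6.0"',
    "host-f": 'openjdk version "1.8.0_292"',
}


def triage(samples):
    """Map host name -> "affected", "patched" or "unknown"."""
    result = {}
    for host, out in samples.items():
        verdict = is_affected(out)
        if verdict is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if verdict else "patched"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLES).items()):
        print(f"{host}: {status}")
```

Feed it the captured `java -version` output from each host in your inventory; "unknown" entries need a manual look rather than being treated as patched.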