===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0075
             Oracle have released updates to correct security
                     vulnerabilities in Java products
                               19 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              JDK and JRE 7 Update 21 and earlier
                      JDK and JRE 6 Update 45 and earlier
                      JDK and JRE 5.0 Update 45 and earlier
                      JavaFX 2.2.21 and earlier
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-3744 CVE-2013-3743 CVE-2013-2473
                      CVE-2013-2472 CVE-2013-2471 CVE-2013-2470
                      CVE-2013-2469 CVE-2013-2468 CVE-2013-2467
                      CVE-2013-2466 CVE-2013-2465 CVE-2013-2464
                      CVE-2013-2463 CVE-2013-2462 CVE-2013-2461
                      CVE-2013-2460 CVE-2013-2459 CVE-2013-2458
                      CVE-2013-2457 CVE-2013-2456 CVE-2013-2455
                      CVE-2013-2454 CVE-2013-2453 CVE-2013-2452
                      CVE-2013-2451 CVE-2013-2450 CVE-2013-2449
                      CVE-2013-2448 CVE-2013-2447 CVE-2013-2446
                      CVE-2013-2445 CVE-2013-2444 CVE-2013-2443
                      CVE-2013-2442 CVE-2013-2437 CVE-2013-2412
                      CVE-2013-2407 CVE-2013-2400 CVE-2013-1571
                      CVE-2013-1500
Member content until: Friday, July 19 2013
Reference:            ESB-2013.0545

OVERVIEW

        Oracle have released updates to correct security vulnerabilities in
        the following Java products: JDK and JRE 7, JDK and JRE 6, JDK and JRE
        5.0, and JavaFX 2.2.21 and earlier. [1]


IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:
        
        "CVE-2013-1500 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0
        Update 45 and before. Easily exploitable vulnerability requiring logon
        to Operating System. Successful attack of this vulnerability can result
        in unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data as well as read access to a subset of Java
        Runtime Environment accessible data." [2]
        
        "CVE-2013-1571 Vulnerability in the Javadoc component of Oracle
        Java SE. Supported versions that are affected are 7 Update 21 and 
        before, 6 Update 45 and before, 5.0 Update 45 and before and JavaFX 
        2.2.21 and before. Difficult to exploit vulnerability allows successful
        unauthenticated network attacks via HTTP. Successful attack of this
        vulnerability can result in unauthorized update, insert or delete
        access to some Javadoc accessible data." [2]
        
        "CVE-2013-2400 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: Deployment). Supported 
        versions that are affected are 7 Update 21 and before. Easily 
        exploitable vulnerability allows successful unauthenticated network 
        attacks via multiple protocols. Successful attack of this vulnerability 
        can result in unauthorized update, insert or delete access to some Java 
        Runtime Environment accessible data." [2]
        
        "CVE-2013-2407 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Libraries). Supported versions that
        are affected are 7 Update 21 and before and 6 Update 45 and before.
        Easily exploitable vulnerability allows successful unauthenticated
        network attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized read access to a subset of
        Java Runtime Environment accessible data and ability to cause a partial
        denial of service (partial DOS) of Java Runtime Environment." [2]
        
        "CVE-2013-2412 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Serviceability). Supported versions
        that are affected are 7 Update 21 and before and 6 Update 45 and
        before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful
        attack of this vulnerability can result in unauthorized read access to
        a subset of Java Runtime Environment accessible data." [2]
        
        "CVE-2013-2437 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Deployment). Supported versions that
        are affected are 7 Update 21 and before and 6 Update 45 and before.
        Easily exploitable vulnerability allows successful unauthenticated
        network attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized read access to a subset of
        Java Runtime Environment accessible data." [2]
        
        "CVE-2013-2442 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Deployment). Supported versions that
        are affected are 7 Update 21 and before and 6 Update 45 and before.
        Easily exploitable vulnerability allows successful unauthenticated
        network attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized update, insert or delete
        access to some Java Runtime Environment accessible data as well as read 
        access to a subset of Java Runtime Environment accessible data and 
        ability to cause a partial denial of service (partial DOS) of Java 
        Runtime Environment." [2]
        
        "CVE-2013-2443 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Libraries). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0
        Update 45 and before. Easily exploitable vulnerability allows
        successful unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in unauthorized
        read access to a subset of Java Runtime Environment accessible
        data." [2]
        
        "CVE-2013-2444 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: AWT). Supported versions that are
        affected are 7 Update 21 and before, 6 Update 45 and before, 5.0 Update
        45 and before and JavaFX 2.2.21 and before. Easily exploitable
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can result
        in unauthorized ability to cause a partial denial of service
        (partial DOS) of Java Runtime Environment." [2]
        
        "CVE-2013-2445 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Hotspot). Supported versions that are
        affected are 7 Update 21 and before, 6 Update 45 and before and 5.0
        Update 45 and before. Easily exploitable vulnerability allows
        successful unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in unauthorized
        Operating System hang or frequently repeatable crash (complete
        DOS)." [2]
        
        "CVE-2013-2446 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: CORBA). Supported versions that are
        affected are 7 Update 21 and before, 6 Update 45 and before and 5.0
        Update 45 and before. Easily exploitable vulnerability allows
        successful unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in unauthorized
        read access to a subset of Java Runtime Environment accessible
        data." [2]
        
        "CVE-2013-2447 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Networking). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before and
        5.0 Update 45 and before. Easily exploitable vulnerability allows
        successful unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in unauthorized
        read access to a subset of Java Runtime Environment accessible
        data." [2]
        
        "CVE-2013-2448 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Sound). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before and
        5.0 Update 45 and before. Very difficult to exploit vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2449 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Libraries). Supported versions
        that are affected are 7 Update 21 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can result
        in unauthorized read access to a subset of Java Runtime Environment
        accessible data." [2]
        
        "CVE-2013-2450 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Serialization). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized ability to cause a partial denial of service (partial DOS)
        of Java Runtime Environment." [2]
        
        "CVE-2013-2451 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Networking). Supported versions
        that are affected are 7 Update 21 and before and 6 Update 45 and
        before. Very difficult to exploit vulnerability requiring logon to
        Operating System. Successful attack of this vulnerability can result
        in unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data as well as read access to a subset of Java
        Runtime Environment accessible data and ability to cause a partial
        denial of service (partial DOS) of Java Runtime Environment." [2]
        
        "CVE-2013-2452 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Libraries). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized read access to a subset of Java Runtime Environment
        accessible data." [2]
        
        "CVE-2013-2453 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: JMX). Supported versions that are
        affected are 7 Update 21 and before and 6 Update 45 and before. Easily
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this vulnerability
        can result in unauthorized update, insert or delete access to some
        Java Runtime Environment accessible data." [2]
        
        "CVE-2013-2454 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: JDBC). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Difficult to exploit vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data as well as read access to a subset of
        Java Runtime Environment accessible data." [2]
        
        "CVE-2013-2455 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Libraries). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized read access to a subset of Java Runtime Environment
        accessible data." [2]
        
        "CVE-2013-2456 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Serialization). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized read access to a subset of Java Runtime Environment
        accessible data." [2]
        
        "CVE-2013-2457 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: JMX). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data." [2]
        
        "CVE-2013-2458 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Libraries). Supported versions
        that are affected are 7 Update 21 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can result
        in unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data as well as read access to a subset of
        Java Runtime Environment accessible data." [2]
        
        "CVE-2013-2459 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: AWT). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2460 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Serviceability). Supported versions
        that are affected are 7 Update 21 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can result
        in unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2461 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: Libraries). Supported
        versions that are affected are 7 Update 21 and before and 6 Update
        45 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful
        attack of this vulnerability can result in unauthorized update,
        insert or delete access to some Java Runtime Environment accessible
        data as well as read access to a subset of Java Runtime Environment
        accessible data and ability to cause a partial denial of service
        (partial DOS) of Java Runtime Environment." [2]
        
        "CVE-2013-2462 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Deployment). Supported versions
        that are affected are 7 Update 21 and before. Difficult to exploit
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can result
        in unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2463 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2464 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2465 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2466 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: Deployment). Supported
        versions that are affected are 7 Update 21 and before and 6 Update
        45 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful
        attack of this vulnerability can result in unauthorized Operating
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2467 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Install). Supported versions that
        are affected are 5.0 Update 45 and before. Difficult to exploit
        vulnerability requiring logon to Operating System. Successful attack
        of this vulnerability can result in unauthorized Operating System
        takeover including arbitrary code execution." [2]
        
        "CVE-2013-2468 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: Deployment). Supported
        versions that are affected are 7 Update 21 and before and 6 Update
        45 and before. Easily exploitable vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful
        attack of this vulnerability can result in unauthorized Operating
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-2469 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2470 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2471 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2472 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-2473 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
        
        "CVE-2013-3743 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: AWT). Supported versions
        that are affected are 6 Update 45 and before and 5.0 Update 45
        and before. Difficult to exploit vulnerability allows successful
        unauthenticated network attacks via multiple protocols. Successful
        attack of this vulnerability can result in unauthorized Operating
        System takeover including arbitrary code execution." [2]
        
        "CVE-2013-3744 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Deployment). Supported versions
        that are affected are 7 Update 21 and before. Easily exploitable
        vulnerability allows successful unauthenticated network attacks via
        multiple protocols. Successful attack of this vulnerability can result
        in unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data." [2]
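        Every entry quoted above follows the same Oracle risk-matrix template
        (CVE, component, subcomponent, affected versions, exploitability,
        attack vector, impact), which makes the list machine-triageable. The
        script below is an added example written for this bulletin, not
        AusCERT or Oracle code: it parses entries in that template and orders
        them so that remote, unauthenticated code execution issues come first.
        The four sample entries embedded in it are copied from the IMPACT
        section; the ranking rule is an assumption of this example, not an
        Oracle severity score.

```python
import re

# Template shared by every Oracle risk-matrix entry quoted in the IMPACT section.
# Input is whitespace-normalised first, so the bulletin's line wrapping is irrelevant.
# The "(subcomponent: ...)" clause is optional: the Javadoc entry has none.
ENTRY_RE = re.compile(
    r"(?P<cve>CVE-\d{4}-\d{4,}) Vulnerability in the (?P<component>.+?) component "
    r"of Oracle Java SE(?: \(subcomponent: (?P<sub>[^)]+)\))?\. "
    r"Supported versions that are affected are (?P<versions>.+?)\. "
    r"(?P<difficulty>Easily exploitable|Difficult to exploit|Very difficult to exploit) "
    r"vulnerability (?P<vector>allows successful unauthenticated network attacks via [^.]+"
    r"|requiring logon to Operating System)\. "
    r"Successful attack of this vulnerability can result in (?P<impact>.+?)\."
)

# Lower rank == easier for an attacker (ordering assumed for this example).
DIFFICULTY_RANK = {
    "Easily exploitable": 0,
    "Difficult to exploit": 1,
    "Very difficult to exploit": 2,
}


def parse_entries(text):
    """Return one dict per risk-matrix entry found in `text`."""
    flat = " ".join(text.split())  # collapse wrapped lines, tabs and indentation
    entries = []
    for m in ENTRY_RE.finditer(flat):
        e = m.groupdict()
        e["remote"] = e["vector"].startswith("allows successful unauthenticated network")
        e["code_exec"] = "arbitrary code execution" in e["impact"]
        entries.append(e)
    return entries


def triage(text):
    """Order entries: code execution first, then remote/unauthenticated, then easiest."""
    return sorted(
        parse_entries(text),
        key=lambda e: (not e["code_exec"], not e["remote"],
                       DIFFICULTY_RANK[e["difficulty"]], e["cve"]),
    )


# Sample input: four entries copied verbatim from the IMPACT section of this bulletin.
SAMPLE = """
        "CVE-2013-1500 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0
        Update 45 and before. Easily exploitable vulnerability requiring logon
        to Operating System. Successful attack of this vulnerability can result
        in unauthorized update, insert or delete access to some Java Runtime
        Environment accessible data as well as read access to a subset of Java
        Runtime Environment accessible data." [2]

        "CVE-2013-1571 Vulnerability in the Javadoc component of Oracle
        Java SE. Supported versions that are affected are 7 Update 21 and
        before, 6 Update 45 and before, 5.0 Update 45 and before and JavaFX
        2.2.21 and before. Difficult to exploit vulnerability allows successful
        unauthenticated network attacks via HTTP. Successful attack of this
        vulnerability can result in unauthorized update, insert or delete
        access to some Javadoc accessible data." [2]

        "CVE-2013-2448 Vulnerability in the Java Runtime Environment component
        of Oracle Java SE (subcomponent: Sound). Supported versions that
        are affected are 7 Update 21 and before, 6 Update 45 and before and
        5.0 Update 45 and before. Very difficult to exploit vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]

        "CVE-2013-2463 Vulnerability in the Java Runtime Environment
        component of Oracle Java SE (subcomponent: 2D). Supported versions
        that are affected are 7 Update 21 and before, 6 Update 45 and before
        and 5.0 Update 45 and before. Easily exploitable vulnerability
        allows successful unauthenticated network attacks via multiple
        protocols. Successful attack of this vulnerability can result in
        unauthorized Operating System takeover including arbitrary code
        execution." [2]
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["cve"], e["sub"] or e["component"], e["difficulty"],
              "remote" if e["remote"] else "local",
              "CODE-EXEC" if e["code_exec"] else "")
```

        Run against the whole IMPACT section the same parser yields all 40
        entries; the ranking puts the 2D, AWT, Deployment, Serviceability and
        Sound issues that Oracle describes as "Operating System takeover" at
        the top of the patch queue, with the "requiring logon to Operating
        System" entries (CVE-2013-1500, CVE-2013-2451, CVE-2013-2467) last.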


MITIGATION

        Oracle recommends updating to the latest version of the affected 
        Java products to correct these issues. [1]
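        Before patching, a practitioner needs to know which installed runtimes
        fall inside the affected ranges above (7 Update 21, 6 Update 45 and
        5.0 Update 45 and earlier). The script below is an added example, not
        AusCERT or Oracle code: it parses the first line of `java -version`
        output (which the JDK writes to stderr) and reports whether the
        runtime is within a range this bulletin lists as affected. The sample
        banners embedded in it are constructed; the ceilings come straight
        from the Product field of this bulletin.

```python
import re
import subprocess

# Highest affected update per release family, taken from this bulletin.
# Anything at or below the ceiling is affected; anything above is not covered
# by this bulletin at all (see is_affected for how unknown families are treated).
AFFECTED_MAX_UPDATE = {
    "1.5.0": 45,   # JDK and JRE 5.0 Update 45 and earlier
    "1.6.0": 45,   # JDK and JRE 6 Update 45 and earlier
    "1.7.0": 21,   # JDK and JRE 7 Update 21 and earlier
}

# Matches the version line of `java -version` or `openjdk -version` output, e.g.
#   java version "1.7.0_21"
#   java version "1.6.0_45-b06"   (build suffix after '-' is ignored)
#   java version "1.5.0"          (no update number means update 0)
_VERSION_RE = re.compile(r'version "(\d+\.\d+\.\d+)(?:_(\d+))?[^"]*"')


def parse_java_version(banner):
    """Return (family, update) parsed from a version banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    family = m.group(1)
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_affected(banner):
    """True if the banner describes a runtime inside an affected range.

    A family the bulletin does not mention (e.g. 1.8.0) or an unparseable
    banner returns False: the bulletin makes no claim about it, so the caller
    must not treat False as "safe", only as "not covered here".
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    family, update = parsed
    ceiling = AFFECTED_MAX_UPDATE.get(family)
    if ceiling is None:
        return False
    return update <= ceiling


def check_local_java(java="java"):
    """Run `<java> -version` on this host and classify it.

    Returns (affected, first_banner_line), or None if no such binary exists.
    Pass an explicit path to check a second JRE (e.g. a browser plug-in JRE)
    that is not first on PATH.
    """
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    banner = proc.stderr + proc.stdout      # the JDK prints the banner on stderr
    first = banner.strip().splitlines()[0] if banner.strip() else ""
    return is_affected(banner), first


# Constructed sample banners in the format `java -version` prints.
SAMPLE_BANNERS = {
    "7u21 (affected)":   'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "7u25 (not listed)": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)\n',
    "6u45 (affected)":   'java version "1.6.0_45-b06"\n',
    "5.0 base (affected)": 'java version "1.5.0"\n',
    "OpenJDK 7u21":      'openjdk version "1.7.0_21"\n',
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:22} -> {'AFFECTED' if is_affected(banner) else 'not in affected range'}")
    local = check_local_java()
    if local is not None:
        print("local java:", local[1], "->", "AFFECTED" if local[0] else "not in affected range")
```

        Two caveats apply when using this on real hosts. Distribution-packaged
        OpenJDK builds often backport fixes without changing the `1.x.0_NN`
        update number, so the update-number comparison is only meaningful for
        Oracle-distributed JDK/JRE builds; check the package changelog for
        vendor builds instead. JavaFX is a separate install (2.2.21 and earlier
        is listed as affected) and is not reported by `java -version`, so it
        must be inventoried separately, as must any additional JRE bundled
        with a browser plug-in or application that is not first on PATH.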


REFERENCES

        [1] Oracle Java SE Critical Patch Update Advisory - June 2013
            http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

        [2] Text Form of Oracle Java SE Critical Patch Update - June 2013 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/javacpujun2013verbose-1899853.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================