You are here

U-191: Oracle Java Multiple Vulnerabilities

June 14, 2012 - 7:00am

Addthis

PROBLEM:

Multiple vulnerabilities have been reported in Oracle Java, which can be exploited by malicious local users

PLATFORM:

Oracle Java JDK 1.7.x / 7.x
Oracle Java JRE 1.7.x / 7.x
Sun Java JDK 1.5.x
Sun Java JDK 1.6.x / 6.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
Sun Java SDK 1.4.x

ABSTRACT:

The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes.

This Critical Patch Update contains 14 new security fixes across Java SE products.
 

reference LINKS: 

Oracle Security Advisory
Secunia Advisory 49472

IMPACT ASSESSMENT:

High

Discussion:

Multiple vulnerabilities have been reported in Oracle Java, which can be exploited by malicious, local users to disclose potentially sensitive information, manipulate certain data, and cause a DoS (Denial of Service) and by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1.) An error in the 2D subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets or specially crafted data passed to certain APIs.[CVE-2012-0551].

2.) An error in the Deployment subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.[CVE-2012-1711].

3.) An error in the Deployment subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.[CVE-2012-1713].

4) An error in the Hotspot subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.[CVE-2012-1716].

5.) An error in the Hotspot subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.[CVE-2012-1717].

6.) An error in the Swing subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.[CVE-2012-1718].

Successful exploitation of vulnerabilities #1 through #6 may allow execution of arbitrary code.

7) An error in the CORBA subcomponent can be exploited to disclose and manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.[CVE-2012-1719].

8) An error in the Libraries subcomponent can be exploited to disclose and manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.[CVE-2012-1720].

9.) An error in the Deployment subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only. [CVE-2012-1721].

10) An error in the CORBA subcomponent can be exploited to manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.[CVE-2012-1722].

11) An error in the JAXP subcomponent can be exploited to manipulate some data and cause a DoS via untrusted Java Web Start applications and untrusted Java applets or specially crafted data passed to certain APIs.[CVE-2012-1723].

12) An error in the Security subcomponent can be exploited to cause a DoS via untrusted Java Web Start applications and untrusted Java applets or specially crafted data passed to certain APIs.[CVE-2012-1724].

13) An error in the Networking subcomponent can be exploited by local users to manipulate some data and cause a DoS to a server deployment running on Solaris only.[CVE-2012-1725].

14) An error in the printing functionality due to creating temporary spool files with insecure permissions can be exploited to disclose the contents of printed documents owned by other users.[CVE-2012-1726].

Impact:

Cross Site Scripting, Manipulation of data , Exposure of sensitive information , DoS , System access from remote

Solution:

The Vendor has issued a fix at Oracle.com

Addthis