You are here

V-083: Oracle Java Multiple Vulnerabilities

February 4, 2013 - 12:42am

Addthis

PROBLEM:

Oracle Java Multiple Vulnerabilities

PLATFORM:

Oracle Java JDK 1.5.x / 5.x
Oracle Java JDK 1.7.x / 7.x
Oracle Java JRE 1.7.x / 7.x
Oracle Java SDK 1.4.x / 4.x
Sun Java JDK 1.4.x
Sun Java JDK 1.6.x / 6.x
Sun Java JRE 1.4.x / 4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x

ABSTRACT:

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert.

REFERENCE LINKS:

Oracle Security Advisory February 2013
SecurityTracker Alert ID:  1028071
Secunia Advisory  SA52064
CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0436, CVE-2013-0437, CVE-2013-0438, CVE-2013-0439, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1472, CVE-2013-1473, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483, CVE-2013-1489

IMPACT ASSESSMENT:

High

DISCUSSION:

Multiple vulnerabilities have been reported in Oracle Java, which can be exploited by malicious local users to gain escalated privileges and by malicious people to disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) An unspecified error in the 2D component of the client and server deployment can be exploited to potentially execute arbitrary code.

2) An unspecified error in the 2D component of the client and server deployment can be exploited to potentially execute arbitrary code.

3) An unspecified error in the AWT component of the client deployment can be exploited to potentially execute arbitrary code.

4) An unspecified error in the AWT component of the client deployment can be exploited to potentially execute arbitrary code.

5) An unspecified error in the AWT component of the client and server deployment can be exploited to potentially execute arbitrary code.

6) An unspecified error in the CORBA component of the client deployment can be exploited to potentially execute arbitrary code.

7) An unspecified error in the CORBA component of the client deployment can be exploited to potentially execute arbitrary code.

8) An unspecified error in the CORBA component of the client deployment can be exploited to potentially execute arbitrary code.

9) An unspecified error in the Deployment component of the client deployment can be exploited to potentially execute arbitrary code.

10) An unspecified error in the Deployment component of the client deployment can be exploited to potentially execute arbitrary code.

11) An unspecified error in the Deployment component of the client deployment can be exploited to potentially execute arbitrary code.

12) An unspecified error in the JMX component of the client deployment can be exploited to potentially execute arbitrary code.

13) An unspecified error in the JavaFX component of the client deployment can be exploited to potentially execute arbitrary code.

14) An unspecified error in the Libraries component of the client deployment can be exploited to potentially execute arbitrary code.

15) An unspecified error in the Libraries component of the client deployment can be exploited to potentially execute arbitrary code.

16) An unspecified error in the Libraries component of the client deployment can be exploited to potentially execute arbitrary code.

17) An unspecified error in the Scripting component of the client deployment can be exploited to potentially execute arbitrary code.

18) An unspecified error in the Sound component of the client deployment can be exploited to potentially execute arbitrary code.

19) An unspecified error in the Beans component of the client deployment can be exploited to potentially execute arbitrary code.

20) An unspecified error in the CORBA component of the client deployment can be exploited to potentially execute arbitrary code.

21) An unspecified error in the Deployment component of the client deployment can be exploited to potentially execute arbitrary code.

22) An unspecified error in the Deployment component of the client deployment can be exploited to potentially execute arbitrary code.

23) An unspecified error in the Deployment component of the client deployment can be exploited to disclose and manipulate certain data and cause a DoS.

24) An unspecified error in the Install component of the client deployment can be exploited by a local user to gain escalated privileges.

25) An unspecified error in the AWT component of the client deployment can be exploited to disclose and manipulate certain data.

26) An unspecified error in the Deployment component of the client deployment can be exploited to disclose certain data.

27) An unspecified error in the Deployment component of the client deployment can be exploited to manipulate certain data.

28) An unspecified error in the JAX-WS component of the client deployment can be exploited to disclose certain data.

29) An unspecified error in the JAXP component of the client deployment can be exploited to disclose certain data.

30) An unspecified error in the JMX component of the client deployment can be exploited to disclose certain data.

31) An unspecified error in the JMX component of the client deployment can be exploited to disclose certain data.

32) An unspecified error in the Libraries component of the client deployment can be exploited to manipulate certain data.

33) An unspecified error in the Libraries component of the client deployment can be exploited to manipulate certain data.

34) An unspecified error in the Networking component of the client deployment can be exploited to manipulate certain data.

35) An unspecified error in the RMI component of the client deployment can be exploited to manipulate certain data.

36) An unspecified error in the JSSE component of the server deployment can be exploited via SSL/TLS to cause a DoS.

37) An unspecified error in the Deployment component of the client deployment can be exploited to disclose certain data.

38) An unspecified error in the JSSE component of the client deployment can be exploited via SSL/TLS to disclose and manipulate certain data.

IMPACT:

A remote user can create an application or applet that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain elevated privileges on the target system.

SOLUTION:

Apply Critical Patch Update.

Addthis