V-095: Oracle Java Flaws Let Remote Users Execute Arbitrary Code

February 20, 2013 - 12:38am

PROBLEM:

Oracle Java Flaws Let Remote Users Execute Arbitrary Code

PLATFORM:

JDK and JRE 7 Update 13 and earlier
JDK and JRE 6 Update 39 and earlier
JDK and JRE 5.0 Update 39 and earlier
SDK and JRE 1.4.2_41 and earlier

ABSTRACT:

Several vulnerabilities were reported in Oracle Java.

REFERENCE LINKS:

Updated Release of the February 2013 Oracle Java SE Critical Patch Update
SecurityTracker Alert ID: 1028155
CVE-2013-1484
CVE-2013-1485
CVE-2013-1486
CVE-2013-1487

IMPACT ASSESSMENT:

High

DISCUSSION:

A remote user can create a specially crafted Java Web Start application or Java applet that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

The Libraries [CVE-2013-1484], JMX [CVE-2013-1486], and Deployment [CVE-2013-1487] components are affected.

A remote user can partially modify data on the target system [CVE-2013-1485]. The Libraries component is affected.

IMPACT:

A remote user can create Java content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can partially modify data on the target system.

SOLUTION:

The vendor has issued a fix (6 Update 41, 7 Update 15).
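To check an inventory against the PLATFORM and SOLUTION entries above, the following added example (not part of the original bulletin or any vendor tooling) classifies legacy `1.x.y_zz` Java version strings. The host names and sample `java -version` lines are constructed, and the function names are this example's own.

```python
import re

# Last affected (micro, update) per release line, from the PLATFORM list.
# Keys are the (major, minor) of the legacy "1.x.y_zz" version string.
LAST_AFFECTED = {
    (1, 7): (0, 13),
    (1, 6): (0, 39),
    (1, 5): (0, 39),
    (1, 4): (2, 41),
}
# First fixed (micro, update) per release line, from the SOLUTION section.
FIRST_FIXED = {(1, 7): (0, 15), (1, 6): (0, 41)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

def parse_version(text):
    """Parse '1.7.0_13', '1.6.0_39-b04' or a full `java -version` line."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, micro = (int(g) for g in m.group(1, 2, 3))
    update = int(m.group(4) or 0)  # "1.7.0" with no suffix is update 0
    return (major, minor), (micro, update)

def classify(text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    line, level = parsed
    if line in LAST_AFFECTED and level <= LAST_AFFECTED[line]:
        return "affected"
    if line in FIRST_FIXED and level >= FIRST_FIXED[line]:
        return "fixed"
    return "unlisted"  # the advisory makes no statement about this version

# Constructed inventory: host name -> first line of `java -version` output.
SAMPLE_INVENTORY = {
    "build-01": 'java version "1.7.0_13"',
    "kiosk-07": 'java version "1.6.0_41"',
    "legacy-db": 'java version "1.4.1_07"',
    "dev-laptop": 'java version "1.7.0_15"',
}

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Versions the bulletin does not mention, such as 5.0 or 1.4.2 builds above the listed updates, are reported as `unlisted` rather than assumed safe.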