Lucene search

CERTVU:858729

HistoryFeb 01, 2013 - 12:00 a.m.

Oracle Java contains multiple vulnerabilities

2013-02-0100:00:00

www.kb.cert.org

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.968 High

EPSS

Percentile

99.7%

JSON

Overview

Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle’s document states, "If there is a security manager already installed, this method first calls the security manager’s _checkPermission_ method with a _RuntimePermission("setSecurityManager")_ permission to ensure it’s safe to replace the existing security manager. This may result in throwing a _SecurityException"_.

By leveraging a number of vulnerabilities, an untrusted Java applet can escalate its privileges to allow full privileges, without requiring code signing. Other vulnerabilities can cause exploitable memory corruption, which could affect Java applets, as well as Java applications, depending on what the Java application does and how it may process untrusted data. Oracle Java 7 Update 11, Java 6 Update 38, and earlier Java versions are affected.

At least one of these vulnerabilities is reportedly being exploited in the wild.

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities. The vulnerabilities that affect server deployments of Java may be exploited by causing a Java server application to process untrusted data.

Solution

Apply an update

These issues are addressed in Java 7 Update 13 and Java 6 Update 39. Please see the Oracle Java SE Critical Patch Update Advisory - February 2013 for more details.

Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

System administrators wishing to deploy Java 7 Update 10 or later with the “Enable Java content in the browser” feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.

Alternatively, Microsoft has released a Fix it that disables Java in the Internet Explorer web browser.

Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to .jar and .class files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet.

Vendor Information

858729

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Inc. __ Affected

Updated: February 05, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

<http://support.apple.com/kb/HT5647>

Addendum

Apple OS X Snow Leopard and Snow Leopard Server are affected.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23858729 Feedback>).