Lucene search

K

[email protected]CVE-2013-1493

HistoryMar 05, 2013 - 10:06 p.m.

CVE-2013-1493

2013-03-0522:06:00

CWE-119

[email protected]

web.nvd.nist.gov

101

cve-2013-1493

oracle

java

cmm

remote code execution

image vulnerability

nvd

9.3 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.966 High

EPSS

Percentile

99.6%

The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013.

CPENameOperatorVersion
oracle:jreoracle jreeq1.7.0
sun:jresun jreeq1.5.0
oracle:jreoracle jrele1.5.0
sun:jdksun jdkeq1.6.0
oracle:jdkoracle jdkeq1.6.0
sun:jresun jreeq1.6.0
oracle:jreoracle jreeq1.6.0
sun:jdksun jdkeq1.5.0
oracle:jdkoracle jdkle1.5.0
oracle:jdkoracle jdkeq1.7.0

References

blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html

h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04117626-1

lists.opensuse.org/opensuse-security-announce/2013-03/msg00009.html

lists.opensuse.org/opensuse-security-announce/2013-03/msg00011.html

lists.opensuse.org/opensuse-security-announce/2013-03/msg00012.html

lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html

mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html

marc.info/?l=bugtraq&m=136439120408139&w=2

marc.info/?l=bugtraq&m=136570436423916&w=2

rhn.redhat.com/errata/RHSA-2013-0601.html

rhn.redhat.com/errata/RHSA-2013-0603.html

rhn.redhat.com/errata/RHSA-2013-0604.html

rhn.redhat.com/errata/RHSA-2013-1455.html

rhn.redhat.com/errata/RHSA-2013-1456.html

security.gentoo.org/glsa/glsa-201406-32.xml

www.exploit-db.com/exploits/24904

www.kb.cert.org/vuls/id/688246

www.mandriva.com/security/advisories?name=MDVSA-2013:095

www.oracle.com/ocom/groups/public/%40otn/documents/webcontent/1915099.xml

www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

www.securityfocus.com/bid/58238

www.securitytracker.com/id/1029803

www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-incident

www.ubuntu.com/usn/USN-1755-2

www.us-cert.gov/ncas/alerts/TA13-064A

bugzilla.redhat.com/show_bug.cgi?id=917553

krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19246

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19477

twitter.com/jduck1337/status/307629902574800897

wiki.mageia.org/en/Support/Advisories/MGASA-2013-0088

9.3 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.966 High

EPSS

Percentile

99.6%