Oracle Critical Patch Update Advisory - February 2013 - Beta Oracle CVRF Oracle Critical Patch Update Advisory JavaCPUFeb2013Update Final 1.0 1.0 2013-02-19T13:00:00-07:00 Initial Distribution 2013-02-19T13:00:00-07:00 2013-02-19T13:00:00-07:00 This document contains descriptions of Oracle product security vulnerabilities which have had fixes released for all supported versions and platforms for the associated product. Additional information regarding these vulnerabilities including fix distribution information can be found at the Oracle sites referenced in this document. This document is published at: http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1905890.xml http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html URL to html version of Advisory Ben Murphy TippingPoint's Zero Day Initiative Kenny Paterson Royal Holloway, University of London Michael Schierl Michael Schierl Nadhem AlFardan Royal Holloway, University of London Tomasko Labuda iSIGHT Partners Global Vulnerability Partnership Will Dormann CERT/CC Sun Java Version 1.4.2_41 and before Sun Java Version 5.0 Update 39 and before Sun Java Version 6 Update 39 and before Sun Java Version 7 Update 13 and before Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are 7 Update 13 and before, 6 Update 39 and before, 5.0 Update 39 and before and 1.4.2_41 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data. Note: Applies to server deployments of JSSE. SSL/TLS Plaintext Recovery vulnerability also known as "Lucky Thirteen" vulnerability. See http://www.isg.rhul.ac.uk/tls/. CVSS Base Score 4.3 (Confidentiality impacts). CVSS V2 Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N). Oracle Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N). Fix has been released CVE-2013-0169 P-856V-7 Update 13 and before P-856V-6 Update 39 and before P-856V-5.0 Update 39 and before P-856V-1.4.2_41 and before 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N JavaCPUFeb2013Update Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html P-856V-7 Update 13 and before P-856V-6 Update 39 and before P-856V-5.0 Update 39 and before P-856V-1.4.2_41 and before Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries ). Supported versions that are affected are 7 Update 13 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). CVSS Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Oracle Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Fix has been released CVE-2013-1484 P-856V-7 Update 13 and before 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C JavaCPUFeb2013Update Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html P-856V-7 Update 13 and before Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 13 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). CVSS Base Score 5.0 (Integrity impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N). Oracle Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N). Fix has been released CVE-2013-1485 P-856V-7 Update 13 and before 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N JavaCPUFeb2013Update Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html P-856V-7 Update 13 and before Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are 7 Update 13 and before, 6 Update 39 and before and 5.0 Update 39 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). CVSS Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Oracle Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Fix has been released CVE-2013-1486 P-856V-7 Update 13 and before P-856V-6 Update 39 and before P-856V-5.0 Update 39 and before 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C JavaCPUFeb2013Update Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html P-856V-7 Update 13 and before P-856V-6 Update 39 and before P-856V-5.0 Update 39 and before Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 13 and before and 6 Update 39 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). CVSS Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Oracle Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Fix has been released CVE-2013-1487 P-856V-7 Update 13 and before P-856V-6 Update 39 and before 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C JavaCPUFeb2013Update Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html P-856V-7 Update 13 and before P-856V-6 Update 39 and before