Oracle Security Alert for CVE-2013-1493 - Beta Oracle CVRF Oracle Security Alert CVE-2013-1493 Final 1.0 1.0 2013-03-04T13:00:00-07:00 Initial Distribution 2013-03-04T13:00:00-07:00 2013-03-04T13:00:00-07:00 This document contains descriptions of Oracle product security vulnerabilities which have had fixes released for all supported versions and platforms for the associated product. Additional information regarding these vulnerabilities including fix distribution information can be found at the Oracle sites referenced in this document. This document is published at: http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1915099.xml http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html URL to html version of Advisory Darien Kindlund FireEye Vitaliy Toropov TippingPoint's Zero Day Initiative Vitaliy Toropov iDefense an Anonymous Reporter TippingPoint's Zero Day Initiative axtaxt TippingPoint's Zero Day Initiative Sun Java Version 5.0 Update 40 and before Sun Java Version 6 Update 41 and before Sun Java Version 7 Update 15 and before Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 15 and before, 6 Update 41 and before and 5.0 Update 40 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). CVSS Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Oracle Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Fix has been released CVE-2013-0809 P-856V-7 Update 15 and before P-856V-6 Update 41 and before P-856V-5.0 Update 40 and before 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C CVE-2013-1493 Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html P-856V-7 Update 15 and before P-856V-6 Update 41 and before P-856V-5.0 Update 40 and before Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 15 and before, 6 Update 41 and before and 5.0 Update 40 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). CVSS Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Oracle Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C). Fix has been released CVE-2013-1493 P-856V-7 Update 15 and before P-856V-6 Update 41 and before P-856V-5.0 Update 40 and before 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C CVE-2013-1493 Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html P-856V-7 Update 15 and before P-856V-6 Update 41 and before P-856V-5.0 Update 40 and before