Oracle Security Alert CVE-2010-0886


Description

This Security Alert addresses security issues CVE-2010-0886 and CVE-2010-0887, which are vulnerabilities in desktop Java running in web browsers only; these vulnerabilities are not present in Java running on servers or in standalone Java desktop applications, and they do not impact any Oracle server-based software. The desktop vulnerabilities are in the Java Deployment Toolkit and the new Java Plug-in that are included in various Oracle Java SE and Java for Business releases. They only affect Java when running in a 32-bit web browser. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For a successful exploit, a user running an affected release in their browser will need to visit a malicious web page that exploits these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

Supported Products Affected


Java SE

JDK and JRE 6 for Windows, Solaris, and Linux

Java for Business

JDK and JRE 6 for Windows, Solaris and Linux

Patch Availability

Customers who use default Java installation settings that include the automatic update of Java for security and other issues will have these fixes automatically applied over the next 30 days. Customers who do not have automatic update enabled, or who want to immediately apply these important fixes (as Oracle recommends), should follow the instructions in the table below.

Java Edition / Product Group / Patch Availability and Installation Information

Java SE

  JDK and JRE 6 Update 20 for Windows, Solaris, and Linux
  The link below is for Software Developers.
  •  Download

  JRE 6 Update 20 for Windows, Solaris, and Linux
  Follow the link below and click the "Free Java Download" button for instructions to install a complete version of Java with fixes for the vulnerabilities described in this Alert.
  •  http://java.com/

  JRE 6 Update 20 for Windows
  Follow the link below and follow the instructions to update Java with fixes for the vulnerabilities described in this Alert.
  •  Java Update

  JDK 6 Update 20 for Solaris
  Registered Solaris users can install this update as a Solaris patch:
  •  125136-22 (sparc, 32 bit)
  •  125137-22 (sparc, 64 bit)
  •  125138-22 (x86, 32 bit)
  •  125139-22 (x86, 64 bit)

Java for Business

  JDK and JRE 6 Update 20 for Windows, Solaris and Linux
  Registered Java for Business users should follow the link below and select the "Java for Business Download Center" link.
  •  http://www.sun.com/software/javaseforbusiness/getit_download.jsp


Oracle strongly recommends that customers upgrade to these releases as soon as possible.

Risk Matrix

Scores are CVSS version 2.0 base scores (see Risk Matrix Definitions).

CVE-2010-0886
  Component: Java Deployment Toolkit
  Protocol: Multiple
  Sub component: N/A
  Remote Exploit without Auth.?: Yes
  CVSS 2.0 Base Score: 10.0 (Access Vector: Network, Access Complexity: Low, Authentication: None, Confidentiality: Complete, Integrity: Complete, Availability: Complete)
  Last Affected Patch set (per Supported Release): 6 Update 10 through 19
  Notes: See Note 1

CVE-2010-0887
  Component: New Java Plug-in
  Protocol: Multiple
  Sub component: N/A
  Remote Exploit without Auth.?: Yes
  CVSS 2.0 Base Score: 10.0 (Access Vector: Network, Access Complexity: Low, Authentication: None, Confidentiality: Complete, Integrity: Complete, Availability: Complete)
  Last Affected Patch set (per Supported Release): 6 Update 18 and 19
  Notes: See Note 2

Notes:

  1. Affects the Windows platform only. CVSS 10.0 score assumes running with Administrator privileges. Otherwise, CVSS score of 7.5 with Confidentiality, Integrity and Availability impacts of Partial+, Partial+ and Partial+.
  2. Affects all platforms. CVSS 10.0 score assumes running with Administrator privileges. Otherwise, CVSS score of 7.5 with Confidentiality, Integrity and Availability impacts of Partial+, Partial+ and Partial+.

References

Modification History


2010-May-18    Rev 2. JDK 6 Update 20 for Solaris
2010-April-15  Rev 1. Initial Release