This Security Alert addresses security issues CVE-2010-0886 and CVE-2010-0887, which are vulnerabilities in desktop Java running in web browsers only; these vulnerabilities are not present in Java running on servers or standalone Java desktop applications and do not impact any Oracle server based software. The desktop vulnerabilities are in the Java Deployment Toolkit and the new Java Plug-in that are included in various Oracle Java SE and Java for Business releases. They only affect Java when running in a 32-bit web browser. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For a successful exploit, a user running an affected release in their browser will need to visit a malicious web page that exploits this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
JDK and JRE 6 for Windows, Solaris, and Linux
JDK and JRE 6 for Windows, Solaris and Linux
Customers who use default Java installation settings that include the automatic update of Java for security and other issues will have these fixes automatically applied over the next 30 days. Customers who do not have automatic update enabled or who want to immediately apply these important fixes, as is recommended by Oracle, should follow the instructions in the table below
|Java Edition||Product Group||Patch Availability and Installation Information|
|Java SE||JDK and JRE 6 Update 20 for Windows, Solaris, and Linux||
The link below is for Software Developers.
|JRE 6 Update 20 for Windows, Solaris, and Linux||
Follow the link below and click the "Free Java Download" button for instructions to install a complete version of Java with fixes for the vulnerabilities described in this Alert.
|JRE 6 Update 20 for Windows||
Follow the link below and follow instructions to update Java with fixes for the vulnerabilities described in this Alert.
|Java for Business||JDK and JRE 6 Update 20 for Windows, Solaris and Linux||
Registered Java for Business users should follow the link below and select the "Java for Business Download Center" link.
Oracle strongly recommends that customers upgrade to these releases as soon as possible.
|CVE#||Component||Protocol||Sub Component||Remote Exploit without Auth.?||CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)||Last Affected Patch set (per Supported Release)||Notes|
|Base Score||Access Vector||Access Complexity||Authentication||Confidentiality||Integrity||Availability|
|CVE-2010-0886||Java Deployment Toolkit||Multiple||N/A||Yes||10.0||Network||Low||None||Complete||Complete||Complete||6 Update 10 through 19||See Note 1|
|CVE-2010-0887||New Java Plug-in||Multiple||N/A||Yes||10.0||Network||Low||None||Complete||Complete||Complete||6 Update 18 and 19||See Note 2|
1. Affects the Windows platform only. CVSS 10.0 score assumes running with Administrator privileges. Otherwise, CVSS score of 7.5 with Confidentiality, Integrity and Availability impacts of Partial+, Partial+ and Partial+.
2. Affects all platforms. CVSS 10.0 score assumes running with Administrator privileges. Otherwise, CVSS score of 7.5 with Confidentiality, Integrity and Availability impacts of Partial+, Partial+ and Partial+.
|2010-May-18||Rev 2. JDK 6 Update 20 for Solaris|
|Rev 1. Initial Release|