[SingCERT] Oracle Java Multiple Flaws Let Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges

Published on Wednesday, 17 April 2013 20:04

[ Summary ]

Multiple vulnerabilities were reported in Oracle Java. They allow a remote user to execute arbitrary code and a local user to obtain elevated privileges on the vulnerable system. A remote user can access and modify data. A remote or local user can cause denial of service conditions.

A remote user can create a specially crafted Java applet or Java Web Start application that, when loaded by the target user, will execute arbitrary code on the vulnerable system.

The 2D [CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-1569, CVE-2013-2434, CVE-2013-2432, CVE-2013-2420, CVE-2013-1491], Beans [CVE-2013-1558], Deployment [CVE-2013-2440, CVE-2013-2435], Hotspot [CVE-2013-2421, CVE-2013-2431], Install [CVE-2013-2425, CVE-2013-1563], JAXP [CVE-2013-1518], JavaFX [CVE-2013-0402, CVE-2013-2414, CVE-2013-2428, CVE-2013-2427], Libraries [CVE-2013-1488, CVE-2013-2422, CVE-2013-2426, CVE-2013-2436], RMI [CVE-2013-1537, CVE-2013-1557], and ImageIO [CVE-2013-2429, CVE-2013-2430] components are affected.

The RMI vulnerability [CVE-2013-1537] also affects Java server deployments.

A local user can execute arbitrary code on the target system with elevated privileges [CVE-2013-2439].

A remote user can exploit a flaw in the AWT component to partially access and modify data [CVE-2013-0401].

A remote user can exploit a flaw in the 2D component to cause denial of service conditions [CVE-2013-2419].

A remote user can partially access data. The JMX [CVE-2013-2424] and JavaFX [CVE-2013-1561] components are affected.

A remote user can partially modify data. The JavaFX [CVE-2013-1564, CVE-2013-2438], Deployment [CVE-2013-2416, CVE-2013-2433, CVE-2013-1540], and Hotspot [CVE-2013-2423] components are affected.

A remote user can exploit a flaw in the Networking component to partially deny service [CVE-2013-2417].

A local user can exploit a flaw in the Deployment component to partially access and modify data and partially deny service [CVE-2013-2418].

A local user can exploit a flaw in JAX-WS to partially access data [CVE-2013-2415]. Java server deployments are also affected.

This Critical Patch Update contains 42 new security fixes across Java SE products.


[ Affected Products ]

  • JDK and JRE 7 Update 17 and earlier
  • JDK and JRE 6 Update 43 and earlier
  • JDK and JRE 5.0 Update 41 and earlier
  • JavaFX 2.2.7 and earlier
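As an added example (not part of the SingCERT advisory or of Oracle's own tooling), the following Python check classifies the output of `java -version` against the JDK/JRE update levels listed above. The function names, the parsing regex and the sample version strings are assumptions constructed for this illustration; JavaFX is not covered because it does not report through `java -version`.

```python
import re
import subprocess
from typing import Optional, Tuple

# Latest affected update level per major release, taken from the
# advisory's "Affected Products" list (7u17, 6u43 and 5.0u41 and earlier).
AFFECTED_MAX_UPDATE = {5: 41, 6: 43, 7: 17}

# Matches the first line of `java -version`, e.g. java version "1.7.0_17".
# An update level of 0 prints with no "_NN" suffix, e.g. "1.6.0".
_VERSION_RE = re.compile(r'version "1\.(\d)\.0(?:_(\d+))?')


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) parsed from `java -version` output, or None."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(version_output: str) -> Optional[bool]:
    """True if the release is at or below the affected update level,
    False if it is newer, None if unparseable or not a listed release."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return None
    major, update = parsed
    if major not in AFFECTED_MAX_UPDATE:
        return None  # a release the advisory does not list (e.g. Java 8+)
    return update <= AFFECTED_MAX_UPDATE[major]


def check_local_java() -> Optional[bool]:
    """Run the installed `java -version` (it prints to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None  # no java binary on PATH
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from any real host.
    for sample in ('java version "1.7.0_17"', 'java version "1.7.0_21"',
                   'java version "1.6.0_43"', 'java version "1.5.0"'):
        print(sample, "->", is_affected(sample))
    print("local java ->", check_local_java())
```

A result of `None` means the host needs a manual look (no Java found, a newer release line, or unexpected output), not that it is safe.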


[ Impact Analysis ]

Successful exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the vulnerable system. A remote user can obtain elevated privileges on the vulnerable system. A remote user can access and modify data. A remote or local user can cause denial of service conditions.


[ Solution/Workaround ]

Oracle has issued a fix. Users are advised to install the update to prevent their systems from being exploited.


[ Reference ]

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html