Category:   Application (Generic)  >   Oracle Java SE
Vendors:   Oracle, Sun
(Apple Issues Fix) Oracle Java Flaws Let Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1028072
SecurityTracker URL:  http://securitytracker.com/id/1028072
CVE Reference:   CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0436, CVE-2013-0437, CVE-2013-0438, CVE-2013-0439, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1472, CVE-2013-1473, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483, CVE-2013-1489
Date:  Feb 2 2013
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 Update 38 and prior; 6 Update 38 and prior; 7 Update 11 and prior
Description:   Multiple vulnerabilities were reported in Oracle Java. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A remote user can cause denial of service conditions.

A remote user can create a specially crafted Java Web Start application or Java applet that, when loaded by the target user, will execute arbitrary code on the target system [CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0419, CVE-2013-0423, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0429, CVE-2013-0436, CVE-2013-0437, CVE-2013-0439, CVE-2013-0441, CVE-2013-0442, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0450, CVE-2013-1472, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483].

A local user can exploit a flaw in the Install component to execute arbitrary code on the target system with elevated privileges [CVE-2013-0430].

A remote user can exploit a flaw in the Deployment component to partially access and modify data and cause partial denial of service conditions [CVE-2013-0351].

A remote user can partially access and modify data. The AWT [CVE-2013-0432] and JSSE [CVE-2013-0443] components are affected.

A remote user can partially access data. The AWT [CVE-2013-0449], JAX-WS [CVE-2013-0435], JAXP [CVE-2013-0434], JMX [CVE-2013-0409, CVE-2013-0431], and Deployment [CVE-2013-0438] components are affected.

A remote user can partially modify data. The AWT [CVE-2013-1473], Libraries [CVE-2013-0427, CVE-2013-0448], Networking [CVE-2013-0433], and RMI [CVE-2013-0424] components are affected.

A remote user can cause partial denial of service conditions. The JSSE component [CVE-2013-0440] is affected.

The following researchers reported these vulnerabilities:

Adam Gowdiak of Security Explorations; Aniway.Anyway via TippingPoint; Chris Ries via TippingPoint; David Hoyt; David Thiel of Information Security Partners (iSEC); iDefense; James Forshaw (tyranid) via TippingPoint; Jeroen Frijters; Mark Yason of the IBM X-Force; Tomas Hoger of Red Hat; Vitaliy Toropov via iDefense; and Vitaliy Toropov via TippingPoint.

Impact:   A remote user can create an application or applet that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain elevated privileges on the target system.

A remote user can cause denial of service conditions on the target system.
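The Version(s) field above gives the affected ranges as Java SE 5.0 Update 38 and prior, 6 Update 38 and prior, and 7 Update 11 and prior, and Apple's message states that the Mac OS X update moves Java from 1.6.0_37 to 1.6.0_39. The following is an added example, not code from SecurityTracker, Oracle or Apple: it parses the version line that `java -version` prints (the `java version "1.6.0_37"` form used by these releases) and reports whether that version falls inside the advisory's affected ranges. The sample output strings in the block are constructed for illustration.

```python
import re
import subprocess

# Affected ranges stated in the advisory, keyed by the "1.x" family number:
# 5.0 Update 38 and prior, 6 Update 38 and prior, 7 Update 11 and prior.
LAST_AFFECTED_UPDATE = {5: 38, 6: 38, 7: 11}

# Matches the first line of `java -version` output for these releases,
# e.g. java version "1.6.0_37"; the "_update" suffix is optional.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (family, update) from `java -version` output, e.g. (6, 37) for 1.6.0_37.

    Returns None when no recognisable version line is present.
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_affected(output):
    """True if the reported version is within the advisory's affected ranges.

    Returns None when the version cannot be parsed (treat as "review manually"),
    and False for families the advisory does not list.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    limit = LAST_AFFECTED_UPDATE.get(family)
    if limit is None:
        return False
    return update <= limit


def check_installed_java():
    """Run the local `java -version` (which prints to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample output, in the shape `java -version` produced for Java 6.
    sample = 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment\n'
    print("1.6.0_37 affected:", is_affected(sample))          # True
    print("1.6.0_39 affected:", is_affected('java version "1.6.0_39"'))  # False
    print("installed java affected:", check_installed_java())
```

A result of None is deliberately distinct from False: an unparseable version string (or no `java` on the path) should be looked at by hand rather than counted as patched.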

Solution:   Apple has issued a fix for Mac OS X 10.6.

The Apple advisory will be available at:

http://support.apple.com/kb/HT1222

Vendor URL:  www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Cause:   Not specified
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.6.x

Message History:   This archive entry is a follow-up to the message listed below.
Feb 1 2013 Oracle Java Flaws Let Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges



Source Message Contents

Subject:  APPLE-SA-2013-02-01-1 Java for Mac OS X v10.6 Update 12

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-02-01-1 Java for Mac OS X v10.6 Update 12

Java for Mac OS X v10.6 Update 12 is now available and addresses the
following:

Java
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact:  Multiple vulnerabilities in Java 1.6.0_37
Description:  Multiple vulnerabilities exist in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.6.0_39.
Further information is available via the Java website at
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481


Java for Mac OS X 10.6 Update 12 may be obtained
from the Software Update pane in System Preferences or
Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: 0c790491ca22ee009086ee1ec1f1b358024dd83e

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
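Apple's message publishes the download file name (JavaForMacOSX10.6.dmg) and its SHA-1 digest (0c790491ca22ee009086ee1ec1f1b358024dd83e). The following is an added example, not code from Apple or SecurityTracker: it streams a downloaded file through SHA-1 and compares the result against the published digest with a constant-time comparison, which is the check an administrator would run before installing the package. The `make_sample_file` helper and its contents are constructed for illustration only; a real check points `verify_download` at the downloaded `.dmg`.

```python
import hashlib
import hmac
import os
import tempfile

# Digest published in the Apple advisory for JavaForMacOSX10.6.dmg.
PUBLISHED_SHA1 = "0c790491ca22ee009086ee1ec1f1b358024dd83e"


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex=PUBLISHED_SHA1):
    """True if the file's SHA-1 matches the expected hex digest.

    Hex case and surrounding whitespace (as copied from an advisory) are
    normalised; the comparison itself is constant-time.
    """
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def make_sample_file(content):
    """Write constructed bytes to a temporary file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".dmg")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # A constructed stand-in for the installer; it will not match the published digest.
    sample = make_sample_file(b"constructed sample bytes, not the real installer\n")
    print("matches published digest:", verify_download(sample))      # False
    print("matches its own digest:  ", verify_download(sample, sha1_of_file(sample)))  # True
    os.remove(sample)
```

The digest check confirms the file is the one Apple published, nothing more; the message is also PGP-signed with Apple's Product Security key, and verifying that signature is what ties the digest itself back to Apple.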