CVE-2013-2471: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D).Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. CVE-2013-2470: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D).With the release of this Critical Patch Update, Oracle has fixed the Javadoc tool so that it doesn’t produce vulnerable pages anymore, and additionally produced a utility, the “ Java API Documentation Updater Tool,” to fix previously produced (and vulnerable) HTML files.īelow is the full list of CVEs resolved in this critical patch update: This vulnerability has received a CVSS Base Score of 4.3. If exploited, this vulnerability can result in granting a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers. This means that this vulnerability (CVE-2013-1571, also known as CERT/CC VU#225657) can only be exploited through Javadoc-generated HTML files hosted on a web server. Some HTML pages that were created by any 1.5 or later versions of the Javadoc tool are vulnerable to frame injection. In addition to the above notables, Oracle’s Eric Maurice mentioned that one of the fixes affects the Javadoc tool and the documents it creates, describing the issue and resolution as follows: One of the vulnerabilities fixed in this Critical patch Update affects the Java installer and can only be exploited locally.The most severe of these vulnerabilities has received a CVSS Base Score of 7.5. 4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments.The highest CVSS Base Score for these client-only fixes is 10.0. 34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments.37 of these vulnerabilities are remotely exploitable without authentication.Oracle noted the following details of the vulnerabilities fixed in this update: This critical patch applies to Java 7 Update 21 and all versions before, Java 6 Update 45 and before, and Java 5.0 Update 45 and before. Apple’s Java for OS X 2013-004 and Mac OS X v10.6 Update 16 was released for Mac OS X v10.6.8, OS X Lion v10.7 or later, and OS X Mountain Lion v.10.8 or later. Most of the bugs fixed in Java SE 7u25 are “remotely exploitable without authentication,” according to Oracle’s security team. Oracle has released Java SE 7u25 with fixes for a colossal 40 security vulnerabilities. Security News Oracle Kills 40 Java Bugs in One Fell Swoop
0 kommentar(er)
