Oracle, Apple Patch Vulnerable Java SE Versions

Oracle has patched vulnerable Java SE versions with the release of Java SE 7u45. Oracle strongly recommends that all Java SE 7 users upgrade to this release. In conjunction with Oracle’s update, Apple released Java for OS X 2013-005 and Mac OS X 10.6 Update 17 with fixes for multiple vulnerabilities in Java 1.6.0_51. These releases update the Apple-provided system Java SE 6 to version 1.6.0_65.

Oracle’s critical patch update contains 51 new security fixes for Oracle Java SE. Fifty of these vulnerabilities may be remotely exploitable without authentication, that is, they may be exploited over a network without the need for a username and password. Supported versions that are affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, Java SE Embedded 7u40 and earlier and JavaFX 2.2.40 and earlier.
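The first thing an administrator needs from the version list above is a quick way to tell whether a given JVM is below the patched level. The POSIX shell script below is an added example, not part of the original article: it reads the version string that `java -version` prints and classifies it against the fixed releases named here (7u45 for Java SE 7, 1.6.0_65 for Java SE 6) and against Oracle's "5.0u51 and earlier" for Java SE 5.0. The sample `java -version` output and the function names are constructed, and the script assumes that any update between an affected release and the fixed one is unpatched; the article names no fixed 5.0 release, so anything after 5.0u51 is treated as patched.

```shell
#!/bin/sh
# Added example (not from the article): classify an installed Java SE version
# against the patched levels the article names. Thresholds:
#   Java SE 7:   fixed in 7u45                  -> update < 45 is affected
#   Java SE 6:   fixed in 1.6.0_65              -> update < 65 is affected
#   Java SE 5.0: "5.0u51 and earlier" affected  -> update <= 51 is affected
# Assumption: updates between an affected release and the fixed one (e.g. 6u61)
# are treated as unpatched; the article names no fixed 5.0 release.

# Extract the quoted version from `java -version` output (which the JVM writes
# to stderr), e.g. 'java version "1.7.0_40"' -> 1.7.0_40.
# Prints nothing if no such line is present.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p'
}

# Print one of: affected, patched, unknown.
# Version strings look like 1.<major>.0_<update>[-b<build>], e.g. 1.7.0_40-b43.
java_version_affected() {
    ver="$1"
    major=$(printf '%s\n' "$ver" | cut -d. -f2)
    update=$(printf '%s\n' "$ver" | sed -n 's/^1\.[0-9]*\.[0-9]*_\([0-9]*\).*/\1/p')
    if [ -z "$major" ] || [ -z "$update" ]; then
        echo unknown        # not a 1.x.0_NN string (e.g. 1.8.0 or garbage)
        return 0
    fi
    case "$major" in
        7) threshold=45 ;;  # Java SE 7u45
        6) threshold=65 ;;  # Java SE 6, 1.6.0_65
        5) threshold=52 ;;  # 5.0u51 and earlier affected
        *) echo unknown; return 0 ;;
    esac
    if [ "$update" -lt "$threshold" ]; then
        echo affected
    else
        echo patched
    fi
}

# Constructed sample of `java -version 2>&1` from an unpatched 7u40 install.
SAMPLE_OUTPUT='java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)'

ver=$(parse_java_version "$SAMPLE_OUTPUT")
echo "sample install $ver: $(java_version_affected "$ver")"

# Live check of the JVM on PATH (uncomment to run against the local machine):
# java_version_affected "$(parse_java_version "$(java -version 2>&1)")"
```

The script only reports on the JVM that `java` resolves to on PATH; a Mac with both Apple's system Java 6 and Oracle's Java 7 plug-in needs to be checked for each, and browsers pick up the plug-in independently of what the command line shows.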

Apple’s Java for OS X 2013-005 and Mac OS X 10.6 Update 17 contain 38 new security fixes, according to Apple’s security bulletin. Apple described the security fixes as follows:

Multiple vulnerabilities existed in Java 1.6.0_51, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_65.

Apple’s updates are available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion 10.7 or later, OS X Lion Server 10.7 or later, and OS X Mountain Lion 10.8 or later.

Following is a complete list of all 51 vulnerabilities resolved in the Oracle Java SE update, which includes the 38 bugs fixed in Apple’s Java-related update:

  • CVE-2013-3829 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data as well as read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-4002 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded.
  • CVE-2013-5772 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: jhat). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data.
  • CVE-2013-5774 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
  • CVE-2013-5775 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JavaFX accessible data as well as read access to a subset of Java SE, JavaFX accessible data and ability to cause a partial denial of service (partial DOS) of Java SE, JavaFX.
  • CVE-2013-5776 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
  • CVE-2013-5777 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5778 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-5780 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, JRockit, Java SE Embedded accessible data.
  • CVE-2013-5782 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5783 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Swing). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data as well as read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-5784 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: SCRIPTING). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
  • CVE-2013-5787 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5788 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5789 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5790 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: BEANS). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-5797 : Vulnerability in the Java SE, JRockit, JavaFX component of Oracle Java SE (subcomponent: Javadoc). Difficult to exploit vulnerability allows successful authenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JRockit, JavaFX accessible data.
  • CVE-2013-5800 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JGSS). Difficult to exploit vulnerability allows successful unauthenticated network attacks via Kerberos. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-5801 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-5802 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JRockit, Java SE Embedded accessible data as well as read access to a subset of Java SE, JRockit, Java SE Embedded accessible data and ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded.
  • CVE-2013-5803 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: JGSS). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via Kerberos. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded.
  • CVE-2013-5804 : Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Javadoc). Easily exploitable vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JRockit accessible data as well as read access to a subset of Java SE, JRockit accessible data.
  • CVE-2013-5805 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Swing). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5806 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Swing). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5809 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5810 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5812 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data and ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
  • CVE-2013-5814 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: CORBA). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5817 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JNDI). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5818 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
  • CVE-2013-5819 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
  • CVE-2013-5820 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
  • CVE-2013-5823 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded.
  • CVE-2013-5824 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5825 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded.
  • CVE-2013-5829 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5830 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5831 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
  • CVE-2013-5832 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5838 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5840 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-5842 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5843 : Vulnerability in the Java SE, JavaFX, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5844 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5846 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5848 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JavaFX accessible data.
  • CVE-2013-5849 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-5850 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5851 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
  • CVE-2013-5852 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Deployment). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-5854 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, JavaFX accessible data.
Mac users can go to Oracle’s website to download Java SE 7u45 as advised. Users running OS X Lion 10.7 or later and OS X Mountain Lion 10.8 or later can head over to Apple’s Java for OS X 2013-005 download page to install the 63.98 MB update to 1.6.0_65. Users running OS X 10.6.8 Snow Leopard can go to Apple’s Java for Mac OS X 10.6 Update 17 download page to install the 69.54 MB update to 1.6.0_65. Users running Java SE with a browser can download the latest release from Java.com.

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6update17.dmg
Its SHA-1 digest is: 5dfe7eaebf9726352c97964da61d57fa28246c08

For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-005.dmg
Its SHA-1 digest is: ce78f9a916b91ec408c933bd0bde5973ca8a2dc4