Oracle Kills 40 Java Bugs in One Fell Swoop

Oracle has released Java SE 7u25 with fixes for a colossal 40 security vulnerabilities. Most of the bugs fixed in Java SE 7u25 are “remotely exploitable without authentication,” according to Oracle’s security team.

This Critical Patch Update applies to Java 7 Update 21 and earlier, Java 6 Update 45 and earlier, and Java 5.0 Update 45 and earlier. Apple shipped the corresponding fixes for its own Java 6 builds as Java for OS X 2013-004 (OS X Lion v10.7 or later and OS X Mountain Lion v10.8 or later) and Java for Mac OS X 10.6 Update 16 (Mac OS X v10.6.8).

Oracle noted the following details of the vulnerabilities fixed in this update:

  • 37 of these vulnerabilities are remotely exploitable without authentication.
  • 34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments.  The highest CVSS Base Score for these client-only fixes is 10.0.
  • 4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments.  The most severe of these vulnerabilities has received a CVSS Base Score of 7.5.
  • One of the vulnerabilities fixed in this Critical Patch Update affects the Java installer and can only be exploited locally.

In addition to the above notables, Oracle’s Eric Maurice mentioned that one of the fixes affects the Javadoc tool and the documents it creates, describing the issue and resolution as follows:

Some HTML pages that were created by any 1.5 or later versions of the Javadoc tool are vulnerable to frame injection.  This means that this vulnerability (CVE-2013-1571, also known as CERT/CC VU#225657) can only be exploited through Javadoc-generated HTML files hosted on a web server.  If exploited, this vulnerability can result in granting a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers.  This vulnerability has received a CVSS Base Score of 4.3.  With the release of this Critical Patch Update, Oracle has fixed the Javadoc tool so that it doesn’t produce vulnerable pages anymore, and additionally produced a utility, the “Java API Documentation Updater Tool,” to fix previously produced (and vulnerable) HTML files.
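The frame-injection class of bug is worth seeing in code. The following is an added example, not the script Javadoc emits and not Oracle’s fix: it models a frameset page that takes the frame it should load from the query string (the assumed shape of the weakness), shows why a “no colon in the target” check is not enough, and pairs it with an allowlist validator that only accepts a relative, identifier-like path ending in `.html`. The function names and the sample inputs are constructed for this illustration.

```javascript
// Added example (not Javadoc's generated code): frame injection via a
// query-string-driven frame target, and an allowlist check that stops it.
// Run with: node frame_target.js

// Assumed vulnerable pattern: the page loads "?<target>" into its class frame.
// Rejecting any target containing ":" blocks "http:" and "javascript:" URLs,
// but a protocol-relative target such as //attacker.example/phish.html has no
// colon and is still loaded, so the attacker's page lands inside the
// trusted-looking API documentation.
function frameTargetVulnerable(search) {
  let targetPage = search || "";
  if (targetPage !== "") targetPage = targetPage.substring(1); // strip "?"
  if (targetPage.indexOf(":") !== -1) targetPage = "undefined";
  return targetPage === "" || targetPage === "undefined" ? null : targetPage;
}

// Allowlist validator: segments of [A-Za-z$_][A-Za-z0-9$_-]* separated by
// "/" or ".", must end in ".html", no leading separator (so "//host" and
// "../" are rejected), and no "/" once a "." has appeared (so "a.b/../x"
// cannot climb out of the package tree).
function isSafeRelativeHtmlPath(url) {
  const pos = url.indexOf(".html");
  if (pos === -1 || pos !== url.length - 5) return false;
  let allowNumber = false;
  let allowSep = false;
  let seenDot = false;
  for (let i = 0; i < url.length - 5; i++) {
    const ch = url.charAt(i);
    if (/[A-Za-z$_]/.test(ch)) {
      allowNumber = true;
      allowSep = true;
    } else if (/[0-9-]/.test(ch)) {
      if (!allowNumber) return false; // segment may not start with a digit or "-"
    } else if (ch === "/" || ch === ".") {
      if (!allowSep) return false; // no leading or doubled separators
      allowNumber = false;
      allowSep = false;
      if (ch === ".") seenDot = true;
      if (ch === "/" && seenDot) return false;
    } else {
      return false; // anything else (":", "?", "#", "\\", "%", spaces) is rejected
    }
  }
  return true;
}

// Hardened version: same interface, but the target must pass the allowlist.
function frameTargetHardened(search) {
  let targetPage = search || "";
  if (targetPage !== "") targetPage = targetPage.substring(1);
  if (targetPage === "" || !isSafeRelativeHtmlPath(targetPage)) return null;
  return targetPage;
}

// Constructed sample query strings: one legitimate deep link, one scheme URL
// (caught by both), and one protocol-relative URL (caught only by the allowlist).
const samples = [
  "?java/lang/String.html",
  "?http://attacker.example/phish.html",
  "?//attacker.example/phish.html",
];

for (const s of samples) {
  console.log(
    `${s}\n  vulnerable -> ${frameTargetVulnerable(s)}\n  hardened   -> ${frameTargetHardened(s)}`
  );
}
```

The vulnerable variant hands `//attacker.example/phish.html` straight to the frame, which is exactly the redirection-to-a-malicious-page outcome described above; the hardened variant returns `null` for it and still accepts the ordinary `package/Class.html` deep links the documentation relies on. The same allowlist can be applied when auditing already-published documentation: any target-loading script that lacks a check of this shape should be regenerated or patched.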

Below is the full list of CVEs resolved in this Critical Patch Update:

  • CVE-2013-2470: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2471: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2472: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2473: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2463: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2464: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2465: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2469: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2459: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2468: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2466: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-3743: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are 6 Update 45 and before and 5.0 Update 45 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2462: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2460: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Serviceability). Supported versions that are affected are 7 Update 21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2445: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System hang or frequently repeatable crash (complete DOS).
  • CVE-2013-2448: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2442: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2461: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2467: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Install). Supported versions that are affected are 5.0 Update 45 and before. Difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2407: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2454: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JDBC). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2458: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2444: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before, 5.0 Update 45 and before and JavaFX 2.2.21 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2446: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: CORBA). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2437: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2400: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data.
  • CVE-2013-3744: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data.
  • CVE-2013-2457: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data.
  • CVE-2013-2453: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data.
  • CVE-2013-2443: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2452: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2455: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2447: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2450: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2456: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2412: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Serviceability). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2449: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-1571: Vulnerability in the Javadoc component of Oracle Java SE. Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before, 5.0 Update 45 and before and JavaFX 2.2.21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Javadoc accessible data.
  • CVE-2013-2451: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Very difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-1500: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data.

Oracle strongly recommends that all Java SE 7 users upgrade to this release. Mac users can go to Oracle’s website to download Java SE 7u25 as advised. Users running OS X Lion v10.7 or later and OS X Mountain Lion v10.8 or later can head over to Apple’s Java for OS X 2013-004 download page to install the 64.01 MB update to 1.6.0_51. Mac OS X v10.6.8 Snow Leopard users can go to Apple’s Java for Mac OS X 10.6 Update 16 download page to install the 69.39 MB update to 1.6.0_51. Users running Java SE with a browser can download the latest release from Java.com.