Vulnerability Note VU#858729
Oracle Java contains multiple vulnerabilities
Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The Oracle Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.
The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities. The vulnerabilities that affect server deployments of Java may be exploited by causing a Java server application to process untrusted data.
Apply an update
Disable Java in web browsers
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple Inc.||Affected||-||05 Feb 2013|
|Oracle Corporation||Affected||-||01 Feb 2013|
CVSS Metrics (Learn More)
These vulnerabilities were reported by Oracle.
This document was written by Will Dormann.
- CVE IDs: CVE-2012-1541 CVE-2012-1543 CVE-2012-3213 CVE-2012-3342 CVE-2012-4301 CVE-2012-4305 CVE-2013-0351 CVE-2013-0409 CVE-2013-0419 CVE-2013-0423 CVE-2013-0424 CVE-2013-0425 CVE-2013-0426 CVE-2013-0427 CVE-2013-0428 CVE-2013-0429 CVE-2013-0430 CVE-2013-0431 CVE-2013-0432 CVE-2013-0433 CVE-2013-0434 CVE-2013-0435 CVE-2013-0436 CVE-2013-0437 CVE-2013-0438 CVE-2013-0439 CVE-2013-0440 CVE-2013-0441 CVE-2013-0442 CVE-2013-0443 CVE-2013-0444 CVE-2013-0445 CVE-2013-0446 CVE-2013-0447 CVE-2013-0448 CVE-2013-0449 CVE-2013-0450 CVE-2013-1472 CVE-2013-1473 CVE-2013-1474 CVE-2013-1475 CVE-2013-1476 CVE-2013-1477 CVE-2013-1478 CVE-2013-1479 CVE-2013-1480 CVE-2013-1481 CVE-2013-1482 CVE-2013-1483 CVE-2013-1489
- US-CERT Alert: TA13-032A
- Date Public: 01 Feb 2013
- Date First Published: 01 Feb 2013
- Date Last Updated: 14 Jun 2013
- Document Revision: 34
If you have feedback, comments, or additional information about this vulnerability, please send us email.