The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle JDK

vulnerability alert CVE-2013-3829 CVE-2013-4002 CVE-2013-5772

Oracle Java: multiple vulnerabilities of October 2013

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Impacted products: BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, DB2 UDB, Domino, Notes, Tivoli System Automation, WebSphere MQ, ePO, Java OpenJDK, openSUSE, Java Oracle, Puppet, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 51.
Creation date: 16/10/2013.
Identifiers: 1663589, 1663930, 1664550, 1670264, 1671933, BID-63079, BID-63082, BID-63089, BID-63095, BID-63098, BID-63101, BID-63102, BID-63103, BID-63106, BID-63110, BID-63111, BID-63112, BID-63115, BID-63118, BID-63120, BID-63121, BID-63122, BID-63124, BID-63126, BID-63127, BID-63128, BID-63129, BID-63130, BID-63131, BID-63132, BID-63133, BID-63134, BID-63135, BID-63136, BID-63137, BID-63139, BID-63140, BID-63141, BID-63142, BID-63143, BID-63144, BID-63145, BID-63146, BID-63147, BID-63148, BID-63149, BID-63150, BID-63151, BID-63152, BID-63153, BID-63154, BID-63155, BID-63156, BID-63157, BID-63158, c04031205, c04031212, CERTA-2013-AVI-586, CERTFR-2014-AVI-117, CERTFR-2014-AVI-199, cpuoct2013, CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854, FEDORA-2013-19285, FEDORA-2013-19338, HPSBUX02943, HPSBUX02944, MDVSA-2013:266, MDVSA-2013:267, openSUSE-SU-2013:1663-1, openSUSE-SU-2013:1968-1, RHSA-2013:1440-01, RHSA-2013:1447-01, RHSA-2013:1451-01, RHSA-2013:1505-01, RHSA-2013:1507-01, RHSA-2013:1508-01, RHSA-2013:1509-01, RHSA-2013:1793-01, RHSA-2014:1319-01, RHSA-2014:1818-01, RHSA-2014:1821-01, RHSA-2014:1822-01, RHSA-2014:1823-01, RHSA-2015:0269-01, RHSA-2015:0675-01, RHSA-2015:0773-01, SB10058, SE-2012-01, SOL16872, SOL48802597, SUSE-SU-2013:1666-1, SUSE-SU-2013:1669-1, SUSE-SU-2013:1677-2, SUSE-SU-2013:1677-3, VIGILANCE-VUL-13601, VMSA-2014-0002, ZDI-13-244, ZDI-13-245, ZDI-13-246, ZDI-13-247, ZDI-13-248.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63103, CVE-2013-5782]

An attacker can use a vulnerability of Libraries via LDAP Deserialization, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63121, CVE-2013-5830, ZDI-13-248]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63118, CVE-2013-5809]

An attacker can use a vulnerability of 2D via FileImageInputStream, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63137, CVE-2013-5829, ZDI-13-247]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63143, CVE-2013-5814]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63139, CVE-2013-5824]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63145, CVE-2013-5788]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63155, CVE-2013-5787]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63156, CVE-2013-5789]

An attacker can use a vulnerability of JNDI via LdapCtx, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63146, CVE-2013-5817, ZDI-13-244]

An attacker can use a vulnerability of Libraries via ObjectOutputStream, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63150, CVE-2013-5842, ZDI-13-246]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63151, CVE-2013-5843]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63158, CVE-2013-5832]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63153, CVE-2013-5850]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63131, CVE-2013-5838]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63112, CVE-2013-5805]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63122, CVE-2013-5806]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63127, CVE-2013-5846]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63132, CVE-2013-5810]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63136, CVE-2013-5844]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63140, CVE-2013-5777]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63130, CVE-2013-5852]

An attacker can use a vulnerability of JAXP, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63135, CVE-2013-5802]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63144, CVE-2013-5775]

An attacker can use a vulnerability of Javadoc, in order to obtain or alter information. [severity:3/4; BID-63149, CVE-2013-5804]

An attacker can use a vulnerability of Deployment, in order to obtain information, or to trigger a denial of service. [severity:3/4; BID-63126, CVE-2013-5812]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:3/4; BID-63120, CVE-2013-3829]

An attacker can use a vulnerability of Swing NumberFormatter and RealTimeSequencer, in order to obtain or alter information. [severity:3/4; BID-63154, CVE-2013-5783, ZDI-13-245]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; BID-63101, CVE-2013-5825]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2013-4002]

An attacker can use a vulnerability of Security, in order to trigger a denial of service. [severity:2/4; BID-63110, CVE-2013-5823]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; BID-63134, CVE-2013-5778]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; BID-63147, CVE-2013-5801]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63152, CVE-2013-5776]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63157, CVE-2013-5818]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63141, CVE-2013-5819]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63129, CVE-2013-5831]

An attacker can use a vulnerability of JAX-WS, in order to alter information. [severity:2/4; BID-63133, CVE-2013-5820]

An attacker can use a vulnerability of JAXP, in order to obtain information. [severity:2/4; BID-63142, CVE-2013-5851]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; BID-63148, CVE-2013-5840]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-63128, CVE-2013-5774]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63124, CVE-2013-5848]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; BID-63115, CVE-2013-5780]

An attacker can use a vulnerability of JGSS, in order to obtain information. [severity:2/4; BID-63111, CVE-2013-5800]

An attacker can use a vulnerability of AWT, in order to obtain information. [severity:2/4; BID-63106, CVE-2013-5849]

An attacker can use a vulnerability of BEANS, in order to obtain information. [severity:2/4; BID-63102, CVE-2013-5790]

An attacker can use a vulnerability of SCRIPTING, in order to alter information. [severity:2/4; BID-63098, CVE-2013-5784]

An attacker can use a vulnerability of Javadoc, in order to alter information. [severity:2/4; BID-63095, CVE-2013-5797]

An attacker can use a vulnerability of jhat, in order to alter information. [severity:1/4; BID-63089, CVE-2013-5772]

An attacker can use a vulnerability of JGSS, in order to trigger a denial of service. [severity:1/4; BID-63082, CVE-2013-5803]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:1/4; BID-63079, CVE-2013-5854]

computer vulnerability alert CVE-2013-1571

Javadoc: Frame injection via Relative URI

Synthesis of the vulnerability

An attacker can use a relative URI to inject an HTML page into web sites generated with Javadoc, in order to carry out a phishing attack against victims connecting to the web site.
Impacted products: Tomcat, Debian, Fedora, HP-UX, Tivoli System Automation, Java OpenJDK, openSUSE, Java Oracle, JavaFX, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: document.
Creation date: 15/07/2013.
Identifiers: 1650599, BID-60634, c03868911, c03874547, CERTFR-2014-AVI-244, CVE-2013-1571, DSA-2722-1, DSA-2727-1, FEDORA-2013-11281, FEDORA-2013-11285, HPSBUX02907, HPSBUX02908, javacpujun2013, MDVSA-2013:183, MDVSA-2013:196, MDVSA-2014:042, openSUSE-SU-2013:1247-1, openSUSE-SU-2013:1288-1, RHSA-2013:0957-01, RHSA-2013:0958-01, RHSA-2013:0963-01, RHSA-2013:1014-01, RHSA-2013:1059-01, RHSA-2013:1060-01, RHSA-2013:1081-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SUSE-SU-2013:1238-1, SUSE-SU-2013:1254-1, SUSE-SU-2013:1255-1, SUSE-SU-2013:1255-2, SUSE-SU-2013:1255-3, SUSE-SU-2013:1256-1, SUSE-SU-2013:1257-1, SUSE-SU-2013:1263-1, SUSE-SU-2013:1263-2, SUSE-SU-2013:1305-1, VIGILANCE-VUL-13106, VU#225657.

Description of the vulnerability

The Javadoc tool generates the documentation of applications written in Java language.

Index files (index.htm[l]) and table of contents files (toc.htm[l]) are dynamically generated. However, they contain JavaScript code which does not correctly filter relative URIs. An HTML frame can then be replaced by a malicious frame.

An attacker can therefore use a relative URI to inject an HTML page into web sites generated with Javadoc, in order to carry out a phishing attack against victims connecting to the web site.

vulnerability announce CVE-2013-1500 CVE-2013-1571 CVE-2013-2400

Oracle JRE, JDK, JavaFX: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle JRE, JDK, JavaFX.
Impacted products: Debian, Fedora, HP-UX, Domino, Notes, Tivoli System Automation, WebSphere MQ, Java OpenJDK, openSUSE, Java Oracle, JavaFX, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, vCenter Server, VMware vSphere.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 40.
Creation date: 19/06/2013.
Identifiers: 1648416, 1650599, 1657132, BID-60617, BID-60618, BID-60619, BID-60620, BID-60621, BID-60622, BID-60623, BID-60624, BID-60625, BID-60626, BID-60627, BID-60629, BID-60630, BID-60631, BID-60632, BID-60633, BID-60634, BID-60635, BID-60636, BID-60637, BID-60638, BID-60639, BID-60640, BID-60641, BID-60643, BID-60644, BID-60645, BID-60646, BID-60647, BID-60649, BID-60650, BID-60651, BID-60652, BID-60653, BID-60654, BID-60655, BID-60656, BID-60657, BID-60658, BID-60659, c03868911, c03874547, c03898880, CERTA-2013-AVI-361, CERTFR-2014-AVI-244, CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2467, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3744, DSA-2722-1, DSA-2727-1, FEDORA-2013-11281, FEDORA-2013-11285, HPSBUX02907, HPSBUX02908, HPSBUX02922, IC94453, javacpujun2013, KLYH95CMCJ, MDVSA-2013:183, MDVSA-2013:196, openSUSE-SU-2013:1247-1, openSUSE-SU-2013:1288-1, PSA-2013-0811-1, PSA-2013-0813-1, PSA-2013-0819-1, PSA-2013-0827-1, RHSA-2013:0957-01, RHSA-2013:0958-01, RHSA-2013:0963-01, RHSA-2013:1014-01, RHSA-2013:1059-01, RHSA-2013:1060-01, RHSA-2013:1081-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT101305, SUSE-SU-2013:1238-1, SUSE-SU-2013:1254-1, SUSE-SU-2013:1255-1, SUSE-SU-2013:1255-2, SUSE-SU-2013:1255-3, SUSE-SU-2013:1256-1, SUSE-SU-2013:1257-1, SUSE-SU-2013:1263-1, SUSE-SU-2013:1263-2, SUSE-SU-2013:1264-1, SUSE-SU-2013:1293-2, SUSE-SU-2013:1305-1, swg21641098, swg21644918, VIGILANCE-VUL-12992, VMSA-2013-0006.1, VMSA-2013-0009.1, VMSA-2013-0012.1, VU#225657, ZDI-13-132, ZDI-13-151, ZDI-13-152, ZDI-13-153, ZDI-13-154, ZDI-13-155, ZDI-13-156, ZDI-13-157, ZDI-13-158, ZDI-13-159, ZDI-13-160.

Description of the vulnerability

Several vulnerabilities were announced in Oracle JRE, JDK, JavaFX.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60651, CVE-2013-2470, ZDI-13-158]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60659, CVE-2013-2471, ZDI-13-152]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60656, CVE-2013-2472, ZDI-13-151]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60623, CVE-2013-2473, ZDI-13-154]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60655, CVE-2013-2463, ZDI-13-156]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60631, CVE-2013-2464, ZDI-13-157]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60657, CVE-2013-2465, ZDI-13-153]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60658, CVE-2013-2469, ZDI-13-155]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60647, CVE-2013-2459, PSA-2013-0811-1]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60637, CVE-2013-2468]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60624, CVE-2013-2466]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-60626, CVE-2013-3743]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60630, CVE-2013-2462]

An attacker can use a vulnerability of Serviceability, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-60635, CVE-2013-2460]

An attacker can use a vulnerability of Hotspot, in order to create a denial of service. [severity:2/4; BID-60639, CVE-2013-2445]

An attacker can use a vulnerability of Sound, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60640, CVE-2013-2448, ZDI-13-160]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60643, CVE-2013-2442]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60645, CVE-2013-2461]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-60649, CVE-2013-2467]

An attacker can use a vulnerability of Libraries, in order to obtain information, or to create a denial of service. [severity:3/4; BID-60653, CVE-2013-2407]

An attacker can use a vulnerability of JDBC, in order to obtain or alter information. [severity:2/4; BID-60650, CVE-2013-2454]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; BID-60652, CVE-2013-2458]

An attacker can use a vulnerability of AWT, in order to create a denial of service. [severity:2/4; BID-60633, CVE-2013-2444]

An attacker can use a vulnerability of CORBA, in order to obtain information. [severity:2/4; BID-60620, CVE-2013-2446]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-60636, CVE-2013-2437]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-60621, CVE-2013-2400]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-60654, CVE-2013-3744]

An attacker can use a vulnerability of JMX, in order to alter information. [severity:2/4; BID-60632, CVE-2013-2457]

An attacker can use a vulnerability of JMX, in order to alter information. [severity:2/4; BID-60644, CVE-2013-2453]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; BID-60646, CVE-2013-2443]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; BID-60617, CVE-2013-2452]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; BID-60619, CVE-2013-2455, ZDI-13-159]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-60629, CVE-2013-2447]

An attacker can use a vulnerability of Serialization, in order to create a denial of service. [severity:2/4; BID-60638, CVE-2013-2450]

An attacker can use a vulnerability of Serialization, in order to obtain information. [severity:2/4; BID-60641, CVE-2013-2456]

An attacker can use a vulnerability of Serviceability, in order to obtain information. [severity:2/4; BID-60618, CVE-2013-2412]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; BID-60622, CVE-2013-2449]

An attacker can use a vulnerability of Javadoc, in order to alter information (VIGILANCE-VUL-13106). [severity:2/4; BID-60634, CVE-2013-1571, swg21641098, VU#225657]

An attacker can use a vulnerability of Networking, in order to alter information. [severity:2/4; BID-60625, CVE-2013-2451]

An attacker can use a vulnerability of 2D, in order to obtain or alter information. [severity:1/4; BID-60627, CVE-2013-1500]

computer vulnerability bulletin CVE-2013-0401 CVE-2013-0402 CVE-2013-1488

Oracle JRE, JDK, JavaFX: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Oracle JRE, JDK and JavaFX can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Fedora, HP-UX, Domino, Notes, Tivoli System Automation, Junos Space, Junos Space Network Management Platform, Java OpenJDK, openSUSE, Java Oracle, JavaFX, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 42.
Creation date: 17/04/2013.
Identifiers: BID-59088, BID-59089, BID-59124, BID-59128, BID-59131, BID-59137, BID-59141, BID-59145, BID-59149, BID-59153, BID-59154, BID-59159, BID-59162, BID-59165, BID-59166, BID-59167, BID-59170, BID-59172, BID-59175, BID-59178, BID-59179, BID-59184, BID-59185, BID-59187, BID-59190, BID-59191, BID-59194, BID-59195, BID-59203, BID-59206, BID-59208, BID-59212, BID-59213, BID-59219, BID-59220, BID-59228, BID-59234, BID-59243, bulletinoct2015, c03874547, c03898880, CERTA-2013-AVI-256, CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440, FEDORA-2013-5922, FEDORA-2013-5958, HPSBUX02908, HPSBUX02922, javacpuapr2013, KLYH95CMCJ, MDVSA-2013:145, MDVSA-2013:161, openSUSE-SU-2013:0745-1, openSUSE-SU-2013:0777-1, openSUSE-SU-2013:0964-1, openSUSE-SU-2013:0993-1, RHSA-2013:0751-01, RHSA-2013:0752-01, RHSA-2013:0757-01, RHSA-2013:0758-01, RHSA-2013:0770-01, RHSA-2013:0822-01, RHSA-2013:0823-01, RHSA-2013:0855-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SA-20130417-1, SE-2012-01, SSRT101305, SUSE-SU-2013:0814-1, SUSE-SU-2013:0835-1, SUSE-SU-2013:0835-2, SUSE-SU-2013:0835-3, SUSE-SU-2013:0871-1, SUSE-SU-2013:0871-2, SUSE-SU-2013:0934-1, swg21644918, swg21645096, swg21645100, VIGILANCE-VUL-12678, ZDI-13-068, ZDI-13-069, ZDI-13-070, ZDI-13-071, ZDI-13-072, ZDI-13-073, ZDI-13-074, ZDI-13-075, ZDI-13-076, ZDI-13-077, ZDI-13-078, ZDI-13-079, ZDI-13-089.

Description of the vulnerability

Several vulnerabilities were announced in Oracle JRE, JDK and JavaFX. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of ICU 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59190, CVE-2013-2383, ZDI-13-070]

An attacker can use a vulnerability of ICU 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59179, CVE-2013-2384, ZDI-13-068]

An attacker can use a vulnerability of ICU 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59166, CVE-2013-1569, ZDI-13-069]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59137, CVE-2013-2434, ZDI-13-071]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59154, CVE-2013-2432]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59167, CVE-2013-2420, ZDI-13-073]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2013-1491, ZDI-13-078]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59219, CVE-2013-1558]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59124, CVE-2013-2440]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59089, CVE-2013-2435]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59165, CVE-2013-2431]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59191, CVE-2013-2425]

An attacker can use a vulnerability of JAXP, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59141, CVE-2013-1518]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59234, CVE-2013-2414]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59175, CVE-2013-2428, ZDI-13-074]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59128, CVE-2013-2427]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59228, CVE-2013-2422]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59194, CVE-2013-1537]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59170, CVE-2013-1557]

An attacker can use a vulnerability of HotSpot, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59153, CVE-2013-2421]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2013-0402, ZDI-13-077]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59206, CVE-2013-2426, ZDI-13-075]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59213, CVE-2013-2436, ZDI-13-079]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2013-1488, ZDI-13-076]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59172, CVE-2013-2394, ZDI-13-072]

An attacker can use a vulnerability of ImageIO, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59243, CVE-2013-2430]

An attacker can use a vulnerability of ImageIO, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59184, CVE-2013-2429]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59208, CVE-2013-1563]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59178, CVE-2013-2439]

An attacker can use a vulnerability of AWT, in order to obtain or alter information. [severity:3/4; CVE-2013-0401, ZDI-13-089]

An attacker can use a vulnerability of ICU 2D, in order to create a denial of service. [severity:2/4; BID-59131, CVE-2013-2419]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-59159, CVE-2013-2424]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; BID-59203, CVE-2013-1561]

An attacker can use a vulnerability of JavaFX, in order to alter information. [severity:2/4; BID-59195, CVE-2013-1564]

An attacker can use a vulnerability of JavaFX, in order to alter information. [severity:2/4; BID-59185, CVE-2013-2438]

An attacker can use a vulnerability of Networking, in order to create a denial of service. [severity:2/4; BID-59187, CVE-2013-2417]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-59145, CVE-2013-2418]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-59088, CVE-2013-2416, SA-20130417-1]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-59220, CVE-2013-2433]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-59149, CVE-2013-1540]

An attacker can use a vulnerability of Hotspot, in order to alter information. [severity:2/4; BID-59162, CVE-2013-2423]

An attacker can use a vulnerability of JAX-WS, in order to obtain information. [severity:1/4; BID-59212, CVE-2013-2415]
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2013-0809

Oracle Java JRE: code execution via 2D

Synthesis of the vulnerability

An attacker can invite the victim to display a web page containing a Java applet (or Java Web Start) that uses the 2D component, in order to execute code on the victim's computer.
Impacted products: Fedora, HP-UX, Domino, Notes, Tivoli System Automation, WebSphere AS Traditional, WebSphere MQ, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 05/03/2013.
Identifiers: BID-58296, c03714148, c03725347, c03735640, CERTA-2013-AVI-163, CVE-2013-0809, FEDORA-2013-3467, FEDORA-2013-3468, HPSBUX02857, HPSBUX02864, HPSBUX02867, IC90659, KLYH95CMCJ, MDVSA-2013:021, MDVSA-2013:095, openSUSE-SU-2013:0430-1, openSUSE-SU-2013:0438-1, openSUSE-SU-2013:0509-1, RHSA-2013:0600-01, RHSA-2013:0601-01, RHSA-2013:0602-01, RHSA-2013:0603-01, RHSA-2013:0604-01, RHSA-2013:0605-01, RHSA-2013:0624-01, RHSA-2013:0625-01, RHSA-2013:0626-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT101103, SSRT101156, SUSE-SU-2013:0434-1, SUSE-SU-2013:0701-1, SUSE-SU-2013:0701-2, SUSE-SU-2013:0710-1, swg21627634, swg21633669, swg21633674, swg21644918, swg21645096, swg21645100, VIGILANCE-VUL-12481, VU#688246, ZDI-13-148.

Description of the vulnerability

An attacker can invite the victim to display a web page containing a Java applet (or Java Web Start) that uses the 2D component, in order to execute code on the victim's computer.

This vulnerability does not impact servers using Java.

computer vulnerability bulletin CVE-2013-1493

Oracle Java JRE: code execution via 2D

Synthesis of the vulnerability

An attacker can invite the victim to display a web page containing a Java applet (or Java Web Start) that uses the 2D component, in order to execute code on the victim's computer.
Impacted products: Fedora, HP-UX, Domino, Notes, Tivoli System Automation, WebSphere AS Traditional, WebSphere MQ, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 04/03/2013.
Identifiers: BID-58238, c03714148, c03725347, c03735640, CERTA-2013-AVI-163, CVE-2013-1493, FEDORA-2013-3467, FEDORA-2013-3468, HPSBUX02857, HPSBUX02864, HPSBUX02867, IC90659, KLYH95CMCJ, MDVSA-2013:021, MDVSA-2013:095, openSUSE-SU-2013:0430-1, openSUSE-SU-2013:0438-1, openSUSE-SU-2013:0509-1, RHSA-2013:0600-01, RHSA-2013:0601-01, RHSA-2013:0602-01, RHSA-2013:0603-01, RHSA-2013:0604-01, RHSA-2013:0605-01, RHSA-2013:0624-01, RHSA-2013:0625-01, RHSA-2013:0626-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT101103, SSRT101156, SUSE-SU-2013:0434-1, SUSE-SU-2013:0701-1, SUSE-SU-2013:0701-2, SUSE-SU-2013:0710-1, swg21627634, swg21633669, swg21633674, swg21644918, swg21645096, swg21645100, VIGILANCE-VUL-12478, VU#688246, ZDI-13-142, ZDI-13-149.

Description of the vulnerability

An attacker can invite the victim to display a web page containing a Java applet (or Java Web Start) that uses the 2D component, in order to execute code on the victim's computer.

The vulnerability is located in the Color Management classes.

This vulnerability does not impact servers using Java.

computer vulnerability announce CVE-2013-0169 CVE-2013-1484 CVE-2013-1485

Oracle JRE, JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Oracle JRE and JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Fedora, HP-UX, Domino, Notes, IRAD, Tivoli System Automation, WebSphere AS Traditional, WebSphere MQ, Mandriva Linux, ePO, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 20/02/2013.
Identifiers: BID-57778, BID-58027, BID-58028, BID-58029, BID-58031, c03714148, c03735640, CERTA-2013-AVI-142, CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487, FEDORA-2013-2764, FEDORA-2013-2813, HPSBUX02857, HPSBUX02867, IC90659, javacpufeb2013update, KLYH95CMCJ, MDVSA-2013:014, MDVSA-2013:095, openSUSE-SU-2013:0375-1, openSUSE-SU-2013:0378-1, RHSA-2013:0273-01, RHSA-2013:0274-01, RHSA-2013:0275-01, RHSA-2013:0531-01, RHSA-2013:0532-01, RHSA-2013:0624-01, RHSA-2013:0625-01, RHSA-2013:0626-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SB10041, SSRT101103, SUSE-SU-2013:0328-1, SUSE-SU-2013:0440-1, SUSE-SU-2013:0440-4, SUSE-SU-2013:0440-6, SUSE-SU-2013:0456-1, SUSE-SU-2013:0456-2, SUSE-SU-2013:0456-3, SUSE-SU-2013:0456-4, SUSE-SU-2013:0701-2, swg21627634, swg21633311, swg21633669, swg21633674, swg21644918, swg21645096, swg21645100, VIGILANCE-VUL-12437, ZDI-13-040, ZDI-13-041, ZDI-13-042.

Description of the vulnerability

Several vulnerabilities were announced in Oracle JRE and JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-58031, CVE-2013-1487]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-58029, CVE-2013-1486]

An attacker can use a vulnerability of Proxy.newProxyInstance and setUncaughtExceptionHandler, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-58027, CVE-2013-1484, ZDI-13-040, ZDI-13-042]

An attacker can use a vulnerability of doPrivilegedWithCombiner, in order to alter information. [severity:2/4; BID-58028, CVE-2013-1485, ZDI-13-041]

An attacker can inject incorrectly encrypted messages into a TLS/DTLS session in CBC mode, and measure the delay before the error message is received, in order to progressively guess the clear content of the session (VIGILANCE-VUL-12374). [severity:1/4; BID-57778, CVE-2013-0169]

vulnerability note CVE-2013-0169 CVE-2013-1619 CVE-2013-1620

TLS, DTLS: information disclosure in CBC mode, Lucky 13

Synthesis of the vulnerability

An attacker can inject incorrectly encrypted messages into a TLS/DTLS session in CBC mode, and measure the delay before the error message is received, in order to progressively guess the clear content of the session.
Impacted products: Bouncy Castle JCE, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, DB2 UDB, Tivoli Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, Mandriva Linux, McAfee Email and Web Security, ePO, MySQL Enterprise, NetScreen Firewall, ScreenOS, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Opera, Java Oracle, Solaris, pfSense, SSL protocol, RHEL, JBoss EAP by Red Hat, Slackware, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Consequences: data reading.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 7.
Creation date: 05/02/2013.
Identifiers: 1639354, 1643316, 1672363, BID-57736, BID-57774, BID-57776, BID-57777, BID-57778, BID-57780, BID-57781, c03710522, c03883001, CERTA-2013-AVI-099, CERTA-2013-AVI-109, CERTA-2013-AVI-339, CERTA-2013-AVI-454, CERTA-2013-AVI-543, CERTA-2013-AVI-657, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CERTFR-2014-AVI-286, CVE-2013-0169, CVE-2013-1619, CVE-2013-1620, CVE-2013-1621, CVE-2013-1622-REJECT, CVE-2013-1623, CVE-2013-1624, DLA-1518-1, DSA-2621-1, DSA-2622-1, ESX400-201310001, ESX400-201310401-SG, ESX400-201310402-SG, ESX410-201307001, ESX410-201307401-SG, ESX410-201307403-SG, ESX410-201307404-SG, ESX410-201307405-SG, ESX410-201312001, ESX410-201312401-SG, ESX410-201312403-SG, ESXi410-201307001, ESXi410-201307401-SG, ESXi510-201401101-SG, FEDORA-2013-2110, FEDORA-2013-2128, FEDORA-2013-2764, FEDORA-2013-2793, FEDORA-2013-2813, FEDORA-2013-2834, FEDORA-2013-2892, FEDORA-2013-2929, FEDORA-2013-2984, FEDORA-2013-3079, FEDORA-2013-4403, FreeBSD-SA-13:03.openssl, GNUTLS-SA-2013-1, HPSBUX02856, HPSBUX02909, IC90385, IC90395, IC90396, IC90397, IC90660, IC93077, JSA10575, JSA10580, JSA10759, Lucky 13, MDVSA-2013:014, MDVSA-2013:018, MDVSA-2013:019, MDVSA-2013:040, MDVSA-2013:050, MDVSA-2013:052, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, openSUSE-SU-2013:0807-1, openSUSE-SU-2016:0640-1, RHSA-2013:0273-01, RHSA-2013:0274-01, RHSA-2013:0275-01, RHSA-2013:0531-01, RHSA-2013:0532-01, RHSA-2013:0587-01, RHSA-2013:0588-01, RHSA-2013:0636-01, RHSA-2013:0782-01, RHSA-2013:0783-01, RHSA-2013:0833-01, RHSA-2013:0834-02, RHSA-2013:0839-02, RHSA-2013:1135-01, RHSA-2013:1144-01, RHSA-2013:1181-01, RHSA-2013:1455-01, RHSA-2013:1456-01, RHSA-2014:0371-01, RHSA-2014:0372-01, RHSA-2014:0896-01, RHSA-2015:1009, SOL14190, SOL15630, SSA:2013-040-01, SSA:2013-042-01, SSA:2013-242-01, SSA:2013-242-03, SSA:2013-287-03, SSRT101104, SSRT101289, SUSE-SU-2013:0328-1, SUSE-SU-2014:0320-1, SUSE-SU-2014:0322-1, swg21633669, swg21638270, swg21639354, swg21640169, VIGILANCE-VUL-12374, VMSA-2013-0006.1, VMSA-2013-0007.1, VMSA-2013-0009, VMSA-2013-0009.1, VMSA-2013-0009.2, VMSA-2013-0009.3, VMSA-2013-0015.

Description of the vulnerability

The TLS protocol uses a block cipher. In CBC (Cipher Block Chaining) mode, the encryption of each block depends on the previous block.

When an incorrectly encrypted message is received, a fatal error message is sent back to the sender. However, the time taken to generate this error message depends on the number of valid bytes processed by the MAC hash.

An attacker can therefore inject incorrectly encrypted messages into a TLS/DTLS session in CBC mode, and measure the delay before the error message is received, in order to progressively guess the clear content of the session.

Guessing one clear block requires 2^23 TLS sessions. So, to exploit this vulnerability, the TLS client has to keep opening a new session as soon as the previous one has ended with a fatal error.

computer vulnerability bulletin CVE-2012-1541 CVE-2012-1543 CVE-2012-3213

Oracle JRE, JDK, JavaFX: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Oracle JRE, JDK and JavaFX can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Fedora, HP-UX, IRAD, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, Mandriva Linux, Java OpenJDK, openSUSE, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 50.
Creation date: 04/02/2013.
Identifiers: 1677352, BID-57670, BID-57681, BID-57682, BID-57683, BID-57684, BID-57685, BID-57686, BID-57687, BID-57688, BID-57689, BID-57690, BID-57691, BID-57692, BID-57693, BID-57694, BID-57695, BID-57696, BID-57697, BID-57699, BID-57700, BID-57701, BID-57702, BID-57703, BID-57704, BID-57705, BID-57706, BID-57707, BID-57708, BID-57709, BID-57710, BID-57711, BID-57712, BID-57713, BID-57714, BID-57715, BID-57716, BID-57717, BID-57718, BID-57719, BID-57720, BID-57721, BID-57722, BID-57723, BID-57724, BID-57725, BID-57726, BID-57727, BID-57728, BID-57729, BID-57730, BID-57731, c03714148, c03725347, c03735640, CERTA-2013-AVI-092, CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0436, CVE-2013-0437, CVE-2013-0438, CVE-2013-0439, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1472, CVE-2013-1473, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483, CVE-2013-1489, FEDORA-2013-1898, FEDORA-2013-2188, FEDORA-2013-2197, FEDORA-2013-2205, FEDORA-2013-2209, HPSBUX02857, HPSBUX02864, HPSBUX02867, IC90659, javacpufeb2013, MDVSA-2013:010, MDVSA-2013:095, openSUSE-SU-2013:0308-1, openSUSE-SU-2013:0312-1, openSUSE-SU-2013:0377-1, RHSA-2013:0236-01, RHSA-2013:0237-01, RHSA-2013:0245-01, RHSA-2013:0246-01, RHSA-2013:0247-01, RHSA-2013:0624-01, RHSA-2013:0625-01, RHSA-2013:0626-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SE-2012-01, SSRT101103, SSRT101156, SUSE-SU-2013:0315-1, SUSE-SU-2013:0440-1, SUSE-SU-2013:0440-2, SUSE-SU-2013:0440-3, SUSE-SU-2013:0440-4, SUSE-SU-2013:0440-6, SUSE-SU-2013:0456-1, SUSE-SU-2013:0456-2, SUSE-SU-2013:0456-3, SUSE-SU-2013:0456-4, swg21627634, swg21633311, swg21633669, swg21633674, swg21645096, swg21645100, VIGILANCE-VUL-12368, VU#858729, ZDI-13-010, ZDI-13-011, ZDI-13-012, ZDI-13-013, ZDI-13-022, ZDI-13-023.

Description of the vulnerability

Several vulnerabilities were announced in Oracle JRE, JDK and JavaFX. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57681, CVE-2013-0437]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57686, CVE-2013-1478]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57687, CVE-2013-0442]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57689, CVE-2013-0445]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57691, CVE-2013-1480, ZDI-13-022]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57692, CVE-2013-0441]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57694, CVE-2013-1475]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57696, CVE-2013-1476]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57697, CVE-2012-1541]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57699, CVE-2013-0446]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57700, CVE-2012-3342]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57703, CVE-2013-0450]

An attacker can use a vulnerability of JavaFX D3DRendererDelegate, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57706, CVE-2013-1479, ZDI-13-023]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57709, CVE-2013-0425]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57711, CVE-2013-0426]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57713, CVE-2013-0428]

An attacker can use a vulnerability of Scripting NativeJavaConstructor, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57717, CVE-2012-3213, ZDI-13-011]

An attacker can use a vulnerability of Sound PV_ProcessSampleWithSMOD, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57718, CVE-2013-1481, ZDI-13-010]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57721, CVE-2013-0436]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57725, CVE-2013-0439]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57682, CVE-2013-0447]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57683, CVE-2013-1472]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57684, CVE-2012-4301]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57685, CVE-2013-1477]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57688, CVE-2013-1482]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57693, CVE-2013-1483]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57690, CVE-2013-1474]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57695, CVE-2012-4305]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57701, CVE-2013-0444]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57710, CVE-2013-0429]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57714, CVE-2013-0419]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57716, CVE-2013-0423]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57705, CVE-2012-1543, ZDI-13-012, ZDI-13-013]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57720, CVE-2013-0351]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-57722, CVE-2013-0430]

An attacker can use a vulnerability of AWT, in order to obtain or alter information. [severity:3/4; BID-57727, CVE-2013-0432]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-57704, CVE-2013-0449]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-57731, CVE-2013-1473]

An attacker can use a vulnerability of JAX-WS, in order to obtain information. [severity:2/4; BID-57729, CVE-2013-0435]

An attacker can use a vulnerability of JAXP, in order to obtain information. [severity:2/4; BID-57730, CVE-2013-0434]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-57728, CVE-2013-0409]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-57726, CVE-2013-0431]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-57724, CVE-2013-0427]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-57723, CVE-2013-0448]

An attacker can use a vulnerability of Networking, in order to alter information. [severity:2/4; BID-57719, CVE-2013-0433]

An attacker can use a vulnerability of RMI, in order to alter information. [severity:2/4; BID-57715, CVE-2013-0424]

An attacker can use a vulnerability of JSSE, in order to create a denial of service. [severity:2/4; BID-57712, CVE-2013-0440]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-57708, CVE-2013-0438]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; BID-57702, CVE-2013-0443]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:1/4; BID-57707, CVE-2013-1489, SE-2012-01]

computer vulnerability bulletin CVE-2012-3174

Oracle Java JRE: code execution via MethodHandle

Synthesis of the vulnerability

An attacker can create a malicious applet, using MethodHandle and sun.misc.reflect.Trampoline, in order to execute arbitrary Java code.
Impacted products: Fedora, Tivoli System Automation, WebSphere AS Traditional, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 14/01/2013.
Identifiers: BID-57312, CVE-2012-3174, FEDORA-2013-0853, FEDORA-2013-0868, FEDORA-2013-0888, MDVSA-2013:095, openSUSE-SU-2013:0199-1, RHSA-2013:0156-01, RHSA-2013:0165-01, RHSA-2013:0624-01, RHSA-2013:0625-01, RHSA-2013:0626-01, SUSE-SU-2013:0440-1, swg21627634, swg21645096, swg21645100, VIGILANCE-VUL-12328, ZDI-13-002.

Description of the vulnerability

An attacker can create a malicious applet, using MethodHandle and sun.misc.reflect.Trampoline, in order to execute arbitrary Java code.