
Vulnerability of Oracle Java: multiple vulnerabilities of January 2014

Summary of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Severity of this alert: 3/4.
Number of vulnerabilities in this bulletin: 36.
Creation date: 15/01/2014.
References of this alert: 1663938, 1670264, 1671242, 1671245, 1674922, 1675938, 1679983, 4006386, 7014224, BID-64863, BID-64875, BID-64882, BID-64890, BID-64894, BID-64899, BID-64901, BID-64903, BID-64906, BID-64907, BID-64910, BID-64912, BID-64914, BID-64915, BID-64916, BID-64917, BID-64918, BID-64919, BID-64920, BID-64921, BID-64922, BID-64923, BID-64924, BID-64925, BID-64926, BID-64927, BID-64928, BID-64929, BID-64930, BID-64931, BID-64932, BID-64933, BID-64934, BID-64935, BID-64936, BID-64937, c04166777, c04166778, CERTA-2014-AVI-030, CERTFR-2014-AVI-199, CERTFR-2014-AVI-480, CERTFR-2016-AVI-300, cpujan2014, CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0382, CVE-2014-0385, CVE-2014-0387, CVE-2014-0403, CVE-2014-0408, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, ESA-2014-002, FEDORA-2014-0885, FEDORA-2014-0945, FEDORA-2014-1048, FEDORA-2014-2071, FEDORA-2014-2088, HPSBUX02972, HPSBUX02973, JSA10659, MDVSA-2014:011, openSUSE-SU-2014:0174-1, openSUSE-SU-2014:0177-1, openSUSE-SU-2014:0180-1, RHSA-2014:0026-01, RHSA-2014:0027-01, RHSA-2014:0030-01, RHSA-2014:0097-01, RHSA-2014:0134-01, RHSA-2014:0135-01, RHSA-2014:0136-01, RHSA-2014:0982-01, SOL17381, SSRT101454, SSRT101455, SUSE-SU-2014:0246-1, SUSE-SU-2014:0266-1, SUSE-SU-2014:0266-2, SUSE-SU-2014:0266-3, SUSE-SU-2014:0451-1, USN-2124-1, USN-2124-2, VIGILANCE-VUL-14087, ZDI-14-013, ZDI-14-038.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64915, CVE-2014-0410]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64899, CVE-2014-0415]

An attacker can use a vulnerability of 2D TTF Font Parsing, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64894, CVE-2013-5907, ZDI-14-013, ZDI-14-038]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64935, CVE-2014-0428]

An attacker can use a vulnerability of JNDI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64921, CVE-2014-0422]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64901, CVE-2014-0385]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64931, CVE-2013-5889]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64910, CVE-2014-0408]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64863, CVE-2013-5893]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64932, CVE-2014-0417]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64882, CVE-2014-0387]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64919, CVE-2014-0424]

An attacker can use a vulnerability of Serviceability, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64922, CVE-2014-0373]

An attacker can use a vulnerability of Security, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64927, CVE-2013-5878]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64890, CVE-2013-5904]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64929, CVE-2013-5870]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; BID-64920, CVE-2014-0403]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; BID-64916, CVE-2014-0375]

An attacker can use a vulnerability of Beans, in order to obtain information, or to trigger a denial of service. [severity:2/4; BID-64914, CVE-2014-0423]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64934, CVE-2013-5905]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64903, CVE-2013-5906]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64923, CVE-2013-5902]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64917, CVE-2014-0418]

An attacker can use a vulnerability of Deployment, in order to trigger a denial of service. [severity:2/4; BID-64875, CVE-2013-5887]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-64928, CVE-2013-5899]

An attacker can use a vulnerability of CORBA, in order to trigger a denial of service. [severity:2/4; BID-64926, CVE-2013-5896]

An attacker can use a vulnerability of CORBA, in order to obtain information. [severity:2/4; BID-64924, CVE-2013-5884]

An attacker can use a vulnerability of JAAS, in order to alter information. [severity:2/4; BID-64937, CVE-2014-0416]

An attacker can use a vulnerability of JAXP, in order to alter information. [severity:2/4; BID-64907, CVE-2014-0376]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-64930, CVE-2014-0368]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; BID-64933, CVE-2013-5910]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:2/4; BID-64906, CVE-2013-5895]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64925, CVE-2013-5888]

An attacker can use a vulnerability of JavaFX, in order to trigger a denial of service. [severity:2/4; BID-64936, CVE-2014-0382]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:2/4; BID-64912, CVE-2013-5898]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:2/4; BID-64918, CVE-2014-0411]

This security note impacts software or systems such as Avamar, BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, Domino, Notes, IRAD, Tivoli System Automation, WebSphere AS Traditional, WebSphere MQ, Junos Space, Java OpenJDK, openSUSE, Java Oracle, JavaFX, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) (list not comprehensive).

The Vigil@nce team rates the severity of this security announcement as important (3/4).

Trust level: confirmed by the vendor (origin: vendor document).

This bulletin is about 36 vulnerabilities.

Exploiting these vulnerabilities requires an attacker with expert-level skill.

Solutions for this threat

Oracle Java: version 7u51.
The version 7u51 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java: version 6u71.
The version 6u71 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

Oracle Java: version 5.0u61.
The version 5.0u61 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html

IcedTea: versions 2.3.13 and 2.4.4.
Versions 2.3.13 and 2.4.4 are fixed:
  http://icedtea.classpath.org/download/source/icedtea-2.3.13.tar.gz
  http://icedtea.classpath.org/download/source/icedtea-2.4.4.tar.gz

IcedTea: versions 1.12.8 and 1.13.1.
Versions 1.12.8 and 1.13.1 are fixed:
  http://icedtea.classpath.org/download/source/icedtea6-1.12.8.tar.gz
  http://icedtea.classpath.org/download/source/icedtea6-1.13.1.tar.gz

IcedTea: version 1.11.15.
The version 1.11.15 is fixed:
  http://icedtea.classpath.org/download/source/icedtea6-1.11.15.tar.gz

IcedTea-Web: version 1.4.2.
The version 1.4.2 is fixed:
  http://icedtea.wildebeest.org/download/source/icedtea-web-1.4.2.tar.gz

AIX: fixed versions for Java.
The following versions are fixed:
IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 4:
  32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
  64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 6 Service Refresh 15:
  32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
  64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 7 Service Refresh 6:
  32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
  64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK

EMC Avamar: solution for JRE.
The solution is indicated in information sources.

F5 BIG-IP: fixed versions for OpenJDK.
Fixed versions are indicated in information sources.

Fedora: new icedtea-web packages.
New packages are available:
  icedtea-web-1.4.2-0.fc19
  icedtea-web-1.4.2-0.fc20

Fedora: new java-1.7.0-openjdk packages.
New packages are available:
  java-1.7.0-openjdk-1.7.0.60-2.4.4.0.fc19
  java-1.7.0-openjdk-1.7.0.60-2.4.4.0.fc20

HP-UX: Java version 6.0.22.
The version 6.0.22 is fixed:
  http://www.hp.com/java

HP-UX: Java version 7.0.09.
The version 7.0.09 is fixed:
  https://h20565.www2.hpe.com/portal/site/hpsc/public/psi/home/?sp4ts.oid=4268160

IBM Domino: patch for Java.
A patch will be provided.

IBM Notes: patch for Java.
A patch will be provided.

IBM Rational Application Developer: solution for Java.
The solution is indicated in information sources.

IBM Tivoli System Automation: patch for Java.
A patch is available in information sources.

Junos Space: version 14.1R1.
The version 14.1R1 is fixed:
  http://www.juniper.net/support/downloads/?p=space#sw

Mandriva: new java-1.7.0-openjdk packages.
New packages are available:
  java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mbs1

NetIQ Sentinel: version 7.1.2.
The version 7.1.2 is fixed:
  https://www.netiq.com/

openSUSE: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 12.3 : java-1_7_0-openjdk-1.7.0.6-8.32.5
  openSUSE 13.1 : java-1_7_0-openjdk-1.7.0.6-24.13.5

Red Hat Satellite: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.0-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.0-1jpp.1.el6

RHEL: new java-1.5.0-ibm packages.
New packages are available:
  java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el5_10
  java-1.5.0-ibm-1.5.0.16.5-1jpp.1.el6_5

RHEL: new java-1.6.0-ibm packages.
New packages are available:
  java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el5_10
  java-1.6.0-ibm-1.6.0.15.1-1jpp.1.el6_5

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el5_10
  java-1.6.0-openjdk-1.6.0.0-3.1.13.1.el6_5

RHEL: new java-1.7.0-ibm packages.
New packages are available:
  java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el5_10
  java-1.7.0-ibm-1.7.0.6.1-1jpp.1.el6_5

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el5_10
  java-1.7.0-openjdk-1.7.0.51-2.4.4.1.el6_5

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  java-1.7.0-oracle-1.7.0.51-1jpp.1.el5_10
  java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5

SUSE LE 10: new java-1_5_0-ibm packages.
New packages are available:
  java-1_5_0-ibm-1.5.0_sr16.5-0.6.1

SUSE LE 11: new java-1_6_0-ibm packages.
New packages are available:
  java-1_6_0-ibm-1.6.0_sr15.1-0.6.1

SUSE LE 11: new java-1_7_0-ibm packages.
New packages are available:
  java-1_7_0-ibm-1.7.0_sr6.1-0.8.1

SUSE Manager 1.7 for SLE 11 SP2: new java-1_6_0-ibm packages.
New packages are available:
  SUSE Manager 1.7 for SLE 11 SP2: java-1_6_0-ibm 1.6.0_sr15.1-0.6.1

Ubuntu: new openjdk-6-jre packages.
New packages are available:
  Ubuntu 12.04 LTS: openjdk-6-jre 6b30-1.13.1-1ubuntu2~0.12.04.3
  Ubuntu 10.04 LTS: openjdk-6-jre 6b30-1.13.1-1ubuntu2~0.10.04.2

WebSphere Application Server: solution for Java.
The solution is indicated in information sources.

WebSphere MQ: patches for Java.
IBM WebSphere MQ includes a Java Runtime Environment.
Applicable patches are indicated in information sources. An installation procedure is included.

WebSphere MQ: version 7.0.1.13.
The version 7.0.1.13 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg21960691
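A version check for this bulletin, added here as an example; it is not part of the Vigil@nce bulletin nor of any vendor's tooling. It parses the banner printed by `java -version` and compares it with the fixed levels listed above (Oracle 5.0u61, 6u71 and 7u51; IcedTea 1.11.15, 1.12.8, 1.13.1, 2.3.13 and 2.4.4). The IcedTea branch is checked first because distribution OpenJDK builds such as Ubuntu's openjdk-6 6b30-1.13.1 carry the fixes while still reporting an older 1.6.0_NN update number, so judging them by update level alone produces false alarms. The sample banners are constructed, and their build strings are illustrative rather than captured from real systems.

```python
"""Check whether a JRE's `java -version` banner is at or above the fixed level
for Oracle's January 2014 CPU, as listed in this bulletin (example code)."""
import re
import subprocess

# Lowest fixed Oracle update per major line, from the bulletin (5.0u61, 6u71, 7u51).
FIXED_UPDATE = {5: 61, 6: 71, 7: 51}

# Lowest fixed IcedTea release per branch, from the bulletin
# (1.11.15, 1.12.8, 1.13.1, 2.3.13, 2.4.4). IcedTea builds backport the fixes
# without bumping the 1.x.0_NN update number, so they are judged by branch.
FIXED_ICEDTEA = {(1, 11): 15, (1, 12): 8, (1, 13): 1, (2, 3): 13, (2, 4): 4}

# First banner line, e.g. 'java version "1.7.0_45"'.
VERSION_RE = re.compile(r'^(?:java|openjdk) version "1\.(\d+)\.0_(\d+)', re.M)
# Runtime line of IcedTea builds, e.g. '(IcedTea6 1.13.1)' or '(IcedTea 2.4.4)'.
ICEDTEA_RE = re.compile(r'IcedTea\d?\s+(\d+)\.(\d+)\.(\d+)')


def parse_java_version(banner):
    """Return (major, update) from the banner's version line, or None."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_icedtea_version(banner):
    """Return (major, minor, micro) of the IcedTea build, or None for non-IcedTea JREs."""
    m = ICEDTEA_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def is_patched(banner):
    """True if the JRE carries the January 2014 fixes, False if it does not,
    None if the banner is not a release line covered by this bulletin."""
    icedtea = parse_icedtea_version(banner)
    if icedtea is not None:
        branch, micro = icedtea[:2], icedtea[2]
        if branch not in FIXED_ICEDTEA:
            return None
        return micro >= FIXED_ICEDTEA[branch]
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    if major not in FIXED_UPDATE:
        return None
    return update >= FIXED_UPDATE[major]


# Constructed sample banners (assumed formats; not captured from real hosts).
SAMPLES = {
    "oracle_7u45": 'java version "1.7.0_45"\nJava(TM) SE Runtime Environment (build 1.7.0_45-b18)\n',
    "oracle_7u51": 'java version "1.7.0_51"\nJava(TM) SE Runtime Environment (build 1.7.0_51-b13)\n',
    "oracle_5u55": 'java version "1.5.0_55"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_55-b13)\n',
    "openjdk6_icedtea_1_13_1": 'java version "1.6.0_30"\nOpenJDK Runtime Environment (IcedTea6 1.13.1) (6b30-1.13.1-1ubuntu2~0.12.04.3)\n',
    "openjdk7_icedtea_2_4_3": 'java version "1.7.0_45"\nOpenJDK Runtime Environment (IcedTea 2.4.3) (7u45-2.4.3-0)\n',
    "unknown_line": 'java version "1.8.0_05"\n',
}


def local_banner():
    """Run `java -version` on this host; the banner is written to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:28s} patched={is_patched(banner)}")
    banner = local_banner()
    if banner:
        print(f"{'local JRE':28s} patched={is_patched(banner)}")
```

This reads only the JRE's own banner. Distribution packages are better compared against the package versions listed above with the package manager (rpm -q, dpkg -l), and a host may carry several JREs (vendor-bundled ones in WebSphere, Domino or Avamar included), so run the check against each java binary rather than only the one on PATH.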
