Vulnerability of Oracle Java: multiple vulnerabilities of October 2013

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Java.
Severity of this alert: 3/4.
Number of vulnerabilities in this bulletin: 51.
Creation date: 16/10/2013.
References of this alert: 1663589, 1663930, 1664550, 1670264, 1671933, BID-63079, BID-63082, BID-63089, BID-63095, BID-63098, BID-63101, BID-63102, BID-63103, BID-63106, BID-63110, BID-63111, BID-63112, BID-63115, BID-63118, BID-63120, BID-63121, BID-63122, BID-63124, BID-63126, BID-63127, BID-63128, BID-63129, BID-63130, BID-63131, BID-63132, BID-63133, BID-63134, BID-63135, BID-63136, BID-63137, BID-63139, BID-63140, BID-63141, BID-63142, BID-63143, BID-63144, BID-63145, BID-63146, BID-63147, BID-63148, BID-63149, BID-63150, BID-63151, BID-63152, BID-63153, BID-63154, BID-63155, BID-63156, BID-63157, BID-63158, c04031205, c04031212, CERTA-2013-AVI-586, CERTFR-2014-AVI-117, CERTFR-2014-AVI-199, cpuoct2013, CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854, FEDORA-2013-19285, FEDORA-2013-19338, HPSBUX02943, HPSBUX02944, MDVSA-2013:266, MDVSA-2013:267, openSUSE-SU-2013:1663-1, openSUSE-SU-2013:1968-1, RHSA-2013:1440-01, RHSA-2013:1447-01, RHSA-2013:1451-01, RHSA-2013:1505-01, RHSA-2013:1507-01, RHSA-2013:1508-01, RHSA-2013:1509-01, RHSA-2013:1793-01, RHSA-2014:1319-01, RHSA-2014:1818-01, RHSA-2014:1821-01, RHSA-2014:1822-01, RHSA-2014:1823-01, RHSA-2015:0269-01, RHSA-2015:0675-01, RHSA-2015:0773-01, SB10058, SE-2012-01, SOL16872, SOL48802597, SUSE-SU-2013:1666-1, 
SUSE-SU-2013:1669-1, SUSE-SU-2013:1677-2, SUSE-SU-2013:1677-3, VIGILANCE-VUL-13601, VMSA-2014-0002, ZDI-13-244, ZDI-13-245, ZDI-13-246, ZDI-13-247, ZDI-13-248.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Java.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63103, CVE-2013-5782]

An attacker can use a vulnerability of Libraries via LDAP Deserialization, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63121, CVE-2013-5830, ZDI-13-248]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63118, CVE-2013-5809]

An attacker can use a vulnerability of 2D via FileImageInputStream, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63137, CVE-2013-5829, ZDI-13-247]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63143, CVE-2013-5814]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63139, CVE-2013-5824]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63145, CVE-2013-5788]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63155, CVE-2013-5787]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63156, CVE-2013-5789]

An attacker can use a vulnerability of JNDI via LdapCtx, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63146, CVE-2013-5817, ZDI-13-244]

An attacker can use a vulnerability of Libraries via ObjectOutputStream, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63150, CVE-2013-5842, ZDI-13-246]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63151, CVE-2013-5843]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63158, CVE-2013-5832]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63153, CVE-2013-5850]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63131, CVE-2013-5838]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63112, CVE-2013-5805]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63122, CVE-2013-5806]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63127, CVE-2013-5846]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63132, CVE-2013-5810]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63136, CVE-2013-5844]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63140, CVE-2013-5777]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63130, CVE-2013-5852]

An attacker can use a vulnerability of JAXP, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63135, CVE-2013-5802]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63144, CVE-2013-5775]

An attacker can use a vulnerability of Javadoc, in order to obtain or alter information. [severity:3/4; BID-63149, CVE-2013-5804]

An attacker can use a vulnerability of Deployment, in order to obtain information, or to trigger a denial of service. [severity:3/4; BID-63126, CVE-2013-5812]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:3/4; BID-63120, CVE-2013-3829]

An attacker can use a vulnerability of Swing NumberFormatter and RealTimeSequencer, in order to obtain or alter information. [severity:3/4; BID-63154, CVE-2013-5783, ZDI-13-245]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; BID-63101, CVE-2013-5825]

An attacker can use a vulnerability of JAXP, in order to trigger a denial of service. [severity:2/4; CVE-2013-4002]

An attacker can use a vulnerability of Security, in order to trigger a denial of service. [severity:2/4; BID-63110, CVE-2013-5823]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; BID-63134, CVE-2013-5778]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; BID-63147, CVE-2013-5801]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63152, CVE-2013-5776]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63157, CVE-2013-5818]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63141, CVE-2013-5819]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63129, CVE-2013-5831]

An attacker can use a vulnerability of JAX-WS, in order to alter information. [severity:2/4; BID-63133, CVE-2013-5820]

An attacker can use a vulnerability of JAXP, in order to obtain information. [severity:2/4; BID-63142, CVE-2013-5851]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; BID-63148, CVE-2013-5840]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-63128, CVE-2013-5774]

An attacker can use a vulnerability of Deployment, in order to alter information. [severity:2/4; BID-63124, CVE-2013-5848]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:2/4; BID-63115, CVE-2013-5780]

An attacker can use a vulnerability of JGSS, in order to obtain information. [severity:2/4; BID-63111, CVE-2013-5800]

An attacker can use a vulnerability of AWT, in order to obtain information. [severity:2/4; BID-63106, CVE-2013-5849]

An attacker can use a vulnerability of BEANS, in order to obtain information. [severity:2/4; BID-63102, CVE-2013-5790]

An attacker can use a vulnerability of SCRIPTING, in order to alter information. [severity:2/4; BID-63098, CVE-2013-5784]

An attacker can use a vulnerability of Javadoc, in order to alter information. [severity:2/4; BID-63095, CVE-2013-5797]

An attacker can use a vulnerability of jhat, in order to alter information. [severity:1/4; BID-63089, CVE-2013-5772]

An attacker can use a vulnerability of JGSS, in order to trigger a denial of service. [severity:1/4; BID-63082, CVE-2013-5803]

An attacker can use a vulnerability of JavaFX, in order to obtain information. [severity:1/4; BID-63079, CVE-2013-5854]

This computer threat announcement impacts software or systems such as BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, DB2 UDB, Domino, Notes, Tivoli System Automation, WebSphere MQ, ePO, Java OpenJDK, openSUSE, Java Oracle, Puppet, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.

Our Vigil@nce team determined that the severity of this computer vulnerability is important.

The trust level is confirmed by the vendor, and the attack origin is an internet client.

This bulletin is about 51 vulnerabilities.

An attacker with expert skills can exploit this cybersecurity alert.

Solutions for this threat

Oracle Java: version 7.0u45.
The version 7.0u45 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java: version 6.0u65.
The version 6.0u65 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

Oracle Java: version 5.0u55.
The version 5.0u55 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html
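A defender-side patch-level check, added here as an example and not code from the Vigil@nce bulletin or from Oracle: it parses the banner printed by `java -version` (Java writes it to stderr) and compares the update number with the Oracle Java fix levels stated above (7u45, 6u65, 5u55). OpenJDK builds are deliberately left unclassified because their fix levels are the IcedTea and distribution packages listed separately; the sample banners are constructed.

```python
import re
import subprocess

# Oracle Java fix levels from this bulletin: 7u45, 6u65, 5u55, keyed by the "x"
# in the "1.x.0_NN" string that `java -version` prints.
FIXED_UPDATE = {7: 45, 6: 65, 5: 55}

VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    update = int(m.group(2)) if m.group(2) else 0  # bare "1.7.0" is the GA build, update 0
    return int(m.group(1)), update


def is_patched(banner):
    """True/False when an Oracle Java banner is at/above the fix level for this bulletin.
    None for OpenJDK builds (their fix levels are the IcedTea releases listed
    separately), for unparseable banners, and for majors the bulletin does not cover.
    """
    if "OpenJDK" in banner:
        return None
    parsed = parse_java_version(banner)
    if parsed is None or parsed[0] not in FIXED_UPDATE:
        return None
    major, update = parsed
    return update >= FIXED_UPDATE[major]


def check_local_java():
    """Classify the `java` on PATH; None if absent. The banner goes to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_patched(proc.stderr + proc.stdout)


# Constructed sample banners (not from real hosts) with their expected verdicts.
SAMPLES = [
    ('java version "1.7.0_40"\nJava(TM) SE Runtime Environment (build 1.7.0_40-b43)', False),
    ('java version "1.7.0_45"', True),
    ('java version "1.6.0_65"', True),
    ('java version "1.5.0_22"', False),
    ('java version "1.7.0_45"\nOpenJDK Runtime Environment (IcedTea 2.4.3)', None),
]

if __name__ == "__main__":
    for banner, expected in SAMPLES:
        print(f'{banner.splitlines()[0]:<26} -> {is_patched(banner)} (expected {expected})')
```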

IBM Notes: patch for Java.
A patch will be provided.

IcedTea: version 2.4.3.
The version 2.4.3 is fixed:
  http://icedtea.classpath.org/download/source/icedtea-2.4.3.tar.gz

IcedTea: version 1.12.7.
The version 1.12.7 is fixed:
  http://icedtea.classpath.org/download/source/icedtea6-1.12.7.tar.gz

IcedTea: version 1.11.14.
The version 1.11.14 is fixed:
  http://icedtea.classpath.org/download/source/icedtea6-1.11.14.tar.gz

AIX: fixed versions for IBM Java.
The following versions are fixed:
IBM SDK, Java 2 Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 4 and later
  32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK
  64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 6 Service Refresh 15 and later
  32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK
  64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK
IBM SDK, Java Technology Edition, Version 7 Service Refresh 6 and later
  32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK
  64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK

F5 BIG-IP: fixed versions for Oracle Java.
Fixed versions are indicated in information sources.

Fedora: new java-1.7.0-openjdk packages.
New packages are available:
  java-1.7.0-openjdk-1.7.0.60-2.4.3.0.fc18
  java-1.7.0-openjdk-1.7.0.60-2.4.3.0.fc19

HP-UX: version Java6 1.6.0.21.00.
The version Java6 1.6.0.21.00 is fixed:
  http://www.hp.com/java

HP-UX: version Java7 1.7.0.08.00.
The version Java7 1.7.0.08.00 is fixed:
  http://www.hp.com/java

IBM DB2 Recovery Expert: version 4.1.0.0 IF4.
The version 4.1.0.0 IF4 is fixed:
  http://www-933.ibm.com/support/fixcentral/

IBM Domino: patch for Java.
A patch will be provided.

IBM Tivoli System Automation for Multiplatforms: patch for Java.
A patch is available in information sources.

Mandriva: new java-1.6.0-openjdk packages.
New packages are available:
  java-1.6.0-openjdk-1.6.0.0-35.b24.7mdvmes5.2

Mandriva: new java-1.7.0-openjdk packages.
New packages are available:
  java-1.7.0-openjdk-1.7.0.60-2.4.3.1.mbs1

McAfee ePO: version 4.6.7.
The version 4.6.7 is fixed:
  http://www.mcafee.com/us/downloads

McAfee ePO: version 5.1.0.
The version 5.1.0 is fixed:
  http://www.mcafee.com/us/downloads

openSUSE 11.4: new java-1_6_0-openjdk packages.
New packages are available:
  java-1_6_0-openjdk-1.6.0.0_b27.1.12.7-45.1

Puppet Enterprise: version 3.7.0.
The version 3.7.0 is fixed:
  http://puppetlabs.com/

Red Hat JBoss Data Grid: version 6.4.1.
The version 6.4.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=6.4.1

Red Hat JBoss Data Virtualization: version 6.1.0.
The version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=distributions&version=6.1.0

Red Hat JBoss Enterprise Application Platform: new Xerces-J2 packages.
New packages are available, including Xerces-J and many related packages, as indicated in the information sources:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions&version=6.3
Target RHEL distributions range from 5 to 7.

Red Hat JBoss Operations Network: version 3.3 update 1.
The version 3.3 update 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

Red Hat Network Satellite: new java-1.6.0-ibm packages.
New packages are available:
  java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5
  java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6

RHEL 5: new java-1.7.0-openjdk packages.
New packages are available:
  java-1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10

RHEL 6.4: new java-1.7.0-openjdk packages.
New packages are available:
  java-1.7.0-openjdk-1.7.0.45-2.4.3.2.el6_4

RHEL: new java-1.5.0-ibm packages.
New packages are available:
  java-1.5.0-ibm-1.5.0.16.4-1jpp.1.el5_10
  java-1.5.0-ibm-1.5.0.16.4-1jpp.1.el6_4

RHEL: new java-1.6.0-ibm packages.
New packages are available:
  java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el5_10
  java-1.6.0-ibm-1.6.0.15.0-1jpp.1.el6_4

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  java-1.6.0-openjdk-1.6.0.0-1.42.1.11.14.el5_10
  java-1.6.0-openjdk-1.6.0.0-1.65.1.11.14.el6_4

RHEL: new java-1.7.0-ibm packages.
New packages are available:
  java-1.7.0-ibm-1.7.0.6.0-1jpp.1.el5_10
  java-1.7.0-ibm-1.7.0.6.0-1jpp.1.el6_4

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  java-1.7.0-oracle-1.7.0.45-1jpp.1.el5_10
  java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4

RHEL: new xerces-j2 packages.
New packages are available:
  RHEL 6: xerces-j2 2.7.1-12.7.el6_5
  RHEL 7: xerces-j2 2.11.0-17.el7_0

SUSE LE 10: new java-1_5_0-ibm packages.
New packages are available:
  java-1_5_0-ibm-1.5.0_sr16.4-0.5.1

SUSE LE 11: new java-1_7_0-ibm packages.
New packages are available:
  java-1_7_0-ibm-1.7.0_sr6.0-0.7.1

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 10 : java-1_6_0-ibm-1.6.0_sr15.0-0.14.1
  SUSE LE 11 : java-1_6_0-ibm-1.6.0_sr15.0-0.5.1

SUSE: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 12.2 : java-1_7_0-openjdk-1.7.0.6-3.48.2
  openSUSE 12.3 : java-1_7_0-openjdk-1.7.0.6-8.24.2
  SUSE LE 11 : java-1_7_0-openjdk-1.7.0.6-0.21.1

VMware vCenter: version 5.5 Update 1.
The version 5.5 Update 1 is fixed:
  https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_5

WebSphere MQ: APAR for IBM JRE.
A patch is available:
  http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+MQ&release=7.1.*&platform=All&function=aparId&apars=IC99261

WebSphere MQ: version 7.5.0.3.
The version 7.5.0.3 is fixed:
  http://www-304.ibm.com/support/docview.wss?uid=swg27038184