
Oracle Java Multiple Vulnerabilities


Secunia ID

SA53008

CVE-ID

CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440

Release Date

17 Apr 2013

Last Change

30 May 2013

Criticality

Highly Critical

Solution Status

Vendor Patch

Software

Oracle Java JDK 1.5.x / 5.x
Oracle Java JDK 1.7.x / 7.x
Oracle Java JRE 1.7.x / 7.x
Sun Java JDK 1.6.x / 6.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x

Where

From remote

Impact
DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerability with this impact is SQL injection, where a malicious user or person can manipulate SQL queries.

Privilege escalation

This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users.

This typically includes cases where a local user on a client or server system can gain access to the administrator or root account thus taking full control of the system.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

Description

Multiple vulnerabilities have been reported in Oracle Java, which can be exploited by malicious local users to disclose certain sensitive information and gain escalated privileges, and by malicious people to disclose certain sensitive information, manipulate certain data, bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) An error in the 2D component within the fontmanager native component when handling Ligature Substitution subtables embedded in a "mort" table can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

2) An error in the 2D component within the fontmanager native component when handling the "LookupCount" sum in GSUB tables within a TTF file can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

3) An error in the 2D component within the fontmanager native component when handling Ligature Substitution subtables embedded in a "mort" table can be exploited to cause a stack-based buffer overflow via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

4) An error in the 2D component within the "glyph_AddPoint()" function (t2k.dll) when rendering Type1 or Type2 fonts can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

5) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

6) An integer overflow error in the 2D component within the "sun.awt.image.ImageRepresentation.setICMpixels()" function when handling the scanlineStride argument can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

7) A boundary error in the 2D component when handling CFF-based OpenType fonts can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

8) An unspecified error in the Beans component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

9) An unspecified error in the Deployment component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

10) An unspecified error in the Deployment component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

11) An unspecified error in the Hotspot component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

12) An unspecified error in the Install component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

13) An unspecified error in the JAXP component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

14) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

15) An error in the JavaFX component within the JavaFX WebPage class when handling a descendant class can be exploited via untrusted Java Web Start applications and untrusted Java applets to override the "getPage()" method and potentially execute arbitrary code.

16) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

17) An unspecified error in the Libraries component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

18) An unspecified error in the RMI component of the client and server deployment can be exploited to potentially execute arbitrary code.

19) An unspecified error in the RMI component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

20) An unspecified error in the HotSpot component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

21) An error within the JavaFX component when parsing a flv file containing two video tags using the On2 VP6 codec can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

22) An error in the Libraries component within the java.util.concurrent.ConcurrentHashMap class when handling the "segmentShift" and "segmentMask" fields can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

23) An error in the Libraries component within the usage of MethodHandles can be exploited via untrusted Java Web Start applications and untrusted Java applets to bypass the restrictions of "restrictReceiver()" and potentially execute arbitrary code.

24) An error in the Libraries component within the java.sql.DriverManager when a "toString()" is called within a doPrivileged block can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

25) A boundary error in the 2D component within t2k.dll when handling Type1 fonts can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

26) An unspecified error in the ImageIO component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

27) An unspecified error in the ImageIO component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

28) An unspecified error in the Install component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code.

29) An unspecified error in the Install component of the client deployment can be exploited by a local user to gain escalated privileges.

30) An error within the Proxy class of sun.awt.datatransfer.TransferableProxy can be exploited to execute arbitrary code.

31) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to cause a DoS.

32) An unspecified error in the JMX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.

33) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.

34) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data.

35) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data.

36) An unspecified error in the Networking component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to cause a DoS.

37) An unspecified error in the Deployment component of the client deployment can be exploited by a local user to gain escalated privileges.

38) An error in the "launchApp()" function within deployJava1.dll can be exploited to cause memory corruption.

39) An unspecified error in the Deployment component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data.

40) An unspecified error in the Deployment component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data.

41) A type confusion error when handling fields of classes can be exploited to bypass certain access restrictions via reflection and subsequently disable the security manager.

42) An unspecified error in the JAX-WS component of the client and server deployment can be exploited by local users to disclose certain data.

The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 17 and prior
* JDK and JRE 6 Update 43 and prior
* JDK and JRE 5.0 Update 41 and prior

Solution

Apply updates.

JDK and JRE 7 Update 17 and prior:
Update to version 7 update 21.

JDK and JRE 6 Update 43 and prior:
Update to version 6 update 45.

JDK and JRE 5.0 Update 41 and prior:
Update to version 5 update 45.
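The following script is an added inventory check and is not part of the Secunia advisory or any Oracle tooling. It encodes the three fixed releases named in the Solution section above (7 Update 21, 6 Update 45, 5.0 Update 45) and assumes the legacy "1.<major>.0_<update>" version string that the affected JDK/JRE releases print for `java -version`; the sample banners embedded in it are constructed, not captured from real systems.

```python
"""Version check for the Java releases covered by Secunia advisory SA53008.

Added example, not code from Secunia or Oracle. It encodes the advisory's
Solution section (7u17 and prior -> 7u21, 6u43 and prior -> 6u45,
5.0u41 and prior -> 5u45) and assumes the legacy "1.<major>.0_<update>"
version string printed by the affected JDK/JRE releases.
"""
import re
import subprocess

# First fixed update per major release, taken from the advisory's Solution section.
FIXED_UPDATE = {5: 45, 6: 45, 7: 21}

# Matches legacy version strings such as "1.7.0_17", "1.6.0_43-b01", "1.5.0_41";
# the update number is optional because GA builds may omit it.
_VERSION_RE = re.compile(r"\b(?:1\.)?(\d+)\.\d+(?:\.\d+)?(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, update) from a `java -version` banner or a bare version string.

    Returns None when no version string is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major = int(match.group(1))
    update = int(match.group(2)) if match.group(2) else 0
    return major, update


def assess_version(text):
    """Classify a version string against the advisory's fixed releases.

    Returns a dict with keys major, update and status, where status is
    'vulnerable', 'patched' or 'not covered' (a major release the advisory
    does not list), or None if no version could be parsed.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        status = "not covered"
    elif update < fixed:
        status = "vulnerable"
    else:
        status = "patched"
    return {"major": major, "update": update, "status": status}


def local_java_status(java="java"):
    """Run `java -version` for the runtime on PATH and assess it.

    The JVM prints its version banner to stderr, so both streams are read.
    Returns None if the binary is not found.
    """
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return assess_version(proc.stderr + proc.stdout)


# Constructed sample banners (not captured from real systems).
SAMPLE_BANNERS = {
    "7u17": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)\n',
    "7u21": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "6u43": 'java version "1.6.0_43"\n',
    "5u45": 'java version "1.5.0_45"\n',
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(label, assess_version(banner))
    print("local runtime:", local_java_status())
```

The check only sees the runtime first on PATH; a browser plug-in or a bundled application JRE can be bound to a different installation, so each installed runtime (and each Java ActiveX control or plug-in) should be checked separately, and a "not covered" result means only that the major release is outside this advisory's scope, not that it is unaffected by later advisories.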

Reported by

1-4, 25) Alin Rad Pop via ZDI
6, 15) Vitaliy Toropov via ZDI
7) Joshua J. Drake, Accuvant Labs via ZDI
21) VUPEN Security via ZDI
22, 23, 30) Ben Murphy via ZDI
24) James Forshaw (tyranid) via ZDI
38) A. Antukh, SEC Consult Vulnerability Lab
41) Jeroen Frijters

It is currently unclear who reported the remaining vulnerabilities as the Oracle Java SE Critical Patch Update for April 2013 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory

Oracle:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.oracle.com/technetwork/topics/security/javacpuapr2013verbose-1928687.html

SEC-Consult:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130417-1_Java_ActiveX_Control_Memory_Corruption.txt
http://archives.neohapsis.com/archives/fulldisclosure/2013-04/0244.html

Jeroen Frijters:
http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-13-068/
http://www.zerodayinitiative.com/advisories/ZDI-13-069/
http://www.zerodayinitiative.com/advisories/ZDI-13-070/
http://www.zerodayinitiative.com/advisories/ZDI-13-071/
http://www.zerodayinitiative.com/advisories/ZDI-13-072/
http://www.zerodayinitiative.com/advisories/ZDI-13-073/
http://www.zerodayinitiative.com/advisories/ZDI-13-074/
http://www.zerodayinitiative.com/advisories/ZDI-13-075/
http://www.zerodayinitiative.com/advisories/ZDI-13-076/
http://www.zerodayinitiative.com/advisories/ZDI-13-077/
http://www.zerodayinitiative.com/advisories/ZDI-13-078/
http://www.zerodayinitiative.com/advisories/ZDI-13-079/
http://www.zerodayinitiative.com/advisories/ZDI-13-089/