Oracle Patches Java Security Vulnerabilities
Posted by Derek Erwin
Yesterday, Oracle issued a critical patch update for multiple security vulnerabilities in Java with the release of Java SE 7u51. Oracle’s Java update fixes 36 vulnerabilities, 34 of which are remotely exploitable without authentication.
Oracle notes:
These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Supported versions that are affected: Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE 7u45 on OS X, Java SE 7u45 on Firefox, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45, and JavaFX 2.2.45.
As is typical of Oracle’s Java updates, which arrive quarterly rather than monthly, this one fixes a colossal 36 bugs at once. It is therefore important to update to Java SE 7u51 immediately to mitigate the potential threats.
Following is a complete list of all 36 vulnerabilities resolved in the Oracle Java SE update:
- CVE-2013-5870 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JavaFX accessible data as well as read access to a subset of Java SE, JavaFX accessible data and ability to cause a partial denial of service (partial DOS) of Java SE, JavaFX.
- CVE-2013-5878 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data as well as read access to a subset of Java SE, Java SE Embedded accessible data and ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
- CVE-2013-5884 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: CORBA). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
- CVE-2013-5887 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2013-5888 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2013-5889 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2013-5893 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2013-5895 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, JavaFX accessible data.
- CVE-2013-5896 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: CORBA). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
- CVE-2013-5898 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data.
- CVE-2013-5899 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data.
- CVE-2013-5902 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2013-5904 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2013-5905 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Install). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2013-5906 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Install). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2013-5907 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2013-5910 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
- CVE-2014-0368 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
- CVE-2014-0373 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Serviceability). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2014-0375 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data.
- CVE-2014-0376 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
- CVE-2014-0382 : Vulnerability in the Java SE, JavaFX component of Oracle Java SE (subcomponent: JavaFX). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JavaFX.
- CVE-2014-0385 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Install). Difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2014-0387 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2014-0403 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data.
- CVE-2014-0408 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Hotspot). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2014-0410 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2014-0411 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: JSSE). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JRockit, Java SE Embedded accessible data as well as read access to a subset of Java SE, JRockit, Java SE Embedded accessible data.
- CVE-2014-0415 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2014-0416 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAAS). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, Java SE Embedded accessible data.
- CVE-2014-0417 : Vulnerability in the Java SE, JavaFX, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2014-0418 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2014-0422 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JNDI). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
- CVE-2014-0423 : Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: Beans). Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, JRockit, Java SE Embedded accessible data and ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded.
- CVE-2014-0424 : Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data and ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2014-0428 : Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: CORBA). Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
Users can go to Oracle’s website to download Java SE 7u51 as advised. Windows and Mac OS X users can also use automatic updates to get the latest release. Users running Java SE with a browser can download the latest release from Java.com.
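To check whether a machine still runs one of the releases this update supersedes, the following added inventory script (not part of the original post) parses `java -version` output and compares it against the affected versions listed above. It assumes that releases older than the listed update level on the Java SE 5 and 6 lines also need patching, which the post does not state explicitly.

```python
import re
import subprocess

# Affected releases named in the post, keyed by major version (5.0u55, 6u65, 7u45).
# Assumption (not stated on the page): earlier updates on the same line are
# treated as needing the patch as well, as is normal for an Oracle CPU.
AFFECTED_MAX_UPDATE = {5: 55, 6: 65, 7: 45}
FIXED_7_UPDATE = 51  # Java SE 7u51 is the release the post tells users to install

# Matches the first line of `java -version`, e.g. java version "1.7.0_45"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)"')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if unparseable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(output):
    """Classify a `java -version` string against this advisory."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major == 7:
        return "vulnerable" if update < FIXED_7_UPDATE else "patched"
    if major in AFFECTED_MAX_UPDATE:
        # The post gives no fixed release for the 5 and 6 lines, so anything at
        # or below the listed affected update is flagged for patching.
        return "vulnerable" if update <= AFFECTED_MAX_UPDATE[major] else "patched"
    return "not in advisory scope"


def assess_installed_java():
    """Run the local java binary (it prints its version to stderr) and assess it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample lines, not output from a real inventory.
    for line in ['java version "1.7.0_45"', 'java version "1.7.0_51"',
                 'java version "1.6.0_65"', 'java version "1.5.0_55"']:
        print(line, "->", assess(line))
    print("this host ->", assess_installed_java())
```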