505086 : vulnerable JRE version: 1.6.0_35

Risk 5 : Web Services

An attacker can bypass Java's security restrictions and take unauthorized actions on a victim's computer when the victim visits the attacker's web site.

The Java Runtime Environment (JRE) provides the libraries, the Java Virtual Machine, and other components to run applets and applications written in the Java programming language. In addition, two key deployment technologies are part of the JRE: Java Plug-in, which enables applets to run in popular browsers; and Java Web Start, which deploys standalone applications over a network.

The Java security architecture restricts the resources that untrusted applets may access. This restricted environment is known as the sandbox.

The Java SE Development Kit (JDK) includes the Java Runtime Environment (JRE) and command-line development tools, such as JavaDoc, that are useful for developing applets and applications.

JavaFX is a platform for creating rich client applications. It is designed to provide a lightweight, hardware-accelerated Java UI platform for enterprise business applications.

Vulnerabilities in Oracle JDK and JRE 7.0 update 40, 6.0 update 60, and 5.0 update 51, and JavaFX 2.2.40, and prior

10/18/13
CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854, CVE-2013-5875, CVE-2013-5877
Oracle JDK and JRE 7.0 update 40, 6.0 update 60, 5.0 update 51, and JavaFX 2.2.40, and prior, are prone to multiple vulnerabilities, which can be exploited to manipulate certain data, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.

Undisclosed IBM Java vulnerabilities

07/22/13
CVE-2013-3006, CVE-2013-3007, CVE-2013-3008, CVE-2013-3009, CVE-2013-3010, CVE-2013-3011, CVE-2013-3012, CVE-2013-4002
The July 2013 IBM Security Update fixed eight undisclosed vulnerabilities in IBM Java.

Vulnerabilities in Oracle JDK and JRE 7.0 update 21, 6.0 update 45, and 5.0 update 45, and JavaFX 2.2.21 and prior

06/20/13
CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2467, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3744
Oracle JDK and JRE 7.0 update 21, 6.0 update 45, 5.0 update 45, and prior, are prone to multiple vulnerabilities, which can be exploited to disclose certain sensitive information, manipulate certain data, gain escalated privileges, conduct spoofing attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.

Vulnerabilities in Oracle JDK and JRE 7.0 update 17, 6.0 update 43, and 5.0 update 41

05/20/13
CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440
Oracle JDK and JRE 7.0 update 17, 6.0 update 43, 5.0 update 41, and prior, are prone to multiple vulnerabilities, which can be exploited by malicious local users to disclose certain sensitive information and gain escalated privileges, and by malicious people to disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

Note: There are multiple vulnerabilities in IBM Java due to a vulnerable bundled version of Oracle JRE.

Multiple Vulnerabilities Fixed in Oracle JavaFX 2.2.21

04/19/13
CVE-2013-0402, CVE-2013-1491, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-2394, CVE-2013-2414, CVE-2013-2427, CVE-2013-2428, CVE-2013-2430, CVE-2013-2432, CVE-2013-2434, CVE-2013-2439
Oracle JavaFX versions 2.2.7 and earlier are prone to multiple vulnerabilities, which can be exploited by malicious people to gain system access and execute arbitrary code with the privileges of a local user, to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Note: There are multiple vulnerabilities in IBM Java due to a vulnerable bundled version of Oracle JRE.

Vulnerabilities in Oracle JDK and JRE 7.0 update 15, 6.0 update 41, and 5.0 update 40

03/21/13
CVE-2013-0809, CVE-2013-1493
Oracle JDK and JRE 7.0 update 15, 6.0 update 41, 5.0 update 40, and prior, are prone to two vulnerabilities, which can be exploited by malicious people to compromise a user's system. These vulnerabilities are caused by an unspecified error within the 2D component.

Note: There are multiple vulnerabilities in IBM Java due to a vulnerable bundled version of Oracle JRE.

Vulnerabilities in Oracle JDK and JRE 7.0 update 13, 6.0 update 39, 5.0 update 39, and 1.4.2_41

02/21/13
CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487
Oracle JDK and JRE 7.0 update 13, 6.0 update 39, 5.0 update 39, 1.4.2_41, and prior, are prone to multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information, manipulate certain data, and compromise a user's system.

Note: There are multiple vulnerabilities in IBM Java due to a vulnerable bundled version of Oracle JRE.

Vulnerabilities in Oracle JDK and JRE 7.0 update 11, 6.0 update 38, 5.0 update 38, and 1.4.2_40, and JavaFX 2.2.4 and prior

02/04/13
CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0436, CVE-2013-0437, CVE-2013-0438, CVE-2013-0439, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1472, CVE-2013-1473, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483, CVE-2013-1489
Oracle JDK and JRE 7.0 update 11, 6.0 update 38, 5.0 update 38, and 1.4.2_40, and JavaFX 2.2.4 and prior, are prone to multiple vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Note: There are multiple vulnerabilities in IBM Java due to a vulnerable bundled version of Oracle JRE.

Vulnerabilities in Oracle JDK and JRE 7.0 update 7, 6.0 update 35, 5.0 update 36, and 1.4.2_38, and JavaFX 2.2 and prior

10/18/12
CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5078, CVE-2012-5079, CVE-2012-5080, CVE-2012-5081, CVE-2012-5082, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
Oracle JDK and JRE 7.0 update 7, 6.0 update 35, 5.0 update 36, and 1.4.2_38, and JavaFX 2.2 and prior, are prone to multiple vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

JRE Font Processing Overflow

08/21/07
JRE versions prior to 5.0 Update 10 and prior to 1.4.2_15 contain a flaw in the handling of font files. Such files can be included with remotely launched Java applets and applications. A crafted font file could be used to exploit this flaw and cause a buffer overflow. If successfully exploited, this buffer overflow could execute arbitrary code with the privileges of the current user.

The vulnerabilities in Oracle JDK and JRE 7.0 update 40, 6.0 update 60, and 5.0 update 51, and JavaFX 2.2.40, and prior were reported in Secunia Advisory SA55315 (http://secunia.com/advisories/55315/) and Secunia Advisory SA55316 (http://secunia.com/advisories/55316/).

The undisclosed vulnerabilities fixed in the July 2013 IBM Security Update were reported on IBM DeveloperWorks (https://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013).

The vulnerabilities in Oracle JDK and JRE 7.0 update 21, 6.0 update 45, and 5.0 update 45, and JavaFX 2.2.21 and prior were reported in Secunia Advisory SA53846 (http://secunia.com/advisories/53846/) and Secunia Advisory SA53852 (http://secunia.com/advisories/53852/).

The vulnerabilities in Oracle JDK and JRE 7.0 update 17, 6.0 update 43, and 5.0 update 41 were reported in Secunia Advisory SA53008 (http://secunia.com/advisories/53008/).

The multiple vulnerabilities fixed in Oracle JavaFX 2.2.21 were reported in Secunia Advisory SA53095 (http://secunia.com/advisories/53095/) and the Oracle Java SE Critical Patch Update Advisory - April 2013 (http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html).

The vulnerabilities in Oracle JDK and JRE 7.0 update 15, 6.0 update 41, and 5.0 update 40 were reported in Secunia Advisory SA52451 (http://secunia.com/advisories/52451/).

The vulnerabilities in Oracle JDK and JRE 7.0 update 13, 6.0 update 39, 5.0 update 39, and 1.4.2_41 were reported in Secunia Advisory SA52257 (http://secunia.com/advisories/52257/).

The vulnerabilities in Oracle JDK and JRE 7.0 update 11, 6.0 update 38, 5.0 update 38, and 1.4.2_40, and JavaFX 2.2.4 and prior were reported in the Oracle Java SE Critical Patch Update - February 2013 (http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html), Secunia Advisory SA52064 (http://secunia.com/advisories/52064/), and Secunia Advisory SA52065 (http://secunia.com/advisories/52065/).

The vulnerabilities in Oracle JDK and JRE 7.0 update 7, 6.0 update 35, 5.0 update 36, and 1.4.2_38, and JavaFX 2.2 and prior were reported in Secunia Advisory SA50949 (http://secunia.com/advisories/50949/).

The JRE Font Processing Overflow was reported in Bugtraq ID 25340 (http://www.securityfocus.com/bid/25340).

For more information on the Java security architecture and sandboxes, see Sun's Java security architecture specification (http://java.sun.com/j2se/1.3/docs/guide/security/spec/security-specTOC.fm.html).

Solution:

For JDK and JRE version 7.x, upgrade to a version higher than 7.0 update 40 when available (http://java.sun.com/javase/downloads/index.jsp).

For other versions of JDK and JRE, upgrade to a version higher than 6.0 update 60 or 5.0 update 51 when available (http://java.sun.com/javase/downloads/index.jsp).

IBM Java updates can be downloaded from the IBM Java Security alerts page (http://www.ibm.com/developerworks/java/jdk/alerts/).

For JavaFX, upgrade to a version higher than 2.2.40 when available (http://www.oracle.com/technetwork/java/javafx/downloads/index.html).

Mac OS X updates can be downloaded from Apple's Java Download page (http://developer.apple.com/java/download/).
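A defender-side check for whether an installed JRE still falls inside the affected ranges, written for this page as an added example (it is not SAINT's check or Oracle's code). The cutoffs (7.0 update 40, 6.0 update 60, 5.0 update 51, and any 1.4.2 build) come from the Solution and advisory text above; the `java -version` output is a constructed sample, and `check_local_java` assumes a `java` binary on PATH.

```python
import re
import subprocess

# Last affected update per Java family, from the Solution section above: 7.0 update 40,
# 6.0 update 60 and 5.0 update 51 "and prior" are vulnerable, so any higher update is fixed.
# 1.4.2 builds are listed as affected with no fixed release named, so they are always flagged.
LAST_VULNERABLE_UPDATE = {7: 40, 6: 60, 5: 51}

# The 1.<family>.<minor>_<update> scheme used by Java 5/6/7, with or without a "-bNN" build suffix.
_VERSION_RE = re.compile(r"1\.(?P<family>\d)\.(?P<minor>\d+)(?:_(?P<update>\d+))?")


def parse_java_version(version):
    """Turn '1.6.0_35' (or '1.6.0_35-b10') into (family, update); None if unrecognised."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        return None
    return int(m.group("family")), int(m.group("update") or 0)


def is_vulnerable(version):
    """True when the JRE falls inside the affected ranges this page describes."""
    parsed = parse_java_version(version)
    if parsed is None:
        raise ValueError("unrecognised Java version string: %r" % (version,))
    family, update = parsed
    last_bad = LAST_VULNERABLE_UPDATE.get(family)
    if last_bad is None:
        return True  # 1.4.2 and older families: affected, no fix listed on this page
    return update <= last_bad


def version_from_java_output(text):
    """Extract the quoted version from the 'java version "..."' line of `java -version` output."""
    m = re.search(r'java version "([^"]+)"', text)
    if m is None:
        raise ValueError("no 'java version' line found")
    return m.group(1)


def check_local_java():
    """Classify the java binary on PATH (java -version prints to stderr, so read both streams)."""
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_vulnerable(version_from_java_output(out.stderr + out.stdout))


# Constructed sample of what the 1.6.0_35 host in this report would print.
SAMPLE_OUTPUT = 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)\n'

if __name__ == "__main__":
    v = version_from_java_output(SAMPLE_OUTPUT)
    print(v, "vulnerable" if is_vulnerable(v) else "not affected")
```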

CVSS Information:
Low Attack Complexity, Complete Confidentiality Impact, Complete Integrity Impact, Complete Availability Impact

Credit:
SAINT Corporation : 2011-02-08