SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Java Runtime Environment (JRE) Vendors:   Oracle, Sun
(Apple Issues Fix for OS X) Oracle Java SE Multiple Flaws Let Remote Users Execute Arbitrary Code and Deny Service
SecurityTracker Alert ID:  1026884
SecurityTracker URL:  http://securitytracker.com/id/1026884
CVE Reference:   CVE-2011-3563, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
Updated:  May 14 2012
Original Entry Date:  Apr 4 2012
Impact:   Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4.2_35 and prior, 5.0 Update 33 and prior; 6 Update 30 and prior; 7 Update 2 and prior
Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.

A remote user can send specially crafted data to execute arbitrary code on the target system or cause complete denial of service conditions. The Java 2D [CVE-2012-0497, CVE-2012-0498, CVE-2012-0499], deploy [CVE-2012-0500], and install [CVE-2012-0504] components are affected.

JavaFX is also affected [CVE-2012-0508].

A remote user can partially access and modify data and partially deny service on the target system. The I18n [CVE-2012-0503] and serialization [CVE-2012-0505] components are affected.

A remote user can partially access data and partially deny service on the target system. The AWT [CVE-2012-0502] and sound [CVE-2011-3563] components are affected.

A remote user can cause partial denial of service conditions on the target system. The JRE component is affected [CVE-2012-0501].

A remote user can partially modify data on the target system. The CORBA component is affected [CVE-2012-0506].

A remote user can partially access and modify data and partially deny service on the target system. The Concurrency component is affected [CVE-2012-0507].

The following researchers reported these vulnerabilities:

Alin Rad Pop (binaryproof) via TippingPoint's Zero Day Initiative; an Anonymous Reporter via iDefense; an Anonymous Reporter via TippingPoint's Zero Day Initiative; TELUS Security Labs; Chris Ries via TippingPoint; Doug Lea of OSWEGO State University of New York; Jeroen Frijters; Peter Vreugdenhil of TippingPoint DVLabs; and Timo Warns of PRESENSE Technologies.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

Solution:   Apple has issued a fix for CVE-2011-3563, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, and CVE-2012-0507.

This update includes a fix for the vulnerability [CVE-2012-0507] being actively exploited by the Flashback malware.

Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: f76807153bc0ca253e4a466a2a8c0abf1e180667

For OS X Lion systems
The download file is named: JavaForOSX.dmg
Its SHA-1 digest is: 176ac1f8e79b4245301e84b616de5105ccd13e16

The Apple advisory is available at:

http://support.apple.com/kb/HT5228

[Editor's note: Apple has also released 'APPLE-SA-2012-04-12-1 Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8' to deactivate the Java browser plugin and Java Web Start if unused for 35 days and to provide a Flashback malware removal tool for 10.6.8 and 10.7.3. The advisory is available at: http://support.apple.com/kb/HT5247]

[Editor's note: Apple has also released 'APPLE-SA-2012-04-13-1 Flashback malware removal tool' to provide a Flashback malware removal tool for 10.7.x systems that do not have Java installed. The advisory is available at: http://support.apple.com/kb/HT5254]

[Editor's note: Apple has also released 'APPLE-SA-2012-05-14-1 Flashback Removal Security Update' to provide a Flashback malware removal tool for 10.5.x systems.]

Vendor URL:  www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
Cause:   Not specified
Underlying OS:   UNIX (OS X)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 14 2012 Oracle Java SE Multiple Flaws Let Remote Users Execute Arbitrary Code and Deny Service



 Source Message Contents



[Original Message Not Available for Viewing]








Copyright 2013, SecurityGlobal.net LLC