National Vulnerability Database (NVD) National Vulnerability Database (CVE-2013-0435)

National Cyber Awareness System

Vulnerability Summary for CVE-2013-0435

Original release date:02/02/2013

Last revised:03/08/2013

Source: US-CERT/NIST

Overview

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAX-WS. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper restriction of com.sun.xml.internal packages and "Better handling of UI elements."

Description

Per http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html "Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.)"

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Technical Alert: TA13-032A

Name: TA13-032A

Hyperlink:http://www.us-cert.gov/cas/techalerts/TA13-032A.html

US-CERT Vulnerability Note: VU#858729

Name: VU#858729

Hyperlink:http://www.kb.cert.org/vuls/id/858729

External Source: CONFIRM

Name: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

Type: Advisory

Hyperlink:http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

External Source: REDHAT

Name: RHSA-2013:0247

Hyperlink:http://rhn.redhat.com/errata/RHSA-2013-0247.html

External Source: REDHAT

Name: RHSA-2013:0246

Hyperlink:http://rhn.redhat.com/errata/RHSA-2013-0246.html

External Source: REDHAT

Name: RHSA-2013:0245

Hyperlink:http://rhn.redhat.com/errata/RHSA-2013-0245.html

External Source: REDHAT

Name: RHSA-2013:0237

Hyperlink:http://rhn.redhat.com/errata/RHSA-2013-0237.html

External Source: REDHAT

Name: RHSA-2013:0236

Hyperlink:http://rhn.redhat.com/errata/RHSA-2013-0236.html

External Source: SUSE

Name: openSUSE-SU-2013:0377

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00001.html

External Source: SUSE

Name: openSUSE-SU-2013:0312

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00014.html

External Source: CONFIRM

Name: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/c1fa21042291

Hyperlink:http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/c1fa21042291

External Source: CONFIRM

Name: http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/icedtea6-1.11.6/NEWS

Hyperlink:http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/icedtea6-1.11.6/NEWS

External Source: CONFIRM

Name: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=906892

Hyperlink:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=906892

Vulnerable software and versions

Configuration 1

* cpe:/a:oracle:jre:1.7.0

* cpe:/a:oracle:jre:1.7.0:update1

* cpe:/a:oracle:jre:1.7.0:update2

* cpe:/a:oracle:jre:1.7.0:update3

* cpe:/a:oracle:jre:1.7.0:update4

* cpe:/a:oracle:jre:1.7.0:update5

* cpe:/a:oracle:jre:1.7.0:update6

* cpe:/a:oracle:jre:1.7.0:update7

* cpe:/a:oracle:jre:1.7.0:update9

* cpe:/a:oracle:jre:1.7.0:update10

* cpe:/a:oracle:jre:1.7.0:update11

Configuration 2

* cpe:/a:oracle:jdk:1.7.0

* cpe:/a:oracle:jdk:1.7.0:update1

* cpe:/a:oracle:jdk:1.7.0:update2

* cpe:/a:oracle:jdk:1.7.0:update3

* cpe:/a:oracle:jdk:1.7.0:update4

* cpe:/a:oracle:jdk:1.7.0:update5

* cpe:/a:oracle:jdk:1.7.0:update6

* cpe:/a:oracle:jdk:1.7.0:update7

* cpe:/a:oracle:jdk:1.7.0:update9

* cpe:/a:oracle:jdk:1.7.0:update10

* cpe:/a:oracle:jdk:1.7.0:update11

Configuration 3

* cpe:/a:oracle:jre:1.6.0:update_38

* cpe:/a:oracle:jre:1.6.0:update_37

* cpe:/a:oracle:jre:1.6.0:update_35

* cpe:/a:oracle:jre:1.6.0:update_34

* cpe:/a:oracle:jre:1.6.0:update_33

* cpe:/a:oracle:jre:1.6.0:update_32

* cpe:/a:oracle:jre:1.6.0:update_31

* cpe:/a:oracle:jre:1.6.0:update_30

* cpe:/a:oracle:jre:1.6.0:update_29

* cpe:/a:oracle:jre:1.6.0:update_27

* cpe:/a:oracle:jre:1.6.0:update_26

* cpe:/a:oracle:jre:1.6.0:update_25

* cpe:/a:oracle:jre:1.6.0:update_24

* cpe:/a:oracle:jre:1.6.0:update_23

* cpe:/a:oracle:jre:1.6.0:update_22

* cpe:/a:sun:jre:1.6.0:update_21

* cpe:/a:sun:jre:1.6.0:update_20

* cpe:/a:sun:jre:1.6.0:update_19

* cpe:/a:sun:jre:1.6.0:update_18

* cpe:/a:sun:jre:1.6.0:update_17

* cpe:/a:sun:jre:1.6.0:update_16

* cpe:/a:sun:jre:1.6.0:update_15

* cpe:/a:sun:jre:1.6.0:update_14

* cpe:/a:sun:jre:1.6.0:update_13

* cpe:/a:sun:jre:1.6.0:update_12

* cpe:/a:sun:jre:1.6.0:update_11

* cpe:/a:sun:jre:1.6.0:update_10

* cpe:/a:sun:jre:1.6.0:update_9

* cpe:/a:sun:jre:1.6.0:update_7

* cpe:/a:sun:jre:1.6.0:update_6

* cpe:/a:sun:jre:1.6.0:update_5

* cpe:/a:sun:jre:1.6.0:update_4

* cpe:/a:sun:jre:1.6.0:update_3

* cpe:/a:sun:jre:1.6.0:update_2

* cpe:/a:sun:jre:1.6.0:update_1

* cpe:/a:sun:jre:1.6.0

Configuration 4

* cpe:/a:oracle:jdk:1.6.0:update_38

* cpe:/a:oracle:jdk:1.6.0:update_37

* cpe:/a:oracle:jdk:1.6.0:update_35

* cpe:/a:oracle:jdk:1.6.0:update_34

* cpe:/a:oracle:jdk:1.6.0:update_33

* cpe:/a:oracle:jdk:1.6.0:update_32

* cpe:/a:oracle:jdk:1.6.0:update_31

* cpe:/a:oracle:jdk:1.6.0:update_30

* cpe:/a:oracle:jdk:1.6.0:update_29

* cpe:/a:oracle:jdk:1.6.0:update_27

* cpe:/a:oracle:jdk:1.6.0:update_26

* cpe:/a:oracle:jdk:1.6.0:update_25

* cpe:/a:oracle:jdk:1.6.0:update_24

* cpe:/a:oracle:jdk:1.6.0:update_23

* cpe:/a:oracle:jdk:1.6.0:update_22

* cpe:/a:sun:jdk:1.6.0:update_21

* cpe:/a:sun:jdk:1.6.0:update_20

* cpe:/a:sun:jdk:1.6.0:update_19

* cpe:/a:sun:jdk:1.6.0:update_18

* cpe:/a:sun:jdk:1.6.0:update_17

* cpe:/a:sun:jdk:1.6.0:update_16

* cpe:/a:sun:jdk:1.6.0:update_15

* cpe:/a:sun:jdk:1.6.0:update_14

* cpe:/a:sun:jdk:1.6.0:update_13

* cpe:/a:sun:jdk:1.6.0:update_12

* cpe:/a:sun:jdk:1.6.0:update_11

* cpe:/a:sun:jdk:1.6.0:update_10

* cpe:/a:sun:jdk:1.6.0:update_7

* cpe:/a:sun:jdk:1.6.0:update_6

* cpe:/a:sun:jdk:1.6.0:update_5

* cpe:/a:sun:jdk:1.6.0:update_4

* cpe:/a:sun:jdk:1.6.0:update_3

* cpe:/a:sun:jdk:1.6.0:update2

* cpe:/a:sun:jdk:1.6.0:update1_b06

* cpe:/a:sun:jdk:1.6.0:update1

* cpe:/a:sun:jdk:1.6.0

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Insufficient Information (NVD-CWE-noinfo)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0435