Java update patches 40 bugs

18. June 2013 Security 2

Java
Java has released an update, get it by going to System Preferences > Java > Update (if you have Java installed). Apple has also made updates available that can be downloaded through Software Update.
This Critical Patch Update provides 40 new security fixes.

  • 37 of these vulnerabilities are remotely exploitable without authentication.
  • 34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments. The highest CVSS Base Score for these client-only fixes is 10.0.
  • 4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments. The most severe of these vulnerabilities has received a CVSS Base Score of 7.5.
  • One of the vulnerabilities fixed in this Critical patch Update affects the Java installer and can only be exploited locally.

After updating your version should read Java 7 Update 25.
More info on the update here.

Here is the full list of bugs that were squashed:

  • CVE-2013-2470: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2471: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2472: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2473: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2463: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2464: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2465: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2469: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2459: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2468: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2466: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-3743: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are 6 Update 45 and before and 5.0 Update 45 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2462: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2460: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Serviceability). Supported versions that are affected are 7 Update 21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2445: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System hang or frequently repeatable crash (complete DOS).
  • CVE-2013-2448: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2442: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2461: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2467: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Install). Supported versions that are affected are 5.0 Update 45 and before. Difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2407: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2454: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JDBC). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2458: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2444: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before, 5.0 Update 45 and before and JavaFX 2.2.21 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2446: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: CORBA). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2437: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2400: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data.
  • CVE-2013-3744: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 21 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data.
  • CVE-2013-2457: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data.
  • CVE-2013-2453: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data.
  • CVE-2013-2443: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2452: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2455: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2447: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2450: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-2456: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2412: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Serviceability). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-2449: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data.
  • CVE-2013-1571: Vulnerability in the Javadoc component of Oracle Java SE. Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before, 5.0 Update 45 and before and JavaFX 2.2.21 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Javadoc accessible data.
  • CVE-2013-2451: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are 7 Update 21 and before and 6 Update 45 and before. Very difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.
  • CVE-2013-1500: Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 21 and before, 6 Update 45 and before and 5.0 Update 45 and before. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data.Source: Intego

2 thoughts on “Java update patches 40 bugs”

  • 1
    John on June 18, 2013 Reply

    Cool, thank you 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.