Potential Vulnerabilities in Oracle's Java

Potentially Vulnerable Component

Oracle (formerly Sun) JRE 1.6.0_32

Potential Vulnerability Information

March 22, 2013

Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013. http://www.osvdb.org/show/osvdb/91472

March 22, 2013

Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Joshua Drake during a Pwn2Own competition at CanSecWest 2013. http://www.osvdb.org/show/osvdb/91204

March 22, 2013
Oracle Java Browser Plugin Revoked Certificate Verification Failure Weakness

Oracle Java contains a flaw in the browser plugin. The issue is due to the program not properly verifying certificates that have been revoked. This may allow a remote attacker to more easily convince a user into clicking and installing a malicious file.

March 22, 2013

Heap-based buffer overflow in Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013. http://www.osvdb.org/show/osvdb/91205

March 22, 2013

Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. http://www.osvdb.org/show/osvdb/91206

March 12, 2013
Java Pwn2Own multiple vulnerabilities

Four new unpatched vulnerabilities in Java were publicized in March 2013, during the Pwn2Own competition at the 2013 CanSecWest security conference. Details and fixes are not available at this time, but will be disclosed in the future by HP/TippingPoint. http://www.zerodayinitiative.com/advisories/upcoming/
CVE-2013-0401, CVE-2013-0402, CVE-2013-1491, CVE-2013-1488

March 05, 2013
Oracle Security Alert for CVE-2013-1493

This Security Alert addresses security issues CVE-2013-1493 (US-CERT VU#688246) and another vulnerability affecting Java running in web browsers. Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible. CVE-2013-1493 CVE-2013-0809

February 25, 2013
Updated Release of the February 2013 Oracle Java SE Critical Patch Update

Java JDK, JRE, and SDK contain multiple vulnerabilities. For details, see http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html. Note: This Critical Patch Update includes all fixes provided in the Oracle Java SE Critical Patch Update February 2013, distributed on February 1, 2013, plus an additional five fixes which had been previously planned for delivery. References: CVE-2013-1487, CVE-2013-1486, CVE-2013-1484, CVE-2013-1485, CVE-2013-0169

February 04, 2013
Oracle Java SE Critical Patch Update Advisory - February 2013

Java JDK, JRE, and SDK contain multiple vulnerabilities. For details, see http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html. Details of the issues fixed by the February 2013 Java SE CPU: http://marc.info/?l=full-disclosure&m=135997954729967&w=2. References: CVE-2013-0437, CVE-2013-1478, CVE-2013-0442, CVE-2013-0445, CVE-2013-1480, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2012-1541, CVE-2013-0446, CVE-2012-3342, CVE-2013-0450, CVE-2013-1479, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2012-3213, CVE-2013-1481, CVE-2013-0436, CVE-2013-0439, CVE-2013-0447, CVE-2013-1472, CVE-2012-4301, CVE-2013-1477, CVE-2013-1482, CVE-2013-1483, CVE-2013-1474, CVE-2012-4305, CVE-2013-0444, CVE-2013-0429, CVE-2013-0419, CVE-2013-0423, CVE-2012-1543, CVE-2013-0351, CVE-2013-0430, CVE-2013-0432, CVE-2013-0449, CVE-2013-1473, CVE-2013-0435, CVE-2013-0434, CVE-2013-0409, CVE-2013-0431, CVE-2013-0427, CVE-2013-0448, CVE-2013-0433, CVE-2013-0424, CVE-2013-0440, CVE-2013-0438, CVE-2013-0443, CVE-2013-1489

January 31, 2013

Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 51," a different vulnerability than CVE-2013-0431. NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed by vendors. NOTE: this issue also exists in SE 6, but it cannot be exploited without a separate vulnerability.

December 10, 2012

Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash3 algorithm, a different vulnerability than CVE-2012-2739.

October 22, 2012
Oracle Java SE Critical Patch Update Advisory - October 2012

Java JDK, JRE, and SDK contain multiple vulnerabilities. For details, see http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html. References: CVE-2012-5083, CVE-2012-1531, CVE-2012-5086, CVE-2012-5087, CVE-2012-1533, CVE-2012-1532, CVE-2012-5076, CVE-2012-3143, CVE-2012-5088, CVE-2012-5078, CVE-2012-5089, CVE-2012-5084, CVE-2012-5080, CVE-2012-3159, CVE-2012-5068, CVE-2012-4416, CVE-2012-5074, CVE-2012-5071, CVE-2012-5069, CVE-2012-5067, CVE-2012-5070, CVE-2012-5075, CVE-2012-5073, CVE-2012-5079, CVE-2012-5072, CVE-2012-5081, CVE-2012-5082, CVE-2012-3216, CVE-2012-5077, CVE-2012-5085

September 25, 2012
SE-2012-01 Critical security issue affecting Java SE 5/6/7

Java SE 5u22 and earlier, 6u35 and earlier, and 7u7 and earlier contain a critical vulnerability that allows an attacker to achieve a complete bypass of the Java security sandbox. Later versions of Java SE may also be vulnerable. This issue is distinct from the other issue tracked under the SE-2012-01 reference number. A fix is not yet available from the vendor.

September 04, 2012
Oracle Security Alert for CVE-2012-4681

This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment. CVE-2012-4681 (7u6 and earlier) CVE-2012-1682 (7u6 and earlier) CVE-2012-3136 (7u6 and earlier) CVE-2012-0547 (7u6 and earlier, 6u34 and earlier)

August 20, 2012
SA45173 - Sun Java JRE Insecure Executable Loading Vulnerability

ACROS Security has discovered a vulnerability in Sun Java, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by the application loading an executable file in an insecure manner when an out-of-memory condition occurs. This can be exploited to execute arbitrary programs by tricking a user into e.g. opening an HTML file that loads an applet located on a remote WebDAV or SMB share. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 6 update 26 (build 1.6.0_26-b03). Other versions may also be affected.

August 20, 2012
Java Hash Collision Denial Of Service Vulnerability

Java is prone to a denial-of-service vulnerability. An attacker can exploit this issue by sending specially crafted forms in HTTP POST requests. Successful exploits will allow attackers to cause a denial-of-service condition. Java 7 and prior are vulnerable. Additional information: CAInternal20120104-01: Security Notice for hash collision vulnerabilities
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.kb.cert.org/vuls/id/903934

August 20, 2012
SE-2012-01 Security vulnerabilities in Java SE

Security Explorations has reported multiple critical security vulnerabilities in Java Platform, Standard Edition. Most of these issues remain unpatched. For details, see http://marc.info/?l=full-disclosure&m=133961363811593&w=2 and http://www.security-explorations.com/en/SE-2012-01.html

August 20, 2012
Oracle Java SE Critical Patch Update Advisory - June 2012

Java JDK, JRE, and SDK contain multiple vulnerabilities. For details, see http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html. References: CVE-2012-1713, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1725, CVE-2012-1716, CVE-2012-1711, CVE-2012-1726, CVE-2012-0551, CVE-2012-1719, CVE-2012-1724, CVE-2012-1718, CVE-2012-1720, CVE-2012-1717
