Multiple vulnerabilities have been reported in Oracle Java. Some can be exploited by malicious local users to disclose potentially sensitive information, manipulate certain data, and cause a DoS (Denial of Service); others can be exploited by remote attackers to conduct cross-site scripting attacks, disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.
Release Date: 2012-06-13
Severity: High
Impact:
· Cross Site Scripting
· Manipulation of data
· Exposure of sensitive information
· DoS
· System access
Software:
· Oracle Java JDK 1.7.x / 7.x
· Oracle Java JRE 1.7.x / 7.x
· Sun Java JDK 1.5.x
· Sun Java JDK 1.6.x / 6.x
· Sun Java JRE 1.4.x
· Sun Java JRE 1.5.x / 5.x
· Sun Java JRE 1.6.x / 6.x
· Sun Java SDK 1.4.x
CVE Reference(s)
CVE-2012-0551
CVE-2012-1711
CVE-2012-1713
CVE-2012-1716
CVE-2012-1717
CVE-2012-1718
CVE-2012-1719
CVE-2012-1720
CVE-2012-1721
CVE-2012-1722
CVE-2012-1723
CVE-2012-1724
CVE-2012-1725
CVE-2012-1726
Description
1) An error in the 2D subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets, or via specially crafted data passed to certain APIs (so server-side code that feeds untrusted input to those APIs is also affected).
2) An error in the Deployment subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
3) An error in the Deployment subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
4) An error in the Hotspot subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
5) An error in the Hotspot subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
6) An error in the Swing subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
Successful exploitation of vulnerabilities #1 through #6 may allow execution of arbitrary code.
7) An error in the CORBA subcomponent can be exploited to disclose and manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
8) An error in the Libraries subcomponent can be exploited to disclose and manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
9) An error in the Deployment subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
10) An error in the CORBA subcomponent can be exploited to manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.
11) An error in the JAXP subcomponent can be exploited to manipulate some data and cause a DoS via untrusted Java Web Start applications and untrusted Java applets, or via specially crafted data passed to certain APIs (server-side code that feeds untrusted input to those APIs is also affected).
12) An error in the Security subcomponent can be exploited to cause a DoS via untrusted Java Web Start applications and untrusted Java applets, or via specially crafted data passed to certain APIs.
13) An error in the Networking subcomponent can be exploited by local users to manipulate some data and cause a DoS; this affects server deployments running on Solaris only.
14) An error in the printing functionality, due to temporary spool files being created with insecure permissions, can be exploited by local users to read the contents of documents printed by other users.
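Item 14 is a classic temporary-file permission bug. The Python example below is added here and is not part of the advisory or of Oracle's code: it shows the weak pattern (creating the spool file and letting the process umask decide its mode) beside the hardened form (mode 0600 requested at creation time, with O_EXCL so a file or symlink planted by another user is never opened), plus a small audit that flags spool files other users can read. The directory, file names and print job contents are constructed for the example.

```python
import os
import stat
import tempfile

# Constructed sample print job; the file names and contents are made up.
SAMPLE_JOB = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n(payroll) show\n"


def create_spool_insecure(spool_dir: str, name: str, data: bytes) -> str:
    """Weak pattern: let the default umask decide the mode.

    With the common umask 022 the file ends up 0644, so any local user can
    read the job while it sits in the spool directory.
    """
    path = os.path.join(spool_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def create_spool_private(spool_dir: str, name: str, data: bytes) -> str:
    """Hardened form: request 0600 at creation time and refuse to reuse a
    path that already exists (O_EXCL). The umask can only clear bits, so
    the result is at most 0600 whatever the caller's umask is."""
    path = os.path.join(spool_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def audit_spool_dir(spool_dir: str) -> list:
    """Return (name, octal mode) for every regular file in spool_dir that
    is readable by group or others."""
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((name, oct(mode)))
    return findings


def demo(umask: int = 0o022) -> list:
    """Create one job each way under an explicit umask (set so the result is
    reproducible, then restored) and audit the directory."""
    spool_dir = tempfile.mkdtemp(prefix="spool-")
    old_umask = os.umask(umask)
    try:
        create_spool_insecure(spool_dir, "job1.ps", SAMPLE_JOB)
        create_spool_private(spool_dir, "job2.ps", SAMPLE_JOB)
    finally:
        os.umask(old_umask)
    return audit_spool_dir(spool_dir)


if __name__ == "__main__":
    print("umask 022:", demo(0o022))  # only job1.ps is flagged
    print("umask 077:", demo(0o077))  # nothing flagged: the umask merely hid the bug
```

Running the demo twice shows why this class of bug survives testing: under a restrictive umask (077) both files come out 0600 and the audit is clean, while under the default 022 the insecure job is world-readable. Requesting the mode at creation time is the only form that is correct regardless of the environment.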
Solution
Apply the updates provided with the Oracle Java Critical Patch Update for June 2012 (see Original Advisory below).
It is currently unclear who reported which of these vulnerabilities, as the Oracle Java Critical Patch Update for June 2012 only provides a bundled list of credits. This section will be updated if the original reporters provide more information.
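To confirm that the update actually landed, parse the `java -version` banner rather than eyeballing it: Java's `1.x.y_NN` numbering sorts badly as a string (`1.7.0_04` versus `1.7.0_05`, `1.6.0_9` versus `1.6.0_33`). The Python example below is added here and is not part of the advisory. The thresholds in FIXED_VERSIONS are an assumption recorded from the Oracle Critical Patch Update for June 2012 linked under Original Advisory; confirm them against that page before trusting the result. The sample banners are constructed, not captured from a real host.

```python
import re
import subprocess

# First release of each Java family that contains the June 2012 CPU fixes.
# ASSUMPTION for this example: these values are taken from Oracle's CPU page
# linked in the advisory; confirm them there before relying on the result.
FIXED_VERSIONS = {
    (1, 7): (1, 7, 0, 5),    # Java SE 7 Update 5
    (1, 6): (1, 6, 0, 33),   # Java SE 6 Update 33
    (1, 5): (1, 5, 0, 36),   # Java SE 5.0 Update 36
    (1, 4): (1, 4, 2, 38),   # Java SE 1.4.2_38
}

# Matches the first line of `java -version`, e.g.  java version "1.6.0_31-b04"
_BANNER_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> tuple:
    """Turn a `java -version` banner into a comparable (major, minor, micro,
    update) tuple. Build suffixes such as -b04 are ignored."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("unrecognised java -version output: %r" % banner)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(version: tuple):
    """True/False against the table above; None for a family this CPU does
    not cover (for instance post-2012 numbering such as 11.0.2)."""
    family = version[:2]
    if family not in FIXED_VERSIONS:
        return None
    return version >= FIXED_VERSIONS[family]


def check_banner(banner: str) -> str:
    result = is_patched(parse_java_version(banner))
    if result is None:
        return "not covered"
    return "patched" if result else "vulnerable"


def check_installed(java: str = "java") -> str:
    """Run the real binary; `java -version` writes its banner to stderr."""
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return check_banner(proc.stderr or proc.stdout)


# Constructed sample banners, not captured from a real host.
SAMPLE_BANNERS = [
    'java version "1.7.0_04"\nJava(TM) SE Runtime Environment (build 1.7.0_04-b20)',
    'java version "1.7.0_05"\nJava(TM) SE Runtime Environment (build 1.7.0_05-b05)',
    'java version "1.6.0_31"',
    'java version "1.6.0_33-b03"',
    'java version "1.4.2_38"',
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(parse_java_version(banner), check_banner(banner))
```

Run `check_installed()` (or `check_installed("/path/to/jre/bin/java")`) on each host; on machines with several JREs side by side, check every installation the browser plugin or application server actually loads, not just the one first on PATH.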
Original Advisory
Oracle:
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
NOTE: The information provided is on an "as is" basis, without assurance of any kind.