Oracle Java SE 7 < Update 11 Multiple Vulnerabilities

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a programming platform that is
potentially affected by multiple vulnerabilities.

Description :

The version of Oracle (formerly Sun) Java SE or Java for Business
installed on the remote host is earlier than 7 Update 11 and is,
therefore, potentially affected by the following security issues :

- An unspecified issue exists in the Libraries
component. (CVE-2012-3174)

- An error exists in the 'MBeanInstantiator.findClass'
method that could allow remote, arbitrary code execution.
(CVE-2013-0422)

Note that, according to the advisory, these issues apply to client
deployments of Java only and can only be exploited through untrusted
'Java Web Start' applications and untrusted Java applets.

See also :

http://www.zerodayinitiative.com/advisories/ZDI-13-002/
http://www.nessus.org/u?eaf95a3d
http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

Solution :

Update to JDK / JRE 7 Update 11 or later and, if necessary, remove any
affected versions.
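
The version test described above (Java SE 7 earlier than Update 11) can be re-run over collected `java -version` output to confirm the update reached every host. This is an added example, not Tenable's plugin code; the host names and sample output are constructed, and Java 6 and earlier are treated as out of scope because this check covers Java SE 7 only.

```python
import re

FIXED_UPDATE = 11  # from the advisory: 7 Update 11 is the first fixed release


def parse_java_version(text):
    """Return (major, update) from `java -version` output, or None."""
    m = re.search(r'version\s+"([^"]+)"', text)
    raw = m.group(1) if m else text.strip()
    # Legacy scheme: 1.7.0_10 or 1.7.0_10-b18; bare 1.7.0 means update 0.
    legacy = re.match(r'1\.(\d+)\.\d+(?:_(\d+))?', raw)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    # Java 9 and later dropped the "1." prefix (for example 17.0.2).
    modern = re.match(r'(\d+)', raw)
    if modern and int(modern.group(1)) >= 9:
        return int(modern.group(1)), 0
    return None


def is_affected(text):
    """True for Java 7 below Update 11, False otherwise, None if unparseable."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    return major == 7 and update < FIXED_UPDATE


# Constructed inventory: host name -> captured `java -version` output.
SAMPLE = {
    "ws-01": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "ws-02": 'java version "1.7.0_11"',
    "ws-03": 'java version "1.7.0"',
    "ws-04": 'java version "1.6.0_38"',   # not Java 7: outside this check
    "ws-05": 'openjdk version "17.0.2" 2022-01-18',
    "ws-06": "'java' is not recognized as an internal or external command",
}


def report(inventory):
    """Map each host to AFFECTED, ok, or unknown (output could not be parsed)."""
    labels = {True: "AFFECTED", False: "ok", None: "unknown"}
    return {host: labels[is_affected(out)] for host, out in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE).items()):
        print(host, status)
```

Hosts reported as unknown need a manual look, since a missing `java` on the PATH does not prove that no JRE is installed.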

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 63521

Bugtraq ID: 57246, 57312

CVE ID: CVE-2012-3174, CVE-2013-0422