CVE-2013-2461HIGH
Description
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier; the Oracle JRockit component in Oracle Fusion Middleware R27.7.5 and earlier and R28.2.7 and earlier; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June and July 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass verification of XML signatures via vectors related to a "Missing check for [a] valid DOMCanonicalizationMethod canonicalization algorithm."
References
http://advisories.mageia.org/MGASA-2013-0185.html
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/abe9ea5a50d2
http://marc.info/?l=bugtraq&m=137545505800971&w=2
http://marc.info/?l=bugtraq&m=137545592101387&w=2
http://rhn.redhat.com/errata/RHSA-2013-0963.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://secunia.com/advisories/54154
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2013:183
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/60645
http://www.us-cert.gov/ncas/alerts/TA13-169A
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://access.redhat.com/errata/RHSA-2014:0414
https://bugzilla.redhat.com/show_bug.cgi?id=975126
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16887
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19565
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19582
Details
Source: MITRE
Published: 2013-06-18
Updated: 2019-07-18
Type: NVD-CWE-noinfo
Risk Information
CVSS v2.0
Base Score: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 10
Severity: HIGH
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:oracle:jdk:1.6.0:update_22:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_23:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_24:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_25:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_26:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_27:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_29:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_30:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_31:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_32:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_33:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_34:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_35:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_37:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_38:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_39:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_41:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update_43:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update1_b06:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*
Configuration 2
OR
cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
Configuration 3
OR
cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:* versions from r27.7.1 to r27.7.5 (inclusive)
cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:* versions from r28.0.0 to r28.2.7 (inclusive)
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 89668 | VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2013-0012) (remote check) | Nessus | Misc. | critical |
| 79011 | RHEL 5 / 6 : java-1.6.0-sun (RHSA-2014:0414) | Nessus | Red Hat Local Security Checks | critical |
| 77326 | Juniper NSM < 2012.2R9 Multiple Java and Apache Vulnerabilities (JSA10642) | Nessus | Misc. | critical |
| 76303 | GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT) | Nessus | Gentoo Local Security Checks | critical |
| 75101 | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:1288-1) | Nessus | SuSE Local Security Checks | critical |
| 72139 | GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT) | Nessus | Gentoo Local Security Checks | critical |
| 71861 | IBM Domino 9.x < 9.0.1 Multiple Vulnerabilities (credentialed check) | Nessus | Windows | critical |
| 71859 | IBM Domino 9.x < 9.0.1 Multiple Vulnerabilities (uncredentialed check) | Nessus | Misc. | critical |
| 70744 | IBM Notes 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities | Nessus | Windows | critical |
| 70743 | IBM Domino 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities | Nessus | Windows | critical |
| 70742 | IBM Domino 8.5.x < 8.5.3 FP 5 Multiple Vulnerabilities | Nessus | Misc. | critical |
| 70612 | VMware Security Updates for vCenter Server (VMSA-2013-0012) | Nessus | Misc. | critical |
| 69765 | Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-207) | Nessus | Amazon Linux Local Security Checks | critical |
| 69762 | Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-204) | Nessus | Amazon Linux Local Security Checks | critical |
| 69305 | Oracle JRockit R27 < R27.7.6 / R28 < R28.2.8 Unspecified Vulnerability (July 2013 CPU) | Nessus | Windows | high |
| 69084 | Debian DSA-2727-1 : openjdk-6 - several vulnerabilities | Nessus | Debian Local Security Checks | critical |
| 69071 | SuSE 11.3 Security Update : java-1_7_0-openjdk (SAT Patch Number 8090) | Nessus | SuSE Local Security Checks | critical |
| 69031 | Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-1908-1) | Nessus | Ubuntu Local Security Checks | critical |
| 69029 | SuSE 11.2 Security Update : java-1_6_0-openjdk (SAT Patch Number 8084) | Nessus | SuSE Local Security Checks | critical |
| 68926 | Ubuntu 12.04 LTS / 12.10 / 13.04 : icedtea-web update (USN-1907-2) | Nessus | Ubuntu Local Security Checks | critical |
| 68925 | Ubuntu 12.10 / 13.04 : openjdk-7 vulnerabilities (USN-1907-1) | Nessus | Ubuntu Local Security Checks | critical |
| 68889 | Debian DSA-2722-1 : openjdk-7 - several vulnerabilities | Nessus | Debian Local Security Checks | critical |
| 68842 | Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2013-1014) | Nessus | Oracle Linux Local Security Checks | critical |
| 68837 | Oracle Linux 5 : java-1.7.0-openjdk (ELSA-2013-0958) | Nessus | Oracle Linux Local Security Checks | critical |
| 68836 | Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2013-0957) | Nessus | Oracle Linux Local Security Checks | critical |
| 67185 | Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x i386/x86_64 (20130703) | Nessus | Scientific Linux Local Security Checks | critical |
| 67184 | RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2013:1014) | Nessus | Red Hat Local Security Checks | critical |
| 67183 | CentOS 5 / 6 : java-1.6.0-openjdk (CESA-2013:1014) | Nessus | CentOS Local Security Checks | critical |
| 67012 | Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:183) | Nessus | Mandriva Local Security Checks | critical |
| 66951 | Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20130620) | Nessus | Scientific Linux Local Security Checks | critical |
| 66950 | Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20130620) | Nessus | Scientific Linux Local Security Checks | critical |
| 66948 | RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0963) | Nessus | Red Hat Local Security Checks | critical |
| 66947 | CentOS 5 : java-1.7.0-openjdk (CESA-2013:0958) | Nessus | CentOS Local Security Checks | critical |
| 66946 | CentOS 6 : java-1.7.0-openjdk (CESA-2013:0957) | Nessus | CentOS Local Security Checks | critical |
| 66943 | Oracle Java SE Multiple Vulnerabilities (June 2013 CPU) (Unix) | Nessus | Misc. | critical |
| 66940 | RHEL 5 : java-1.7.0-openjdk (RHSA-2013:0958) | Nessus | Red Hat Local Security Checks | critical |
| 66939 | RHEL 6 : java-1.7.0-openjdk (RHSA-2013:0957) | Nessus | Red Hat Local Security Checks | critical |
| 6877 | Oracle Java SE Multiple Vulnerabilities (June 2013 CPU Update) | Nessus Network Monitor | Web Clients | critical |
| 66932 | Oracle Java SE Multiple Vulnerabilities (June 2013 CPU) | Nessus | Windows | critical |
| 66929 | Mac OS X : Java for Mac OS X 10.6 Update 16 | Nessus | MacOS X Local Security Checks | critical |
| 66928 | Mac OS X : Java for OS X 2013-004 | Nessus | MacOS X Local Security Checks | critical |