SUSE-SU-2013:1677

RHSA-2013:1507

RHSA-2013:1508

RHSA-2013:1509

RHSA-2013:1793

56338

IV51087

IV51088

http://www-01.ibm.com/support/docview.wss?uid=swg21655201

http://www-01.ibm.com/support/docview.wss?uid=swg21655202

ibm-java-cve20134041-priv-escalation(86416)

https://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2013

IBM Java 5 SR16-FP4 has been released which fixes lots of bugs and security issues.

More information can be found on :

http://www.ibm.com/developerworks/java/jdk/alerts/

CVEs fixed: CVE-2013-4041, CVE-2013-5375, CVE-2013-5372, CVE-2013-5843, CVE-2013-5830, CVE-2013-5829, CVE-2013-5842, CVE-2013-5782, CVE-2013-5817, CVE-2013-5809, CVE-2013-5814, CVE-2013-5802, CVE-2013-5804, CVE-2013-5783, CVE-2013-3829, CVE-2013-4002, CVE-2013-5774, CVE-2013-5825, CVE-2013-5840, CVE-2013-5801, CVE-2013-5778, CVE-2013-5849, CVE-2013-5790, CVE-2013-5780, CVE-2013-5797, CVE-2013-5803

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Network Satellite Server 5.4, 5.5 and 5.6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Network Satellite Server 5.4, 5.5 and 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets.

Several flaws were fixed in the IBM Java 2 Runtime Environment.
(CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5457, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)

Users of Red Hat Network Satellite Server 5.4, 5.5 and 5.6 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR15 release. For this update to take effect, Red Hat Network Satellite Server must be restarted ('/usr/sbin/rhn-satellite restart'), as well as all running instances of IBM Java.

The remote host has a version of IBM Notes (formerly Lotus Notes) 8.0.x / 8.5.x / 9.0.x that is bundled with an IBM Java version prior to 1.6 SR15 FP1. It is, therefore, affected by the vulnerabilities mentioned in the Oracle Java Critical Patch Update advisories for October 2013 and January 2014.

The remote host has a version of IBM Domino (formerly Lotus Domino) 8.0.x / 8.5.x / 9.0.x that is bundled with an IBM Java version prior to 1.6 SR15 FP1. It is, therefore, affected by the vulnerabilities mentioned in the Oracle Java Critical Patch Update advisories for October 2013 and January 2014.

According to its version, the IBM Domino (formerly IBM Lotus Domino) on the remote host is 9.x prior to 9.0.1 Fix Pack 1 (FP1). It is, therefore, affected by the following vulnerabilities :

  - A stack overflow issue exists due to the insecure     '-z execstack' flag being used during compilation, which     could aid remote attackers in executing arbitrary code.
    Note that this issue only affects installs on 32-bit     hosts running Linux. (CVE-2014-0892)

  - Note that the fixes in the Oracle Java CPUs for     October 2013 and January 2014 are included in the fixed     IBM Java release, which is included in the fixed IBM     Domino release. (CVE-2013-0408, CVE-2013-3829,     CVE-2013-4002, CVE-2013-4041, CVE-2013-5372,     CVE-2013-5375, CVE-2013-5456, CVE-2013-5457,     CVE-2013-5458, CVE-2013-5772, CVE-2013-5774,     CVE-2013-5776, CVE-2013-5778, CVE-2013-5780,     CVE-2013-5782, CVE-2013-5783, CVE-2013-5784,     CVE-2013-5787, CVE-2013-5788, CVE-2013-5789,     CVE-2013-5790, CVE-2013-5797, CVE-2013-5800,     CVE-2013-5801, CVE-2013-5802, CVE-2013-5803,     CVE-2013-5804, CVE-2013-5805, CVE-2013-5806,     CVE-2013-5809, CVE-2013-5812, CVE-2013-5814,     CVE-2013-5817, CVE-2013-5818, CVE-2013-5819,     CVE-2013-5820, CVE-2013-5823, CVE-2013-5824,     CVE-2013-5825, CVE-2013-5829, CVE-2013-5830,     CVE-2013-5831, CVE-2013-5832, CVE-2013-5838,     CVE-2013-5840, CVE-2013-5842, CVE-2013-5843,     CVE-2013-5848, CVE-2013-5849, CVE-2013-5850,     CVE-2013-5851, CVE-2013-5878, CVE-2013-5884,     CVE-2013-5887, CVE-2013-5888, CVE-2013-5889,     CVE-2013-5893, CVE-2013-5896, CVE-2013-5898,     CVE-2013-5899, CVE-2013-5902, CVE-2013-5904,     CVE-2013-5907, CVE-2013-5910, CVE-2014-0368,     CVE-2014-0373, CVE-2014-0375, CVE-2014-0376,     CVE-2014-0387, CVE-2014-0403, CVE-2014-0410,     CVE-2014-0411, CVE-2014-0415, CVE-2014-0416,     CVE-2014-0417, CVE-2014-0418, CVE-2014-0422,     CVE-2014-0423, CVE-2014-0424, CVE-2014-0428,     CVE-2014-0892)

IBM Java 7 SR6 has been released and fixes lots of bugs and security issues.

More information can be found on:
http://www.ibm.com/developerworks/java/jdk/alerts/

IBM Java 6 SR15 has been released and fixes lots of bugs and security issues.

More information can be found on:
http://www.ibm.com/developerworks/java/jdk/alerts/

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5774, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5814, CVE-2013-5817, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5849)

All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP4 release. All running instances of IBM Java must be restarted for this update to take effect.

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5457, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR15 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-3829, CVE-2013-4041, CVE-2013-5372, CVE-2013-5375, CVE-2013-5456, CVE-2013-5457, CVE-2013-5458, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851)

All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR6 release. All running instances of IBM Java must be restarted for the update to take effect.

ID	Name	Product	Family	Severity
83601	SUSE SLES10 Security Update : IBM Java 5 (SUSE-SU-2013:1669-1)	Nessus	SuSE Local Security Checks	critical
78984	RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1793)	Nessus	Red Hat Local Security Checks	critical
73970	IBM Notes 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities	Nessus	Windows	critical
73969	IBM Domino 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities (credentialed check)	Nessus	Windows	critical
73968	IBM Domino 9.x < 9.0.1 Fix Pack 1 Multiple Vulnerabilities (uncredentialed check)	Nessus	Misc.	high
71020	SuSE 11.2 / 11.3 Security Update : IBM Java 7 (SAT Patch Numbers 8565 / 8566)	Nessus	SuSE Local Security Checks	critical
70960	SuSE 11.2 / 11.3 Security Update : IBM Java 6 (SAT Patch Numbers 8549 / 8550)	Nessus	SuSE Local Security Checks	critical
70793	RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2013:1509)	Nessus	Red Hat Local Security Checks	critical
70792	RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2013:1508)	Nessus	Red Hat Local Security Checks	critical
70791	RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2013:1507)	Nessus	Red Hat Local Security Checks	critical

CVE-2013-4041

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins