Oracle Java WebStart BasicService.showDocument() code execution

javase-jre-cve20121713 (76239) The risk level is classified as High Risk

Description:

Oracle Java WebStart could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the BasicService.showDocument() function. A remote attacker could exploit this vulnerability by persuading a victim to visit a malicious Web page.
Consequences:

Gain Access

Remedy:

Refer to Oracle Java SE Critical Patch Update Advisory - June 2012 for patch, upgrade or suggested workaround information. See References.

For other distributions:
Contact your vendor for patch or upgrade information.

References:

  • HT5319: About the security content of Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9.
  • IBM Security Alerts: Oracle August 2012 Security Alert.
  • IBM Security Bulletin 1615246: WebSphere MQ Security Vulnerability: multiple security vulnerabilities in IBM JRE 5.0.
  • IBM Security Bulletin 1615854: Potential security vulnerability in CLM 3.x products for the Oracle June 2012 CPU (CVE-2012-1713).
  • IBM Security Bulletin 1617572: Potential security exposure when using IBM IMS Audit Management Expert for z/OS due to vulnerabilities in Java JRE5.
  • IBM Security Bulletin 1632668: IBM Tivoli System Automation for Multiplatforms.
  • IBM Security Bulletin 1633991: Tivoli System Automation Application Manager 3.2.2.
  • Oracle Java SE Critical Patch Update Advisory - June 2012.
  • ZDI-12-142: Oracle Java WebStart Browser Argument Injection Remote Code Execution Vulnerability.
  • BID-53946: Oracle Java SE CVE-2012-1713 Remote Code Execution Vulnerability.
  • CVE-2012-1713: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, 1.4.2_37 and earlier, and JavaFX 2.1 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
  • DSA-2507: openjdk-6 -- several vulnerabilities.
  • OSVDB ID: 82874: Oracle Java SE / JRE 2D Sub-component Unspecified Remote Code Execution.
  • RHSA-2012-0729: Critical: java-1.6.0-openjdk security update.
  • RHSA-2012-0730: Important: java-1.6.0-openjdk security update.
  • RHSA-2012-0734: Critical: java-1.6.0-sun security update.
  • RHSA-2012-1009: Important: java-1.7.0-openjdk security and bug fix update.
  • RHSA-2012-1019: Critical: java-1.7.0-oracle security update.
  • RHSA-2012-1238: Critical: java-1.6.0-ibm security update.
  • RHSA-2012-1243: Critical: java-1.4.2-ibm security update.
  • RHSA-2012-1245: Critical: java-1.5.0-ibm security update.
  • RHSA-2012-1289: Critical: java-1.7.0-ibm security update.
  • RHSA-2012-1332: Moderate: java-1.4.2-ibm-sap security update.
  • SA49472: Oracle Java Multiple Vulnerabilities.
  • SA49475: Oracle JavaFX 2D Unspecified Code Execution Vulnerability.
  • SA49542: Apple Mac OS X update for Java.
  • SA50607: IBM Java 7 Multiple Vulnerabilities.
  • SA51169: IBM Rational Products Java Font Parsing Vulnerability.
  • SA51342: IBM IMS Audit Management Expert Java Multiple Vulnerabilities.
  • SA51379: IBM Security AppScan Source Java Multiple Vulnerabilities.
  • SA53006: IBM Tivoli System Automation Application Manager Multiple Vulnerabilities.

Platforms Affected:

  • IBM IMS Audit Management Expert for z/OS 1.2.0
  • IBM Java 7.0
  • IBM Rational Quality Manager 3.0.1
  • IBM Rational Quality Manager 3.0.1.1
  • IBM Rational Quality Manager 3.0.1.2
  • IBM Rational Quality Manager 3.0.1.3
  • IBM Rational Quality Manager 3.0.1.4
  • IBM Tivoli System Automation Application Manager 3.2.2
  • IBM Tivoli System Automation for Multiplatforms 3.1
  • IBM Tivoli System Automation for Multiplatforms 3.2
  • IBM Tivoli System Automation for Multiplatforms 3.2.1
  • IBM Tivoli System Automation for Multiplatforms 3.2.2
  • IBM WebSphere MQ 7.0
  • Oracle JavaFX 2.1
  • Oracle JDK 1.1.6.0 Update32
  • Oracle JDK 1.7.0 Update4
  • Oracle JRE 1.1.6.0 Update32
  • Oracle JRE 1.7.0 Update4
  • RedHat Enterprise Linux 5
  • RedHat Enterprise Linux 5 Client
  • RedHat Enterprise Linux 6 Server
  • RedHat Enterprise Linux 6 Workstation
  • RedHat Enterprise Linux Desktop 6
  • RedHat Enterprise Linux Desktop Supplementary 6
  • RedHat Enterprise Linux for SAP
  • RedHat Enterprise Linux HPC Node 6
  • RedHat Enterprise Linux HPC Node Supplementary 6
  • RedHat Enterprise Linux Server Supplementary 6
  • RedHat Enterprise Linux Workstation Supplementary 6
  • RedHat RHEL Desktop Supplementary 5 Client
  • RedHat RHEL Supplementary 5 Server
  • Sun JDK 1.1.5.0 Update35
  • Sun JDK 1.4.2_37
  • Sun JRE 1.1.5.0 Update35
  • Sun JRE 1.4.2_37

Reported:

Jun 12, 2012

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com