US-CERT Alert TA13-064A: Oracle Java Contains Multiple Vulnerabilities

tronayne · 03-07-2013, 06:16 AM

National Cyber Awareness System
TA13-064A: Oracle Java Contains Multiple Vulnerabilities

Original release date: March 05, 2013

Systems Affected

* Any system using Oracle Java 7, 6, 5 (1.7, 1.6, 1.5) including
* Java Platform Standard Edition 7 (Java SE 7)
* Java Platform Standard Edition 6 (Java SE 6)
* Java Platform Standard Edition 6 (Java SE 5)
* Java SE Development Kit (JDK 7)
* Java SE Development Kit (JDK 6)
* Java SE Development Kit (JDK 5)
* Java SE Runtime Environment (JRE 7)
* Java SE Runtime Environment (JRE 6)
* Java SE Runtime Environment (JRE 5)
* OpenJDK 6 and 6u
* IcedTea 1.x (IcedTea6 1.x)

All versions of Java 7 through update 15, Java 6 through update 41, and
Java 5.0 through update 40 are affected. Web browsers using
the Java 5, 6 or 7 plug-in are at high risk.

See http://www.linuxquestions.org/questi...5/#post4906617.

Go to http://www.oracle.com/technetwork/ja...ads/index.html to download either the JDK or JRE tar.gz (note that JRE in included with JDK).

Hope this helps some.

Alien Bob · 03-07-2013, 08:25 AM

... OpenJDK 7u is not listed there, nor the IcedTea 2.x which was used to build it. Still, I suppose that an update to OpenJDK is coming soon.

Eric

tronayne · 03-07-2013, 08:39 AM

US-CERT doesn't report OpenJDK, might be nice, but they don't; the concern is for the widest installed base affecting pretty much everybody. The FOSS projects you see at US-CERT would include MySQL, for example, but nothing else I can think of off-hand.

We're on our own, gotta rely on distributions (like today's sudo update), alas.

Alien Bob · 03-07-2013, 08:53 AM

Quote:

Originally Posted by tronayne

US-CERT doesn't report OpenJDK, might be nice, but they don't; the concern is for the widest installed base affecting pretty much everybody. The FOSS projects you see at US-CERT would include MySQL, for example, but nothing else I can think of off-hand.

We're on our own, gotta rely on distributions (like today's sudo update), alas.

The following text was part of your post - I assume it was copied from the US-CERT page:

Code:

* OpenJDK 6 and 6u
* IcedTea 1.x (IcedTea6 1.x)

That is why I said that OpenJDK 7u (being the version of the package I compile and distribute) is not on the list.

Eric

sizemj · 03-07-2013, 09:14 AM

Yep JRE 7 update 17 came out on Monday to address this. Java and Swiss cheese have a lot in Common : )

http://www.oracle.com/technetwork/ja...ads/index.html

tronayne · 03-07-2013, 09:33 AM

Well, duh! Probably ought to read the entire thing, eh?

So, I suppose that when Oracle releases the open guys get notified and do their thing and, yup, US-CERT picks up on all of it. Usually seems to take a couple of days for the notices to get sent out, think they check (closer than I do, huh?) and get everything into one bundle before the do their thing.

The important thing is not how dumb I am but that the notice gets sent, everybody gets to download and fiddle-faddle around and that you do not want the Java Plug-in enabled in any browser unless you absolutely need it for some (trusted) web site or other.