Oracle has provide a Java Critical Patch Update (CPU) Special Update for February 2013 how has been released on Tuesday, February 19. On the 5 security vulnerabilities, fixed in this CPU, all of them may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 3 vulnerabilities have a CVSS base score upper or equal to 7.0.

As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.

Affected products are:

  • JDK and JRE 7 Update 13 and earlier
  • JDK and JRE 6 Update 39 and earlier
  • JDK and JRE 5.0 Update 39 and earlier
  • SDK and JRE 1.4.2_41 and earlier

CVE-2013-1487, CVE-2013-1486 and CVE-2013-1484 have a CVSS base score of 10.0.

CVE-2013-1485 has a CVSS base score of 5.0.

CVE-2013-0169 has a CVSS base score of 4.3.