Oracle Java Critical Patch Update June 2013 Review

Oracle has released its Java Critical Patch Update (CPU) for June 2013 on Tuesday, June 18. Of the 40 security vulnerabilities fixed in this CPU, 37 may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But, as you may also know, security researchers disagree with Oracle's usage of CVSS: Oracle plays with the CVSS score by creating a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than CVSS 2.0 defines it.

Affected products are:

  • JDK and JRE 7 Update 21 and earlier
  • JDK and JRE 6 Update 45 and earlier
  • JDK and JRE 5.0 Update 45 and earlier
  • JavaFX 2.2.21 and earlier

11 of the vulnerabilities have a CVSS base score of 10.0, 20 have a high CVSS base score (CVSS >= 7.0), 18 have a medium CVSS base score (4.0 <= CVSS < 7.0) and 2 have a low CVSS base score (CVSS < 4.0). Also, 33 of the vulnerabilities affect Java SE 6 and 38 affect Java SE 7.

Oracle Java Critical Patch Update April 2013 Review

Oracle has released its Java Critical Patch Update (CPU) for April 2013 on Tuesday, April 16. Of the 42 security vulnerabilities fixed in this CPU, 39 may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0.

This update fixes the vulnerabilities exploited by James Forshaw (tyranid), Joshua J. Drake and VUPEN Security during Pwn2Own 2013. It also fixes vulnerabilities reported by Adam Gowdiak of Security Explorations and other security researchers.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But, as you may also know, security researchers disagree with Oracle's usage of CVSS: Oracle plays with the CVSS score by creating a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than CVSS 2.0 defines it.

Affected products are:

  • JDK and JRE 7 Update 17 and earlier
  • JDK and JRE 6 Update 43 and earlier
  • JDK and JRE 5.0 Update 41 and earlier
  • JavaFX 2.2.7 and earlier

Proposed updates are:

  • JDK and JRE 7 Update 21
  • JDK and JRE 6 Update 45
  • JDK and JRE 5.0 Update 43
  • JavaFX 2.2.21

19 (45.24%) of the vulnerabilities have a CVSS base score of 10.0, 28 (66.67%) have a high CVSS base score (CVSS >= 7.0), 13 (30.95%) have a medium CVSS base score (4.0 <= CVSS < 7.0) and 1 (2.38%) has a low CVSS base score (CVSS < 4.0). Also, 25 (59.52%) of the vulnerabilities affect Java SE 6 and 42 (100%) affect Java SE 7.

Some modifications have also been made to the Security Levels provided by Oracle. Previously there were five levels (Very High, High, Medium, Low and Custom); in the new version only three levels remain (Very High, High and Medium).

(Screenshot: Oracle Java Update 21 Security Levels)

But, there is always a but with Oracle: they do not seem to have enabled, by default, revocation checking using Certificate Revocation Lists (CRLs), despite the fact that some bad guys are using valid stolen and revoked certificates to sign malware.

(Screenshot: Oracle Java Update 21 CRL checks)

So we advise you to update ASAP and enable the CRL check, if you still have the Oracle Java plug-in installed!

Oracle Java Critical Patch Update February 2013 – Special Update Review

Oracle has released a Java Critical Patch Update (CPU) Special Update for February 2013 on Tuesday, February 19. All 5 security vulnerabilities fixed in this CPU may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 3 vulnerabilities have a CVSS base score greater than or equal to 7.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But, as you may also know, security researchers disagree with Oracle's usage of CVSS: Oracle plays with the CVSS score by creating a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than CVSS 2.0 defines it.

Affected products are:

  • JDK and JRE 7 Update 13 and earlier
  • JDK and JRE 6 Update 39 and earlier
  • JDK and JRE 5.0 Update 39 and earlier
  • SDK and JRE 1.4.2_41 and earlier

CVE-2013-1487, CVE-2013-1486 and CVE-2013-1484 have a CVSS base score of 10.0.

CVE-2013-1485 has a CVSS base score of 5.0.

CVE-2013-0169 has a CVSS base score of 4.3.

Oracle Java Critical Patch Update February 2013 Review

Oracle has released its Java Critical Patch Update (CPU) for February 2013 on Friday, February 1. The initial release date was planned for February 19, but Oracle pushed this update out earlier due to the active exploitation in the wild of one of the critical vulnerabilities. Of the 50 security vulnerabilities fixed in this CPU, 49 may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 34 vulnerabilities have a CVSS base score greater than or equal to 7.0.

It is actually not clear which of these vulnerabilities is exploited in the wild, but it could be related to CVE-2013-1489, a publicly reported issue regarding the Java SE 7 security features introduced in Java SE 7 Update 10.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But, as you may also know, security researchers disagree with Oracle's usage of CVSS: Oracle plays with the CVSS score by creating a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than CVSS 2.0 defines it.

Affected products are:

  • JDK and JRE 7 Update 11 and earlier
  • JDK and JRE 6 Update 38 and earlier
  • JDK and JRE 5.0 Update 38 and earlier
  • SDK and JRE 1.4.2_40 and earlier
  • JavaFX 2.2.4 and earlier

CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0436, CVE-2013-0437, CVE-2013-0439, CVE-2013-0441, CVE-2013-0442, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0450, CVE-2013-1472, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482 and CVE-2013-1483 have a CVSS base score of 10.0.

CVE-2012-4305 and CVE-2013-1474 have a CVSS base score of 9.3.

CVE-2012-1543, CVE-2013-0419, CVE-2013-0423, CVE-2013-0429 and CVE-2013-0444 have a CVSS base score of 7.6.

CVE-2013-0351 has a CVSS base score of 7.5.

CVE-2013-0430 has a CVSS base score of 6.9.

CVE-2013-0432 has a CVSS base score of 6.4.

CVE-2013-0409, CVE-2013-0424, CVE-2013-0427, CVE-2013-0431, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0440, CVE-2013-0448, CVE-2013-0449 and CVE-2013-1473 have a CVSS base score of 5.0.

CVE-2013-0438 has a CVSS base score of 4.3.

CVE-2013-0443 has a CVSS base score of 4.0.

CVE-2013-1489 has a CVSS base score of 0.0.
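As an added illustration of the CVSS 2.0 scoring discussed in the “Partial+” paragraphs and the score lists above (example code, not part of the original posts): a small CVSS 2.0 base score calculator that accepts only the impact values the specification defines (None, Partial, Complete), so a “Partial+” rating written as P+ is rejected. The vectors used are constructed examples that reproduce scores seen in these CPUs; they are not Oracle's published vectors for any particular CVE.

```python
import math

# CVSS 2.0 base metric weights, as given in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
# Only None, Partial and Complete exist; there is no "P+" (Partial+) value.
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

METRIC_TABLES = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict of metric -> weight.

    Raises ValueError for unknown metrics, missing metrics, or values the
    specification does not define (for example a 'Partial+' impact as 'P+').
    """
    weights = {}
    for part in vector.split("/"):
        metric, _, value = part.partition(":")
        if metric not in METRIC_TABLES or value not in METRIC_TABLES[metric]:
            raise ValueError("undefined CVSS 2.0 metric/value: %r" % part)
        weights[metric] = METRIC_TABLES[metric][value]
    if set(weights) != set(METRIC_TABLES):
        raise ValueError("vector must contain all six base metrics")
    return weights


def base_score(vector):
    """Compute the CVSS 2.0 base score, rounded half-up to one decimal."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10


if __name__ == "__main__":
    # Constructed vectors reproducing some of the scores listed above.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",   # 10.0
              "AV:N/AC:M/Au:N/C:C/I:C/A:C",   # 9.3
              "AV:N/AC:H/Au:N/C:C/I:C/A:C",   # 7.6
              "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # 7.5
              "AV:N/AC:M/Au:N/C:P/I:N/A:N"):  # 4.3
        print(v, base_score(v))
```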