Oracle released its Java Critical Patch Update (CPU) for October 2012 on Tuesday, October 16. This CPU contains 30 security vulnerability fixes and concerns the “Java Runtime Environment” and “JavaFX” components. All 30 of these vulnerabilities may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 15 vulnerabilities have a CVSS base score greater than or equal to 7.0.
As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you may also know, security researchers disagree with the way Oracle uses CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating that doesn’t exist in CVSS 2.0, and by interpreting the “Complete” rating differently from how it is defined in CVSS 2.0.
Affected products are:
- JDK and JRE 7 Update 7 and earlier
- JDK and JRE 6 Update 35 and earlier
- JDK and JRE 5.0 Update 36 and earlier
- SDK and JRE 1.4.2_38 and earlier
- JavaFX 2.2 and earlier
The CVSS base scores are:
- 10.0: CVE-2012-5083, CVE-2012-1531, CVE-2012-5086, CVE-2012-5087, CVE-2012-1533, CVE-2012-1532, CVE-2012-5076, CVE-2012-3143, CVE-2012-5088 and CVE-2012-5078
- 7.6: CVE-2012-5089, CVE-2012-5084 and CVE-2012-5080
- 7.5: CVE-2012-3159 and CVE-2012-5068
- 6.4: CVE-2012-4416, CVE-2012-5074 and CVE-2012-5071
- 5.8: CVE-2012-5069
- 5.0: CVE-2012-5067, CVE-2012-5070, CVE-2012-5075, CVE-2012-5073, CVE-2012-5079, CVE-2012-5072, CVE-2012-5081 and CVE-2012-5082
- 2.6: CVE-2012-3216 and CVE-2012-5077
- 0.0: CVE-2012-5085