JPCERT-AT-2012-0028
JPCERT/CC
2012-08-31 (First edition)
2012-09-03 (Updated)
<<< JPCERT/CC Alert 2012-08-31 >>>
Vulnerabilities in Java SE, August 2012
https://www.jpcert.or.jp/english/at/2012/at120028.html
I. Overview
Multiple vulnerabilities exist in Oracle’s Java SE JDK and JRE. If
these vulnerabilities are exploited, a remote attacker may execute
arbitrary code on systems. For more information, refer to the Oracle
website.
*** Update: Revised on 3 September, 2012 *****************************
Oracle
Java SE Development Kit 7 Update 7 Release Notes
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
An exploit code for CVE-2012-4681 is publicly available; it has been
confirmed that exploit kits leveraging this vulnerability has been
found. After testing the exploit code, JPCERT/CC has found that the
code may attackers to execute arbitrary code.
Incidents have also been reported regarding malicious web sites that
leverages this vulnerability.
Oracle
Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
*** Update: Revised on 3 September, 2012 *****************************
Attack activity targeting this vulnerability may increase in the
future, so we recommend updating the software provided by Oracle as
soon as possible.
II. Products affected
Affected products and versions are as follows:
JDK and JRE 7 Update 6 and earlier
JDK and JRE 6 Update 34 and earlier
* JDK and JRE 6 is not affected by CVE-2012-4681.
III. Test results from JPCERT/CC
JPCERT/CC has tested the exploit code for this vulnerability CVE-2012-4681.
[Test environment]
OS: Windows 7 SP1 (with the August 2012 security update already applied)
Browser: Internet Explorer 9
- Test results with JRE 7 Update 6
JPCERT/CC has confirmed that under the above test environment with
JRE 7 update 6 installed, when executing the exploit code, it
allows the execution of arbitrary code.
It has also been confirmed that this vulnerability does not affect
JRE 7 Update 7.
IV. Solution
Oracle has released an update. Please update to the latest version.
- Java SE JDK and JRE 7 Update 7
- Java SE JDK and JRE 6 Update 35
Java Downloads for All Operating Systems:
http://java.com/en/download/manual.jsp?locale=en
* Oracle has announced that support for Java SE 6 will end in
February 2013. User should update to Java 7 before February 2013.
Java 6 End of Public Updates extended to February 2013
https://blogs.oracle.com/henrik/entry/java_6_eol_h_h
Java 6 Auto-Update to Java 7
http://www.oracle.com/technetwork/java/javase/documentation/autoupdate-1667051.html
V. References
Oracle
Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Oracle
Java SE Development Kit 7 Update 7 Release Notes
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
Oracle
Security Alert for CVE-2012-4681 Released
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
JVNTA12-240A
Vulnerability Found in Oracle Java 7
https://jvn.jp/cert/JVNTA12-240A/index.html
US-CERT Vulnerability Note VU#636312
Oracle Java JRE 1.7 allows untrusted code to set arbitrary Security Manager Permissions
http://www.kb.cert.org/vuls/id/636312
IBM Tokyo SOC Report
Status of Detection of Attacks against Zero-Day Vulnerability of JRE / JDK Version 7
https://www-304.ibm.com/connections/blogs/tokyo-soc/entry/java_0day_20120830?lang=ja
If you have any information regarding this alert, please contact
JPCERT/CC.
________
Revision history
2012-08-31 First edition
2012-09-03 Information added in “I. Overview”
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top