CVE-2013-1537 Information

Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier 6 Update 43 and earlier and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality integrity and availability via vectors related to RMI. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to the default java.rmi.server.useCodebaseOnly setting of false which allows remote attackers to perform \dynamic class downloading\ and execute arbitrary code.

Reference

http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/ http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/ http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880 http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/f098e2297ff1 http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/096ed306159f http://lists.apple.com/archives/security-announce/2013/Apr/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00007.html http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html http://marc.info/?l=bugtraq&m=137283787217316&w=2 http://rhn.redhat.com/errata/RHSA-2013-0752.html http://rhn.redhat.com/errata/RHSA-2013-0757.html http://rhn.redhat.com/errata/RHSA-2013-0758.html http://rhn.redhat.com/errata/RHSA-2013-1455.html http://rhn.redhat.com/errata/RHSA-2013-1456.html http://seclists.org/fulldisclosure/2013/Feb/18 http://security.gentoo.org/glsa/glsa-201406-32.xml http://www.mandriva.com/security/advisories?name=MDVSA-2013:145 http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 http://www.mandriva.com/security/advisories?name=MDVSA-2013:161 http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.htmlrmichanges http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html http://www.security-explorations.com/en/SE-2012-01-details.html http://www.securityfocus.com/bid/59194 http://www.ubuntu.com/usn/USN-1806-1 http://www.us-cert.gov/ncas/alerts/TA13-107A https://bugzilla.redhat.com/show_bug.cgi?id=952387 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A16578 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A19385 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A19550 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130