jdk-1.6.0_45
Errata ID: AXSA:2013-395:04
The following items have been addressed.
[Security Fix]
- The Java Runtime Environment (JRE) component in Oracle Java SE allows remote attackers to execute arbitrary code via vectors related to AWT. (CVE-2013-0401)
- The Java Runtime Environment (JRE) component in Oracle Java SE allows remote attackers to execute arbitrary code via vectors related to 2D. (CVE-2013-1491)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP. (CVE-2013-1518)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. (CVE-2013-1537)
- The Java Runtime Environment (JRE) component in Oracle Java SE has a vulnerability that allows remote attackers to affect integrity via vectors related to Deployment.
This is a different vulnerability from CVE-2013-2433. (CVE-2013-1540)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. (CVE-2013-1557)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Beans. (CVE-2013-1558)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Install. (CVE-2013-1563)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.
This is a different vulnerability from CVE-2013-2383, CVE-2013-2384, and CVE-2013-2420. (CVE-2013-1569)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.
This is a different vulnerability from CVE-2013-1569, CVE-2013-2384, and CVE-2013-2420.
(CVE-2013-2383)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.
This is a different vulnerability from CVE-2013-1569, CVE-2013-2383, and CVE-2013-2420. (CVE-2013-2384)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.
This is a different vulnerability from CVE-2013-2432 and CVE-2013-1491. (CVE-2013-2394)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect availability via vectors related to Networking. (CVE-2013-2417)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment.
(CVE-2013-2418)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect availability via vectors related to 2D. (CVE-2013-2419)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. This is a different vulnerability from CVE-2013-1569, CVE-2013-2383, and CVE-2013-2384. (CVE-2013-2420)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries. (CVE-2013-2422)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality via vectors related to JMX. (CVE-2013-2424)
- The Java Runtime Environment (JRE) in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to ImageIO. (CVE-2013-2429)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to ImageIO. (CVE-2013-2430)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.
This is a different vulnerability from CVE-2013-2394 and CVE-2013-1491.
(CVE-2013-2432)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect integrity via vectors related to Deployment.
This is a different vulnerability from CVE-2013-1540. (CVE-2013-2433)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment.
This is a different vulnerability from CVE-2013-2440. (CVE-2013-2435)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Install. (CVE-2013-2439)
- The Java Runtime Environment (JRE) component in Oracle Java SE has an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment.
This is a different vulnerability from CVE-2013-2435. (CVE-2013-2440)
The descriptions of some CVEs are quoted from JVN.
http://jvndb.jvn.jp/
jdk-1.6.0_45, which contains these fixes, has been released.
For details, refer to the following URL.
http://www.oracle.com/technetwork/java/javase/6u45-relnotes-1932876.html
Solution
1. Download JDK 6 Update 45 from the following URL.
http://www.oracle.com/technetwork/java/javase/downloads/jdk6downloads-19...
[Asianux Server 3]
jdk-6u45-linux-i586-rpm.bin
[Asianux Server 3 for x86-64]
jdk-6u45-linux-x64-rpm.bin
2. Run the following command to install it.
[Asianux Server 3]
# sh jdk-6u45-linux-i586-rpm.bin
[Asianux Server 3 for x86-64]
# sh jdk-6u45-linux-x64-rpm.bin
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via vectors related to 2D, as demonstrated by Joshua Drake during a Pwn2Own competition at CanSecWest 2013.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "missing security restrictions."
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to the default java.rmi.server.useCodebaseOnly setting of false, which allows remote attackers to perform "dynamic class downloading" and execute arbitrary code.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2433.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "missing security restrictions" in the LogStream.setDefaultStream method.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "checking of [a] glyph table" in the International Components for Unicode (ICU) Layout Engine before 51.2.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2384, and CVE-2013-2420. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "handling of [a] glyph table" in the International Components for Unicode (ICU) Layout Engine before 51.2.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2383, and CVE-2013-2420. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "font layout" in the International Components for Unicode (ICU) Layout Engine before 51.2.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2432 and CVE-2013-1491.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect availability via unknown vectors related to Networking. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an information leak involving InetAddress serialization. CVE has not investigated the apparent discrepancy between vendor reports regarding the impact of this issue.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "font processing errors" in the International Components for Unicode (ICU) Layout Engine before 51.2.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to insufficient "validation of images" in share/native/sun/awt/image/awt_ImageRep.c, possibly involving offsets.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper method-invocation restrictions by the MethodUtil trampoline class, which allows remote attackers to bypass the Java sandbox.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality via vectors related to JMX. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient class access checks" when "creating new instances" using MBeanInstantiator.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "JPEGImageWriter state corruption" when using native code, which triggers memory corruption.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; JavaFX 2.2.7 and earlier; and OpenJDK 6 and 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "JPEGImageReader state corruption" when using native code.
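Two checks a practitioner would want after following the installation steps above, as an added example that is not part of this errata or of any Oracle or Asianux tooling: first, that the java on PATH really is JDK 6 Update 45 or later (the fixed release named in the solution); second, for RMI services, that the JVM options explicitly set java.rmi.server.useCodebaseOnly=true, the property named in the CVE-2013-1537 description above, whose default of false is what permits dynamic class downloading. It assumes that the first line of `java -version 2>&1` for Sun/Oracle JDK 6 has the form `java version "1.6.0_45"` (optionally with a -bNN build suffix); the sample version lines and option strings are constructed.

```shell
#!/bin/sh
# Added example for this errata (not Asianux or Oracle code): post-install
# checks for JDK 6 Update 45 and for RMI hardening.
# Assumption: the first line of `java -version 2>&1` for Sun/Oracle JDK 6
# has the form   java version "1.6.0_45"   (possibly with a -bNN suffix).

# Print the update number from a `java -version` first line, e.g.
#   java version "1.6.0_43"  ->  43
# Fails (prints nothing) when the line is not a 1.6.0_NN version string.
jdk6_update_number() {
    _u=$(printf '%s\n' "$1" |
        sed -n 's/^java version "1\.6\.0_\([0-9][0-9]*\)[^"]*".*/\1/p')
    [ -n "$_u" ] || return 1
    printf '%s\n' "$_u"
}

# Succeed only when the line reports JDK 6 Update 45 or later, the fixed
# release for this advisory. A JDK 5 or JDK 7 line fails: this check says
# nothing about those release lines.
jdk6_is_patched() {
    _n=$(jdk6_update_number "$1") || return 1
    [ "$_n" -ge 45 ]
}

# Succeed when a whitespace-separated JVM option string explicitly pins
# -Djava.rmi.server.useCodebaseOnly=true (the property from CVE-2013-1537;
# true disables dynamic class downloading from a remote codebase).
rmi_codebase_pinned() {
    case " $1 " in
        *' -Djava.rmi.server.useCodebaseOnly=true '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs standing in for live output and real configs.
SAMPLE_OLD='java version "1.6.0_43"'
SAMPLE_NEW='java version "1.6.0_45"'
SAMPLE_OPTS_WEAK='-Xmx512m -jar rmiserver.jar'
SAMPLE_OPTS_HARD='-Xmx512m -Djava.rmi.server.useCodebaseOnly=true -jar rmiserver.jar'

for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if jdk6_is_patched "$line"; then
        printf 'OK    %s\n' "$line"
    else
        printf 'FIX   %s (older than 6u45, or not a JDK 6 line)\n' "$line"
    fi
done

for opts in "$SAMPLE_OPTS_WEAK" "$SAMPLE_OPTS_HARD"; do
    if rmi_codebase_pinned "$opts"; then
        printf 'OK    useCodebaseOnly pinned: %s\n' "$opts"
    else
        printf 'FIX   useCodebaseOnly not pinned: %s\n' "$opts"
    fi
done

# Live check of whatever java is first in PATH, if there is one.
if command -v java >/dev/null 2>&1; then
    live=$(java -version 2>&1 | head -n 1)
    if jdk6_is_patched "$live"; then
        printf 'OK    installed: %s\n' "$live"
    else
        printf 'CHECK installed: %s\n' "$live"
    fi
fi
```

Run it after step 2 of the solution; the live check only tells you about the java that is first in PATH, so on a host with several JDKs, point it at the one your services actually use (for example by prepending /usr/java/jdk1.6.0_45/bin to PATH before running it). The RMI check is a defence in depth for JDK 6 installs that still lag behind 6u45, not a substitute for the update.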
CVE-2013-2432: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2432
CVE-2013-2433: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2433
CVE-2013-2435: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2435
CVE-2013-2439: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2439
CVE-2013-2440: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2440