java-1.7.0-openjdk-1.7.0.19-2.3.9.1.AXS4
エラータID: AXSA:2013-416:04
以下項目について対処しました。
[Security Fix]
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントは,AWT に関連した要因によって,リモートの攻撃者が任意のコードを実行する脆弱性があります。(CVE-2013-0401)
- Oracle Java の Java Runtime Environment (JRE) コンポーネントには reflection と Library を含む要因によってリモートの攻撃者が任意のコードを実行する脆弱性があります。(CVE-2013-1488)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,JAXP に関連した要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-1518)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,RMI に関連した要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-1537)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,RMI に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-1557)
- Oracle Java SE のJava Runtime Environment (JRE) コンポーネントには,Beans に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-1558)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,2D に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。
なおこの脆弱性は CVE-2013-2383, CVE-2013-2384, CVE-2013-2420 と異なる脆弱性です。(CVE-2013-1569)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。
なおこの脆弱性は CVE-2013-1569, CVE-2013-2384, CVE-2013-2420 と異なる脆弱性です。
(CVE-2013-2383)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,2D に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。
なおこの脆弱性は CVE-2013-1569, CVE-2013-2383, CVE-2013-2420 と異なる脆弱性です。(CVE-2013-2384)
- Oracle Java SE の Java Runtime Environment (JRE) には,JAX-WS に関連する要因によって,ローカルのユーザが機密性に影響を及ぼす詳細不明な脆弱性があります。(CVE-2013-2415)
- Oracle JavaSE の Java Runtime Environment (JRE) コンポーネントには,ネットワーキングに関連する要因によって,リモートの攻撃者が可用性に影響を及ぼす詳細不明な脆弱性があります。(CVE-2013-2417)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,Deployment に関連した要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。
(CVE-2013-2418)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,2D に関連した要因によって,リモートの攻撃者が可用性に影響を及ぼす詳細不明な脆弱性があります。(CVE-2013-2419)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,2D に関連した要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を及ぼす詳細不明な脆弱性があります。なおこの脆弱性は CVE-2013-1569, CVE-2013-2383, CVE-2013-2384 とは異なる脆弱性です。(CVE-2013-2420)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,ライブラリに関連した要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を及ぼす詳細不明な脆弱性があります。(CVE-2013-2422)
- Oracle Java SE の Java Runtime Environment (JRE) には,HotSpot に関連する要因によって,リモートの攻撃者が整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2423)
- Oracle Java SE の Java Runtime Environment (JRE) には,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。
なおこの脆弱性は CVE-2013-1488,CVE-2013-2436 とは異なる脆弱性です。(CVE-2013-2426)
- Oracle Java SE の Java Runtime Environment (JRE) には,ImageIO に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を及ぼす詳細不明な脆弱性があります。(CVE-2013-2429)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,ImageIO に関連した要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える脆弱性があります。(CVE-2013-2430)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し,HotSpot に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える脆弱性があります。(CVE-2013-2431)
- Oracle Java SE の Java Runtime Environment (JRE) には,ライブラリに関連する要因によって,リモートの攻撃者が機密性,機密性,可用性に影響を与える 詳細不明な脆弱性があります。
なおこの脆弱性は CVE-2013-1488 と CVE-2013-2426 とは異なる脆弱性です。
(CVE-2013-2436)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
パッケージをアップデートしてください。
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "missing security restrictions."
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to the default java.rmi.server.useCodebaseOnly setting of false, which allows remote attackers to perform "dynamic class downloading" and execute arbitrary code.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "missing security restrictions" in the LogStream.setDefaultStream method.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "checking of [a] glyph table" in the International Components for Unicode (ICU) Layout Engine before 51.2.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2384, and CVE-2013-2420. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "handling of [a] glyph table" in the International Components for Unicode (ICU) Layout Engine before 51.2.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2383, and CVE-2013-2420. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "font layout" in the International Components for Unicode (ICU) Layout Engine before 51.2.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows local users to affect confidentiality via vectors related to JAX-WS. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "processing of MTOM attachments" and the creation of temporary files with weak permissions.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect availability via unknown vectors related to Networking. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an information leak involving InetAddress serialization. CVE has not investigated the apparent discrepancy between vendor reports regarding the impact of this issue.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "font processing errors" in the International Components for Unicode (ICU) Layout Engine before 51.2.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to insufficient "validation of images" in share/native/sun/awt/image/awt_ImageRep.c, possibly involving offsets.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect MethodHandle lookups, which allows remote attackers to bypass Java sandbox restrictions.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper method-invocation restrictions by the MethodUtil trampoline class, which allows remote attackers to bypass the Java sandbox.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect invocation of the defaultReadObject method in the ConcurrentHashMap class, which allows remote attackers to bypass the Java sandbox.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "JPEGImageWriter state corruption" when using native code, which triggers memory corruption.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; JavaFX 2.2.7 and earlier; and OpenJDK 6 and 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "JPEGImageReader state corruption" when using native code.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to bypassing the Java sandbox using "method handle intrinsic frames."
SRPMS
- java-1.7.0-openjdk-1.7.0.19-2.3.9.1.AXS4.src.rpm
MD5: 12970c15acbfcf73d0c2af46453c7ecf
SHA-256: c8c2d28b5698ef07470ab5a0e8650432778e7809170c9e2e4d29bd8710a07147
Size: 65.05 MB
Asianux Server 4 for x86
- java-1.7.0-openjdk-1.7.0.19-2.3.9.1.AXS4.i686.rpm
MD5: 77f0f18fe2f39a312815b73cc1939600
SHA-256: 911b1213325ac26136240e8b4fc5f1210ad1f39fbe43a580de21a4f2341aebf0
Size: 26.74 MB - java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.AXS4.i686.rpm
MD5: 70378c496281e4aa55a55da39c4bb0ac
SHA-256: 0fc97f5e045376e4acb50e432b79a753cb41c8ada87e79a7c356277a9fe34974
Size: 9.37 MB
Asianux Server 4 for x86_64
- java-1.7.0-openjdk-1.7.0.19-2.3.9.1.AXS4.x86_64.rpm
MD5: 2a7ad252edc23b407c10181b3d6b5632
SHA-256: 249a2ccaf7400a86b7290134dde25f48384b2e59cefc661436e0f978a072abf8
Size: 25.55 MB - java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.AXS4.x86_64.rpm
MD5: 95430dc30b0230ae089ef75ec12399cf
SHA-256: f41d2eb14524a378b0830ed1c780d8958585e103b5e47c2b35f7bb22f28efedf
Size: 9.38 MB