Red Hat has released additional security advisories and updated packages to address multiple unspecified vulnerabilities in Oracle Java.
Oracle Java contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
Java SE 7 Update 7 mitigates a widely reported vulnerability, CVE-2012-4681, as described in IntelliShield Alert 26751. The update also mitigates two remote code execution vulnerabilities that are due to unspecified errors in the affected software. The three vulnerabilities can be exploited only through untrusted Java Web Start applications and untrusted Java applets on client deployments of the affected software. In addition, a security-in-depth issue in the Abstract Window Toolkit (AWT) has also been addressed. Direct exploitation of the AWT security-in-depth issue is not possible; however, the issue can be used to aggravate security vulnerabilities that can be directly attacked.
To exploit these vulnerabilities, an unauthenticated, remote attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link. Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.
Functional code that exploits these vulnerabilities is publicly available as part of the Metasploit Framework and, reports indicate, the Blackhole Exploit Kit.
The following Java products are vulnerable:
Java Development Kit (JDK) and Java Runtime Environment (JRE) versions 7 update 6 and prior
JDK and JRE versions 6 update 34 and prior
Oracle has released a security alert to address these vulnerabilities at the following link: CVE-2012-4681
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
Version 5, October 19, 2012, 7:46 AM: HP has released a security bulletin and updated software to address multiple unspecified vulnerabilities in Oracle Java.
Version 4, September 19, 2012, 12:25 PM: Red Hat has released an additional security advisory and updated packages to address the Oracle Java multiple unspecified vulnerabilities update.
Version 3, September 12, 2012, 1:00 PM: IBM has released a security alert and updated software to address the Oracle Java multiple unspecified vulnerabilities update.
Version 2, September 6, 2012, 6:08 PM: Apple has released a security advisory and updated software to address the Oracle Java multiple unspecified vulnerabilities update.
Version 1, September 4, 2012, 4:41 PM: Oracle has released Java SE 7 Update 7 to address multiple security vulnerabilities in multiple Oracle products.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.