June 2013 Critical Patch Update for Java SE Released

Hello, this is Eric Maurice again.

Oracle today released the June 2013 Critical Patch Update for Java SE.  This Critical Patch Update provides 40 new security fixes.  37 of these vulnerabilities are remotely exploitable without authentication.

34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments.  The highest CVSS Base Score for these client-only fixes is 10.0. 

 4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments.  The most severe of these vulnerabilities has received a CVSS Base Score of 7.5. 

One of the vulnerabilities fixed in this Critical patch Update affects the Java installer and can only be exploited locally. 

Finally, one of the fixes included in this Critical Patch Update affects the Javadoc tool and the documents it creates.  Some HTML pages that were created by any 1.5 or later versions of the Javadoc tool are vulnerable to frame injection.  This means that this vulnerability (CVE-2013-1571, also known as CERT/CC VU#225657) can only be exploited through Javadoc-generated HTML files hosted on a web server.  If exploited, this vulnerability can result in granting a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers.  This vulnerability has received a CVSS Base Score of 4.3.  With the release of this Critical Patch Update, Oracle has fixed the Javadoc tool so that it doesn’t produce vulnerable pages anymore, and additionally produced a utility, the “Java API Documentation Updater Tool,” to fix previously produced (and vulnerable) HTML files.  More information about this vulnerability is available on the CERT/CC web site at http://www.kb.cert.org/vuls/id/225657. 

Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities.  Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way. 

Desktop users can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version.  As a reminder, security fixes delivered through the Critical Patch Update for Java SE are cumulative: in other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.

For More Information:

The Advisory for the June 2013 Critical Patch Update for Java is located at http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html