CVE-2013-1493 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:C/I:C/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
oracle	jre	𝑥 ≤ 1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	1.7.0
oracle	jre	𝑥 ≤ 1.5.0
oracle	jre	1.5.0
oracle	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
sun	jre	1.5.0
oracle	jdk	𝑥 ≤ 1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
oracle	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
sun	jdk	1.6.0
oracle	jre	𝑥 ≤ 1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
oracle	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
sun	jre	1.6.0
oracle	jdk	𝑥 ≤ 1.5.0
oracle	jdk	1.5.0
oracle	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
sun	jdk	1.5.0
oracle	jdk	𝑥 ≤ 1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0
oracle	jdk	1.7.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

openjdk-6

hardy	Fixed 6b27-1.12.3-0ubuntu1~8.04.2 released
lucid	Fixed 6b27-1.12.3-0ubuntu1~10.04.1 released
oneiric	Fixed 6b27-1.12.3-0ubuntu1~11.10.1 released
precise	Fixed 6b27-1.12.3-0ubuntu1~12.04.1 released
quantal	Fixed 6b27-1.12.3-0ubuntu1~12.10.1 released

openjdk-6b18

hardy	dne
lucid	ignored
oneiric	ignored
precise	dne
quantal	dne

openjdk-7

hardy	dne
lucid	dne
oneiric	Fixed 7u15-2.3.7-0ubuntu1~11.10.1 released
precise	Fixed 7u15-2.3.7-0ubuntu1~12.04.1 released
quantal	Fixed 7u15-2.3.7-0ubuntu1~12.10.1 released

openSUSE / SLES Releases

openSUSE Product

Release

java-1_7_0-openjdk

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-demo

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-devel

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-headless

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

java-1.5.0-ibm

RHEL 6

1:1.5.0.16.0-1jpp.1.el6_4

fixed

java-1.5.0-ibm-demo

RHEL 6

1:1.5.0.16.0-1jpp.1.el6_4

fixed

java-1.5.0-ibm-devel

RHEL 6

1:1.5.0.16.0-1jpp.1.el6_4

fixed

java-1.5.0-ibm-javacomm

RHEL 6

1:1.5.0.16.0-1jpp.1.el6_4

fixed

java-1.5.0-ibm-jdbc

RHEL 6

1:1.5.0.16.0-1jpp.1.el6_4

fixed

java-1.5.0-ibm-plugin

RHEL 6

1:1.5.0.16.0-1jpp.1.el6_4

fixed

java-1.5.0-ibm-src

RHEL 6

1:1.5.0.16.0-1jpp.1.el6_4

fixed

java-1.6.0-ibm

RHEL 6

1:1.6.0.13.0-1jpp.3.el6_4

fixed

java-1.6.0-ibm-demo

RHEL 6

1:1.6.0.13.0-1jpp.3.el6_4

fixed

java-1.6.0-ibm-devel

RHEL 6

1:1.6.0.13.0-1jpp.3.el6_4

fixed

java-1.6.0-ibm-javacomm

RHEL 6

1:1.6.0.13.0-1jpp.3.el6_4

fixed

java-1.6.0-ibm-jdbc

RHEL 6

1:1.6.0.13.0-1jpp.3.el6_4

fixed

java-1.6.0-ibm-plugin

RHEL 6

1:1.6.0.13.0-1jpp.3.el6_4

fixed

java-1.6.0-ibm-src

RHEL 6

1:1.6.0.13.0-1jpp.3.el6_4

fixed

java-1.6.0-openjdk

RHEL 6

1:1.6.0.0-1.57.1.11.9.el6_4

fixed

java-1.6.0-openjdk-demo

RHEL 6

1:1.6.0.0-1.57.1.11.9.el6_4

fixed

java-1.6.0-openjdk-devel

RHEL 6

1:1.6.0.0-1.57.1.11.9.el6_4

fixed

java-1.6.0-openjdk-javadoc

RHEL 6

1:1.6.0.0-1.57.1.11.9.el6_4

fixed

java-1.6.0-openjdk-src

RHEL 6

1:1.6.0.0-1.57.1.11.9.el6_4

fixed

java-1.6.0-sun

RHEL 6

1:1.6.0.43-1jpp.1.el6_4

fixed

java-1.6.0-sun-demo

RHEL 6

1:1.6.0.43-1jpp.1.el6_4

fixed

java-1.6.0-sun-devel

RHEL 6

1:1.6.0.43-1jpp.1.el6_4

fixed

java-1.6.0-sun-jdbc

RHEL 6

1:1.6.0.43-1jpp.1.el6_4

fixed

java-1.6.0-sun-plugin

RHEL 6

1:1.6.0.43-1jpp.1.el6_4

fixed

java-1.6.0-sun-src

RHEL 6

1:1.6.0.43-1jpp.1.el6_4

fixed

java-1.7.0-ibm

RHEL 6

1:1.7.0.4.0-1jpp.2.el6_4

fixed

java-1.7.0-ibm-demo

RHEL 6

1:1.7.0.4.0-1jpp.2.el6_4

fixed

java-1.7.0-ibm-devel

RHEL 6

1:1.7.0.4.0-1jpp.2.el6_4

fixed

java-1.7.0-ibm-jdbc

RHEL 6

1:1.7.0.4.0-1jpp.2.el6_4

fixed

java-1.7.0-ibm-plugin

RHEL 6

1:1.7.0.4.0-1jpp.2.el6_4

fixed

java-1.7.0-ibm-src

RHEL 6

1:1.7.0.4.0-1jpp.2.el6_4

fixed

java-1.7.0-openjdk

RHEL 6

1:1.7.0.9-2.3.8.0.el6_4

fixed

java-1.7.0-openjdk-demo

RHEL 6

1:1.7.0.9-2.3.8.0.el6_4

fixed

java-1.7.0-openjdk-devel

RHEL 6

1:1.7.0.9-2.3.8.0.el6_4

fixed

java-1.7.0-openjdk-javadoc

RHEL 6

1:1.7.0.9-2.3.8.0.el6_4

fixed

java-1.7.0-openjdk-src

RHEL 6

1:1.7.0.9-2.3.8.0.el6_4

fixed

java-1.7.0-oracle

RHEL 6

1:1.7.0.17-1jpp.1.el6_4

fixed

java-1.7.0-oracle-devel

RHEL 6

1:1.7.0.17-1jpp.1.el6_4

fixed

java-1.7.0-oracle-javafx

RHEL 6

1:1.7.0.17-1jpp.1.el6_4

fixed

java-1.7.0-oracle-jdbc

RHEL 6

1:1.7.0.17-1jpp.1.el6_4

fixed

java-1.7.0-oracle-plugin

RHEL 6

1:1.7.0.17-1jpp.1.el6_4

fixed

java-1.7.0-oracle-src

RHEL 6

1:1.7.0.17-1jpp.1.el6_4

fixed

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html

http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04117626-1

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html

http://marc.info/?l=bugtraq&m=136439120408139&w=2

http://marc.info/?l=bugtraq&m=136570436423916&w=2

http://rhn.redhat.com/errata/RHSA-2013-0601.html

http://rhn.redhat.com/errata/RHSA-2013-0603.html

http://rhn.redhat.com/errata/RHSA-2013-0604.html

http://rhn.redhat.com/errata/RHSA-2013-1455.html

http://rhn.redhat.com/errata/RHSA-2013-1456.html

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://www.exploit-db.com/exploits/24904

http://www.kb.cert.org/vuls/id/688246

http://www.mandriva.com/security/advisories?name=MDVSA-2013:095

http://www.oracle.com/ocom/groups/public/%40otn/documents/webcontent/1915099.xml

http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

http://www.securityfocus.com/bid/58238

http://www.securitytracker.com/id/1029803

http://www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-incident

http://www.ubuntu.com/usn/USN-1755-2

http://www.us-cert.gov/ncas/alerts/TA13-064A

https://bugzilla.redhat.com/show_bug.cgi?id=917553

https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19246

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19477

https://twitter.com/jduck1337/status/307629902574800897

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0088

http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html

http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04117626-1

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html

http://marc.info/?l=bugtraq&m=136439120408139&w=2

http://marc.info/?l=bugtraq&m=136570436423916&w=2

http://rhn.redhat.com/errata/RHSA-2013-0601.html

http://rhn.redhat.com/errata/RHSA-2013-0603.html

http://rhn.redhat.com/errata/RHSA-2013-0604.html

http://rhn.redhat.com/errata/RHSA-2013-1455.html

http://rhn.redhat.com/errata/RHSA-2013-1456.html

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://www.exploit-db.com/exploits/24904

http://www.kb.cert.org/vuls/id/688246

http://www.mandriva.com/security/advisories?name=MDVSA-2013:095

http://www.oracle.com/ocom/groups/public/%40otn/documents/webcontent/1915099.xml

http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

http://www.securityfocus.com/bid/58238

http://www.securitytracker.com/id/1029803

http://www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-incident

http://www.ubuntu.com/usn/USN-1755-2

http://www.us-cert.gov/ncas/alerts/TA13-064A

https://bugzilla.redhat.com/show_bug.cgi?id=917553

https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19246

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19477

https://twitter.com/jduck1337/status/307629902574800897

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0088