CVE-2014-0373

15.01.2014, 16:08

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability.  NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to throwing of an incorrect exception when SnmpStatusException should have been used in the SNMP implementation, which allows attackers to escape the sandbox.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Score

CVSS 3.x

EPSS Score

Percentile: 87%

Affected Products (NVD)

Vendor	Product	Version
oracle	jre	1.7.0
oracle	jdk	1.5.0
oracle	jre	1.5.0
oracle	jdk	1.6.0
oracle	jre	1.6.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

openjdk-6

lucid	Fixed 6b30-1.13.1-1ubuntu2~0.10.04.1 released
precise	Fixed 6b30-1.13.1-1ubuntu2~0.12.04.1 released
quantal	Fixed 6b30-1.13.1-1ubuntu2~0.12.10.1 released
raring	ignored
saucy	Fixed 6b30-1.13.1-1ubuntu2~0.13.10.1 released

openjdk-7

lucid	dne
precise	Fixed 7u51-2.4.4-0ubuntu0.12.04.2 released
quantal	Fixed 7u51-2.4.4-0ubuntu0.12.10.2 released
raring	Fixed 7u51-2.4.4-0ubuntu0.13.04.2 released
saucy	Fixed 7u51-2.4.4-0ubuntu0.13.10.1 released

openSUSE / SLES Releases

openSUSE Product

Release

java-1_7_0-openjdk

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-demo

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-devel

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-headless

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

java-1.5.0-ibm

RHEL 6

1:1.5.0.16.5-1jpp.1.el6_5

fixed

java-1.5.0-ibm-demo

RHEL 6

1:1.5.0.16.5-1jpp.1.el6_5

fixed

java-1.5.0-ibm-devel

RHEL 6

1:1.5.0.16.5-1jpp.1.el6_5

fixed

java-1.5.0-ibm-javacomm

RHEL 6

1:1.5.0.16.5-1jpp.1.el6_5

fixed

java-1.5.0-ibm-jdbc

RHEL 6

1:1.5.0.16.5-1jpp.1.el6_5

fixed

java-1.5.0-ibm-plugin

RHEL 6

1:1.5.0.16.5-1jpp.1.el6_5

fixed

java-1.5.0-ibm-src

RHEL 6

1:1.5.0.16.5-1jpp.1.el6_5

fixed

java-1.6.0-ibm

RHEL 6

1:1.6.0.15.1-1jpp.1.el6_5

fixed

java-1.6.0-ibm-demo

RHEL 6

1:1.6.0.15.1-1jpp.1.el6_5

fixed

java-1.6.0-ibm-devel

RHEL 6

1:1.6.0.15.1-1jpp.1.el6_5

fixed

java-1.6.0-ibm-javacomm

RHEL 6

1:1.6.0.15.1-1jpp.1.el6_5

fixed

java-1.6.0-ibm-jdbc

RHEL 6

1:1.6.0.15.1-1jpp.1.el6_5

fixed

java-1.6.0-ibm-plugin

RHEL 6

1:1.6.0.15.1-1jpp.1.el6_5

fixed

java-1.6.0-ibm-src

RHEL 6

1:1.6.0.15.1-1jpp.1.el6_5

fixed

java-1.6.0-openjdk

RHEL 6

1:1.6.0.0-3.1.13.1.el6_5

fixed

java-1.6.0-openjdk-demo

RHEL 6

1:1.6.0.0-3.1.13.1.el6_5

fixed

java-1.6.0-openjdk-devel

RHEL 6

1:1.6.0.0-3.1.13.1.el6_5

fixed

java-1.6.0-openjdk-javadoc

RHEL 6

1:1.6.0.0-3.1.13.1.el6_5

fixed

java-1.6.0-openjdk-src

RHEL 6

1:1.6.0.0-3.1.13.1.el6_5

fixed

java-1.7.0-ibm

RHEL 6

1:1.7.0.6.1-1jpp.1.el6_5

fixed

java-1.7.0-ibm-demo

RHEL 6

1:1.7.0.6.1-1jpp.1.el6_5

fixed

java-1.7.0-ibm-devel

RHEL 6

1:1.7.0.6.1-1jpp.1.el6_5

fixed

java-1.7.0-ibm-jdbc

RHEL 6

1:1.7.0.6.1-1jpp.1.el6_5

fixed

java-1.7.0-ibm-plugin

RHEL 6

1:1.7.0.6.1-1jpp.1.el6_5

fixed

java-1.7.0-ibm-src

RHEL 6

1:1.7.0.6.1-1jpp.1.el6_5

fixed

java-1.7.0-openjdk

RHEL 6

1:1.7.0.51-2.4.4.1.el6_5

fixed

java-1.7.0-openjdk-demo

RHEL 6

1:1.7.0.51-2.4.4.1.el6_5

fixed

java-1.7.0-openjdk-devel

RHEL 6

1:1.7.0.51-2.4.4.1.el6_5

fixed

java-1.7.0-openjdk-javadoc

RHEL 6

1:1.7.0.51-2.4.4.1.el6_5

fixed

java-1.7.0-openjdk-src

RHEL 6

1:1.7.0.51-2.4.4.1.el6_5

fixed

java-1.7.0-oracle

RHEL 6

1:1.7.0.51-1jpp.1.el6_5

fixed

java-1.7.0-oracle-devel

RHEL 6

1:1.7.0.51-1jpp.1.el6_5

fixed

java-1.7.0-oracle-javafx

RHEL 6

1:1.7.0.51-1jpp.1.el6_5

fixed

java-1.7.0-oracle-jdbc

RHEL 6

1:1.7.0.51-1jpp.1.el6_5

fixed

java-1.7.0-oracle-plugin

RHEL 6

1:1.7.0.51-1jpp.1.el6_5

fixed

java-1.7.0-oracle-src

RHEL 6

1:1.7.0.51-1jpp.1.el6_5

fixed

java-1.7.1-ibm

RHEL 7

1:1.7.1.1.0-1jpp.2.el7_0

fixed

java-1.7.1-ibm-demo

RHEL 7

1:1.7.1.1.0-1jpp.2.el7_0

fixed

java-1.7.1-ibm-devel

RHEL 7

1:1.7.1.1.0-1jpp.2.el7_0

fixed

java-1.7.1-ibm-jdbc

RHEL 7

1:1.7.1.1.0-1jpp.2.el7_0

fixed

java-1.7.1-ibm-plugin

RHEL 7

1:1.7.1.1.0-1jpp.2.el7_0

fixed

java-1.7.1-ibm-src

RHEL 7

1:1.7.1.1.0-1jpp.2.el7_0

fixed

References

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/496c51673dec

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html

http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html

http://marc.info/?l=bugtraq&m=139402697611681&w=2

http://marc.info/?l=bugtraq&m=139402749111889&w=2

http://rhn.redhat.com/errata/RHSA-2014-0026.html

http://rhn.redhat.com/errata/RHSA-2014-0027.html

http://rhn.redhat.com/errata/RHSA-2014-0030.html

http://rhn.redhat.com/errata/RHSA-2014-0097.html

http://rhn.redhat.com/errata/RHSA-2014-0134.html

http://rhn.redhat.com/errata/RHSA-2014-0135.html

http://rhn.redhat.com/errata/RHSA-2014-0136.html

http://secunia.com/advisories/56432

http://secunia.com/advisories/56485

http://secunia.com/advisories/56535

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

http://www.securityfocus.com/bid/64758

http://www.securityfocus.com/bid/64922

http://www.securitytracker.com/id/1029608

http://www.ubuntu.com/usn/USN-2089-1

http://www.ubuntu.com/usn/USN-2124-1

https://access.redhat.com/errata/RHSA-2014:0414

https://bugzilla.redhat.com/show_bug.cgi?id=1051699

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/496c51673dec

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html

http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html

http://marc.info/?l=bugtraq&m=139402697611681&w=2

http://marc.info/?l=bugtraq&m=139402749111889&w=2

http://rhn.redhat.com/errata/RHSA-2014-0026.html

http://rhn.redhat.com/errata/RHSA-2014-0027.html

http://rhn.redhat.com/errata/RHSA-2014-0030.html

http://rhn.redhat.com/errata/RHSA-2014-0097.html

http://rhn.redhat.com/errata/RHSA-2014-0134.html

http://rhn.redhat.com/errata/RHSA-2014-0135.html

http://rhn.redhat.com/errata/RHSA-2014-0136.html

http://secunia.com/advisories/56432

http://secunia.com/advisories/56485

http://secunia.com/advisories/56535

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

http://www.securityfocus.com/bid/64758

http://www.securityfocus.com/bid/64922

http://www.securitytracker.com/id/1029608

http://www.ubuntu.com/usn/USN-2089-1

http://www.ubuntu.com/usn/USN-2124-1

https://access.redhat.com/errata/RHSA-2014:0414

https://bugzilla.redhat.com/show_bug.cgi?id=1051699

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777