CVE-2014-0423

15.01.2014, 16:08

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote authenticated users to affect confidentiality and availability via unknown vectors related to Beans.  NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that this issue is an XML External Entity (XXE) vulnerability in DocumentHandler.java, related to Beans decoding.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:S/C:P/I:N/A:P
oracle	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 74%

Vendor	Product	Version
oracle	jrockit	r27.7.7
oracle	jrockit	r28.2.9
oracle	jre	1.7.0
oracle	jdk	1.6.0
oracle	jre	1.6.0
oracle	jdk	1.5.0
oracle	jre	1.5.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

openjdk-6

saucy	Fixed 6b30-1.13.1-1ubuntu2~0.13.10.1 released
raring	ignored
quantal	Fixed 6b30-1.13.1-1ubuntu2~0.12.10.1 released
precise	Fixed 6b30-1.13.1-1ubuntu2~0.12.04.1 released
lucid	Fixed 6b30-1.13.1-1ubuntu2~0.10.04.1 released

openjdk-7

saucy	Fixed 7u51-2.4.4-0ubuntu0.13.10.1 released
raring	Fixed 7u51-2.4.4-0ubuntu0.13.04.2 released
quantal	Fixed 7u51-2.4.4-0ubuntu0.12.10.2 released
precise	Fixed 7u51-2.4.4-0ubuntu0.12.04.2 released
lucid	dne

References

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/995b32f013f5

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html

http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html

http://marc.info/?l=bugtraq&m=139402697611681&w=2

http://marc.info/?l=bugtraq&m=139402697611681&w=2

http://marc.info/?l=bugtraq&m=139402749111889&w=2

http://marc.info/?l=bugtraq&m=139402749111889&w=2

http://rhn.redhat.com/errata/RHSA-2014-0026.html

http://rhn.redhat.com/errata/RHSA-2014-0027.html

http://rhn.redhat.com/errata/RHSA-2014-0030.html

http://rhn.redhat.com/errata/RHSA-2014-0097.html

http://rhn.redhat.com/errata/RHSA-2014-0134.html

http://rhn.redhat.com/errata/RHSA-2014-0135.html

http://rhn.redhat.com/errata/RHSA-2014-0136.html

http://secunia.com/advisories/56432

http://secunia.com/advisories/56485

http://secunia.com/advisories/56486

http://secunia.com/advisories/56487

http://secunia.com/advisories/56535

http://secunia.com/advisories/59283

http://secunia.com/advisories/60568

http://www-01.ibm.com/support/docview.wss?uid=swg21677388

http://www-01.ibm.com/support/docview.wss?uid=swg21679287

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

http://www.securityfocus.com/bid/64758

http://www.securityfocus.com/bid/64914

http://www.securitytracker.com/id/1029608

http://www.ubuntu.com/usn/USN-2089-1

http://www.ubuntu.com/usn/USN-2124-1

https://access.redhat.com/errata/RHSA-2014:0414

https://bugzilla.redhat.com/show_bug.cgi?id=1053066

https://exchange.xforce.ibmcloud.com/vulnerabilities/90340

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/995b32f013f5

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html

http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html

http://marc.info/?l=bugtraq&m=139402697611681&w=2

http://marc.info/?l=bugtraq&m=139402697611681&w=2

http://marc.info/?l=bugtraq&m=139402749111889&w=2

http://marc.info/?l=bugtraq&m=139402749111889&w=2

http://rhn.redhat.com/errata/RHSA-2014-0026.html

http://rhn.redhat.com/errata/RHSA-2014-0027.html

http://rhn.redhat.com/errata/RHSA-2014-0030.html

http://rhn.redhat.com/errata/RHSA-2014-0097.html

http://rhn.redhat.com/errata/RHSA-2014-0134.html

http://rhn.redhat.com/errata/RHSA-2014-0135.html

http://rhn.redhat.com/errata/RHSA-2014-0136.html

http://secunia.com/advisories/56432

http://secunia.com/advisories/56485

http://secunia.com/advisories/56486

http://secunia.com/advisories/56487

http://secunia.com/advisories/56535

http://secunia.com/advisories/59283

http://secunia.com/advisories/60568

http://www-01.ibm.com/support/docview.wss?uid=swg21677388

http://www-01.ibm.com/support/docview.wss?uid=swg21679287

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

http://www.securityfocus.com/bid/64758

http://www.securityfocus.com/bid/64914

http://www.securitytracker.com/id/1029608

http://www.ubuntu.com/usn/USN-2089-1

http://www.ubuntu.com/usn/USN-2124-1

https://access.redhat.com/errata/RHSA-2014:0414

https://bugzilla.redhat.com/show_bug.cgi?id=1053066

https://exchange.xforce.ibmcloud.com/vulnerabilities/90340

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777