Oracle Java Critical Patch Update (April 2013)

Original Release Date: June 18, 2013
Last Revised: March 6, 2014
Number: ASA-2013-309
Risk Level: Medium
Advisory Version: 3.0
Advisory Status: Interim

1. Overview:

New Java Critical Patch Updates or Security Alerts have been issued by Oracle on Oracle's Critical Patch Updates and Security Alerts website. Specific updates or alerts pertaining to this advisory are described below. The Oracle Advisory covering content outlined in this Avaya Security Advisory may be found in Oracle Java SE Critical Patch Update Advisory - April 2013 and contains the following security issues.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2383 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2384 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1569 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before and JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2434 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2432 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2420 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1491 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Beans). Supported versions that are affected are 7 Update 17 and before and 6 Update 43 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1558 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 17 and before and 6 Update 43 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2440 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 17 and before and 6 Update 43 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2435 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: HotSpot). Supported versions that are affected are 7 Update 17 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2431 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Install). Supported versions that are affected are 7 Update 17 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2425 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1518 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are 7 Update 17 and before and JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2414 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are 7 Update 17 and before and JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2428 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are 7 Update 17 and before and JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2427 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 17 and before and 6 Update 43 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2422 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through untrusted Java Web Start applications and untrusted Java applets. It can also be exploited by supplying data to APIs in the specified Component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1537 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1557 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: HotSpot). Supported versions that are affected are 7 Update 17 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2421 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are 7 Update 17 and before and JavaFX 2.2.7 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0402 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 17 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2426 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 17 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2436 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 17 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1488 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2394 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2430 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2429 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Install). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and JavaFX 2.2.7 and before. Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1563 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Install). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before, 5.0 Update 41 and before and JavaFX 2.2.7 and before. Difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2439 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-0401 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java Runtime Environment. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2419 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2424 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are 7 Update 17 and before and JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1561 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are 7 Update 17 and before and JavaFX 2.2.7 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1564 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are 7 Update 17 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2438 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are 7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java Runtime Environment. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2417 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 17 and before and 6 Update 43 and before. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through launching executables using the Java launcher. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2418 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 17 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2416 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 17 and before and 6 Update 43 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.) The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2433 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 17 and before and 6 Update 43 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.) The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1540 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are 7 Update 17 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data. Note: Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.) The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2423 to this issue.

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are 7 Update 17 and before. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data. Note: Applies to client and server deployment of Java. This issue cannot be exploited by untrusted applets and Java Web Start applications. Local access is required to leverage this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-2415 to this issue.
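As an added illustration, not part of Avaya's or Oracle's advisory text, the following Python script turns the affected-version statements above into an inventory check: it parses the banner that `java -version` prints and reports which of the CVEs described in this section apply to that JRE. The threshold table (7 Update 17, 6 Update 43, 5.0 Update 41) and the CVE-to-family mapping are taken from the descriptions above; the sample banners are constructed, and the script assumes the pre-Java 9 version string form 1.<family>.0_<update> that Java 5, 6 and 7 use.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Highest affected update level per Java family, as stated in the advisory
# ("7 Update 17 and before, 6 Update 43 and before and 5.0 Update 41 and before").
LAST_AFFECTED_UPDATE: Dict[int, int] = {7: 17, 6: 43, 5: 41}

# The CVEs described in this section and the Java families each description
# names as affected.
CVE_FAMILIES: Dict[str, Tuple[int, ...]] = {
    "CVE-2013-2417": (7, 6, 5),  # Networking, partial DoS
    "CVE-2013-2418": (7, 6),     # Deployment, requires OS logon
    "CVE-2013-2416": (7,),       # Deployment
    "CVE-2013-2433": (7, 6),     # Deployment
    "CVE-2013-1540": (7, 6),     # Deployment
    "CVE-2013-2423": (7,),       # Hotspot
    "CVE-2013-2415": (7,),       # JAX-WS, local access required
}

# Java 5/6/7 banners look like: java version "1.7.0_17". Java 9 and later use
# a different scheme (e.g. "11.0.2"), are outside this advisory, and therefore
# do not match; the caller sees None for them.
_BANNER_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from `java -version` output, or None if the
    banner is not in the 1.<family>.0_<update> form."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # no suffix means update 0
    return family, update


def is_affected(family: int, update: int) -> bool:
    """True when the family/update pair lies inside the advisory's affected range."""
    last = LAST_AFFECTED_UPDATE.get(family)
    return last is not None and update <= last


def applicable_cves(banner: str) -> List[str]:
    """CVEs from this section that apply to the JRE described by `banner`."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return []
    family, update = parsed
    if not is_affected(family, update):
        return []
    return sorted(cve for cve, families in CVE_FAMILIES.items() if family in families)


def local_java_banner() -> str:
    """Run the installed `java -version`; it writes the banner to stderr, not stdout."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


# Constructed sample banners (not captured from any real host).
SAMPLE_7U17 = 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)\n'
SAMPLE_6U43 = 'java version "1.6.0_43"\nJava(TM) SE Runtime Environment (build 1.6.0_43-b01)\n'
SAMPLE_5U41 = 'java version "1.5.0_41"\n'
SAMPLE_7U21 = 'java version "1.7.0_21"\n'  # above the advisory's affected range

if __name__ == "__main__":
    for name, banner in [("7u17", SAMPLE_7U17), ("6u43", SAMPLE_6U43),
                         ("5u41", SAMPLE_5U41), ("7u21", SAMPLE_7U21)]:
        print(name, parse_java_version(banner), applicable_cves(banner))
```

On a real host, feed `local_java_banner()` to `applicable_cves()`; an empty list means either the JRE is above the affected range or the banner format was not recognised, so check `parse_java_version()` separately before treating a host as clean.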

2. Avaya System Products using affected versions of Java:

Some Avaya system products are delivered with the Java Standard Edition (SE) platform. Actions to be taken on these products are described below.

Avaya Aura® Application Enablement Services
  Affected Version(s): 5.x, 6.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Aura® Application Server 5300:
  • SIP Core
  Affected Version(s): 2.0, 3.0 without SP6
  Risk Level: Low
  Actions: For 2.0 upgrade to 3.0 and install Service Pack 6 or later. For 3.0 install Service Pack 6 or later.

Avaya CMS
  Affected Version(s): R15, R16, R16.x, R17
  Risk Level: Low
  Actions: For R16.x and earlier upgrade to R16eg.h or later. For R17 upgrade to R17fb.m or later.

Avaya Aura® Communication Manager
  Affected Version(s): 5.2.1
  Risk Level: Low
  Actions: Upgrade to 6.0 or later.

Avaya Communication Server 1000:
  • CS1000E
  • CS1000M
  • CS1000E/CS1000M Signaling Server
  Affected Version(s): 6.x, 7.x
  Risk Level: Low
  Actions: See recommended actions and mitigating factors table below. This advisory will not be addressed as no further releases are planned.

Avaya Aura® Conferencing
  Affected Version(s): 7.0
  Risk Level: Medium
  Actions: Upgrade to 7.2 or later.

Avaya Aura® Conferencing Standard Edition
  Affected Version(s): 6.x
  Risk Level: Low
  Actions: See recommended actions and mitigating factors table below. This advisory will not be addressed as no further releases are planned. It is recommended that customers consider migrating to Avaya Aura® Conferencing 7.0 or later.

Avaya Aura® Experience Portal
  Affected Version(s): 6.x
  Risk Level: Low
  Actions: Upgrade to 7.0 or later.

Avaya IP Office Server Edition
  Affected Version(s): 8.1, 9.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya IP Office Application Server
  Affected Version(s): 8.x, 9.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya IR
  Affected Version(s): 4.x
  Risk Level: Low
  Actions: See recommended actions and mitigating factors table below. This advisory will not be addressed as no further releases are planned. It is recommended that customers migrate to Avaya Aura® Experience Portal. Please contact your Avaya representative for information on the migration and ordering process.

Avaya Meeting Exchange
  Affected Version(s): 5.x, 6.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Message Networking
  Affected Version(s): 5.2.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Aura® Messaging
  Affected Version(s): 6.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Messaging Application Server
  Affected Version(s): 5.2.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Message Storage Server
  Affected Version(s): 5.2.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Aura® Presence Services
  Affected Version(s): 6.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Proactive Contact
  Affected Version(s): 4.x, 5.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Aura® Session Manager
  Affected Version(s): 1.1, 5.x, 6.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Aura® SIP Enablement Services
  Affected Version(s): 5.x
  Risk Level: Low
  Actions: See recommended actions and mitigating factors table below. This advisory will not be addressed as no further releases are planned.

Avaya Aura® System Manager
  Affected Version(s): 5.x, 6.x
  Risk Level: Low
  Actions: This issue will be addressed in accordance with section five of Avaya's Product Security Vulnerability Response Policy.

Avaya Voice Portal
  Affected Version(s): 5.x
  Risk Level: Low
  Actions: See recommended actions and mitigating factors table below. This advisory will not be addressed as there will be no further releases. It is recommended to upgrade to Avaya Aura® Experience Portal.

Recommended Actions:
Avaya strongly recommends following networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, the risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:

Vulnerabilities: CVE-2013-1537, CVE-2013-1557
Mitigating Factors: These are rated a medium risk for Conferencing because of the potential to execute arbitrary code. They are a low risk for all other listed products as connections to applications using RMI are not allowed by default.

Vulnerabilities: CVE-2013-2415
Mitigating Factors: This is rated a low risk for all products as JAX-WS is not used by default.

Vulnerabilities: CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1540, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440
Mitigating Factors: These are rated a low risk for all products as untrusted Java applications are not allowed to execute by default, or would require local user access and would not provide additional capability.

3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.

In the case of this advisory, Avaya software-only products are not affected by the vulnerability directly but the underlying platform may be. Customers should determine on which operating system the product was installed and then follow that vendor's guidance.

Secure Access Link Gateway
  Actions: Depending on the Operating System provided by customers, the affected version of Java may be installed on the underlying Operating System supporting the Secure Access Link Gateway.

4. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

6. Revision History:

V 1.0 - June 18, 2013 - Initial Statement issued.
V 2.0 - June 19, 2013 - No change, increment version and republish only.
V 3.0 - March 6, 2014 - Updated CMS, Conferencing, EP, IR and VP actions, and IPO and IPOAS affected versions.

Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.

© 2013 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.