By Eric P. Maurice-Oracle on Feb 19, 2013
Hi, this is Eric Maurice.
Oracle today released the updated February 2013 Critical Patch Update for Java SE. As discussed in a previous blog entry, the purpose of this update is to deliver 5 additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th. Note that since Critical Patch Updates for Java SE are cumulative, this Critical Patch Update release also includes all previously-released Java SE security fixes.
All but one of the vulnerabilities fixed today apply to client deployment of Java. This means that these 4 vulnerabilities can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers. Three of these vulnerabilities received a CVSS Base Score of 10.0. As I stated before, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running the malicious Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System.
The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE). This fix is for a vulnerability commonly referred as the “Lucky Thirteen” vulnerability in SSL/TLS (CVE-2013-0169). This vulnerability has received a CVSS Base Score of 4.3.
Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible. IT professionals should refer to the advisory located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html and desktop users can install this new version from java.com or through the Java autoupdate.
Finally, note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers. As a result, we will be issuing a Critical Patch Update for Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products. The next scheduled release dates for the Critical Patch Update for Java SE are therefore: April 16, 2013; June 18, 2013; October 15, 2013; and January 14, 2014.
For More Information:
The Advisory for the updated February 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
The advisory for the February 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html