From: CERT-EU
Sent: Thursday 16 February 2012 11:33
Cc: CERT-EU
Subject: Oracle Java SE Critical Patch Update (CERT-EU Security Advisory 2012-0018)

Reference: CERT-EU Security Advisory 2012-0018
Title: Oracle Java SE Critical Patch Update [1]
Version history: 16.02.2012 Initial publication

Summary
=======

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative, and each advisory describes only the security fixes added since the previous Critical Patch Update. Prior Critical Patch Update advisories should therefore be reviewed for information on earlier accumulated security fixes. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.

This Critical Patch Update contains 14 new security fixes across Java SE products. The vulnerabilities fixed by this Critical Patch Update are: CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0508, CVE-2012-0504, CVE-2011-3571, CVE-2012-0503, CVE-2012-0505, CVE-2012-0502, CVE-2011-3563, CVE-2011-5035, CVE-2012-0501, CVE-2012-0506.

The most critical are: CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0508.

CVSS Base Score (of the most critical ones)
CVSS v2 Base Score: 10.0 (CRITICAL) (AV:N/AC:L/Au:N/C:C/I:C/A:C) [2]

Affected Versions
=================

Versions                                  Product
JDK and JRE 7 Update 2 and earlier        Java SE
JDK and JRE 6 Update 30 and earlier       Java SE
JDK and JRE 5.0 Update 33 and earlier     Java SE
SDK and JRE 1.4.2_35 and earlier          Java SE
JavaFX 2.0.2 and earlier                  JavaFX

What can you do?
================

Deploy the updated versions of the software [1].

What to tell your users?
========================

Normal security best practices apply.
In particular, inform your Web users to be cautious about following links to sites provided by unfamiliar or suspicious sources. Users should be aware not to click on links in suspicious emails, and should immediately forward any suspicious email to the respective IT security officer / contact in your institution. Run your applications with a non-privileged account.

More information
================

[1] Oracle: http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion and are not yet fully functional. Announcements, alerts and warnings are sent out on a best-effort basis, and to the contact information currently known to us. We apologise if you are not the correct recipient, or if you have already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
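To check whether an installed runtime falls inside the ranges listed under "Affected Versions", the following Python script (an added example, not part of the CERT-EU advisory or of Oracle's tooling) parses `java -version` output and compares the update number against the advisory's thresholds; the per-host sample outputs are constructed, and JavaFX is not covered.

```python
import re

# Affected ranges from CERT-EU Security Advisory 2012-0018: a runtime in one of
# these families is affected when its update number is at or below the value.
# Keys are (major, minor, micro) as they appear in the Java version string.
AFFECTED_MAX_UPDATE = {
    (1, 7, 0): 2,   # JDK and JRE 7 Update 2 and earlier
    (1, 6, 0): 30,  # JDK and JRE 6 Update 30 and earlier
    (1, 5, 0): 33,  # JDK and JRE 5.0 Update 33 and earlier
    (1, 4, 2): 35,  # SDK and JRE 1.4.2_35 and earlier
}

# Matches the first line of `java -version`, e.g. java version "1.6.0_30".
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` output, or
    None when no recognisable version line is present. A release with no
    update suffix (e.g. "1.7.0") is treated as update 0."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def is_affected(output):
    """True if the runtime is in an affected range, False if it is a later
    update of a listed family, None if unparseable or an unlisted family."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed[:3], parsed[3]
    if family not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[family]


# Constructed sample outputs, as an inventory job might collect them per host.
SAMPLE_OUTPUTS = {
    "host-a": 'java version "1.7.0_02"\nJava(TM) SE Runtime Environment (build 1.7.0_02-b13)',
    "host-b": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b04)',
    "host-c": 'java version "1.4.2_35"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_35-b01)',
    "host-d": "bash: java: command not found",
}


def affected_hosts(outputs=SAMPLE_OUTPUTS):
    """Names of hosts whose runtime still needs the Critical Patch Update."""
    return sorted(h for h, out in outputs.items() if is_affected(out))
```

Hosts for which the version cannot be parsed are reported as unknown rather than as clean, so they still need a manual check.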