Vulnerabilities > CVE-2013-1474 - JavaFX Remote Security vulnerability in Oracle Java SE
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU. Per http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html "Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.)"
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 12 |
Nessus
NASL family Misc. NASL id ORACLE_JAVA_CPU_FEB_2013_UNIX.NASL description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 13 or 6 Update 39, or is earlier than or equal to 5 Update 38 or 1.4.2 Update 40. It is, therefore, potentially affected by security issues in the following components : - 2D - AWT - Beans - CORBA - Deployment - Install - JavaFX - JAXP - JAX-WS - JMX - JSSE - Libraries - Networking - RMI - Scripting - Sound last seen 2020-06-01 modified 2020-06-02 plugin id 64850 published 2013-02-22 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64850 title Oracle Java SE Multiple Vulnerabilities (February 2013 CPU) (Unix) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(64850); script_version("1.11"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id( "CVE-2012-1541", "CVE-2012-1543", "CVE-2012-3213", "CVE-2012-3342", "CVE-2012-4301", "CVE-2012-4305", "CVE-2013-0351", "CVE-2013-0409", "CVE-2013-0419", "CVE-2013-0423", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0429", "CVE-2013-0430", "CVE-2013-0431", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0436", "CVE-2013-0437", "CVE-2013-0438", "CVE-2013-0439", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0445", "CVE-2013-0446", "CVE-2013-0447", "CVE-2013-0448", "CVE-2013-0449", "CVE-2013-0450", "CVE-2013-1472", "CVE-2013-1473", "CVE-2013-1474", "CVE-2013-1475", "CVE-2013-1476", "CVE-2013-1477", "CVE-2013-1478", "CVE-2013-1479", "CVE-2013-1480", "CVE-2013-1481", "CVE-2013-1482", "CVE-2013-1483", "CVE-2013-1489" ); script_bugtraq_id( 57681, 57682, 57683, 57684, 57685, 57686, 57687, 57688, 57689, 57690, 57691, 57692, 57693, 57694, 57695, 57696, 57697, 57699, 57700, 57701, 57702, 57703, 57704, 57705, 57706, 57707, 57708, 57709, 57710, 57711, 57712, 57713, 57714, 57715, 57716, 57717, 57718, 57719, 57720, 57721, 57722, 57723, 57724, 57725, 57726, 57727, 57728, 57729, 57730, 57731 ); script_xref(name:"CERT", value:"858729"); script_xref(name:"EDB-ID", value:"24539"); script_name(english:"Oracle Java SE Multiple Vulnerabilities (February 2013 CPU) (Unix)"); script_summary(english:"Checks version of the JRE"); script_set_attribute(attribute:"synopsis", value: "The remote Unix host contains a programming platform that is potentially affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 13 or 6 Update 39, or is earlier than or equal to 5 Update 38 or 1.4.2 Update 40. It is, therefore, potentially affected by security issues in the following components : - 2D - AWT - Beans - CORBA - Deployment - Install - JavaFX - JAXP - JAX-WS - JMX - JSSE - Libraries - Networking - RMI - Scripting - Sound"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2013/Feb/12"); script_set_attribute(attribute:"see_also", value:"http://www.security-explorations.com/en/SE-2012-01-details.html"); # http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a915dbbd"); script_set_attribute(attribute:"solution", value: "Update to JDK / JRE 7 Update 13 or 6 Update 39 or later and, if necessary, remove any affected versions."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Java Applet JMX Remote Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/19"); script_set_attribute(attribute:"patch_publication_date", value:"2013/02/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/22"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk"); script_set_attribute(attribute:"agent", value:"unix"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("sun_java_jre_installed_unix.nasl"); script_require_keys("Host/Java/JRE/Installed"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Check each installed JRE. installs = get_kb_list_or_exit("Host/Java/JRE/Unmanaged/*"); info = ""; vuln = 0; vuln2 = 0; installed_versions = ""; granular = ""; foreach install (list_uniq(keys(installs))) { ver = install - "Host/Java/JRE/Unmanaged/"; if (ver !~ "^[0-9.]+") continue; installed_versions = installed_versions + " & " + ver; if ( ver =~ '^1\\.4\\.2_([0-9]|[0-3][0-9]|40)([^0-9]|$)' || ver =~ '^1\\.5\\.0_([0-9]|[0-2][0-9]|3[0-8])([^0-9]|$)' || ver =~ '^1\\.6\\.0_([0-9]|[0-2][0-9]|3[0-8])([^0-9]|$)' || ver =~ '^1\\.7\\.0_(0[0-9]|1[0-2])([^0-9]|$)' ) { dirs = make_list(get_kb_list(install)); vuln += max_index(dirs); foreach dir (dirs) info += '\n Path : ' + dir; info += '\n Installed version : ' + ver; info += '\n Fixed version : 1.6.0_39 / 1.7.0_13\n'; } else if (ver =~ "^[\d\.]+$") { dirs = make_list(get_kb_list(install)); foreach dir (dirs) granular += "The Oracle Java version "+ver+" at "+dir+" is not granular enough to make a determination."+'\n'; } else { dirs = make_list(get_kb_list(install)); vuln2 += max_index(dirs); } } # Report if any were found to be vulnerable. if (info) { if (report_verbosity > 0) { if (vuln > 1) s = "s of Java are"; else s = " of Java is"; report = '\n' + 'The following vulnerable instance'+s+' installed on the\n' + 'remote host :\n' + info; security_hole(port:0, extra:report); } else security_hole(0); if (granular) exit(0, granular); } else { if (granular) exit(0, granular); installed_versions = substr(installed_versions, 3); if (vuln2 > 1) exit(0, "The Java "+installed_versions+" installs on the remote host are not affected."); else exit(0, "The Java "+installed_versions+" install on the remote host is not affected."); }NASL family Windows NASL id ORACLE_JAVA_CPU_FEB_2013.NASL description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 13 or 6 Update 39, or is earlier than or equal to 5 Update 38 or 1.4.2 Update 40. It is, therefore, potentially affected by security issues in the following components : - 2D - AWT - Beans - CORBA - Deployment - Install - JavaFX - JAXP - JAX-WS - JMX - JSSE - Libraries - Networking - RMI - Scripting - Sound last seen 2020-06-01 modified 2020-06-02 plugin id 64454 published 2013-02-04 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64454 title Oracle Java SE Multiple Vulnerabilities (February 2013 CPU)
Oval
| accepted | 2013-06-10T04:00:54.799-04:00 | ||||
| class | vulnerability | ||||
| contributors |
| ||||
| definition_extensions |
| ||||
| description | Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU. | ||||
| family | windows | ||||
| id | oval:org.mitre.oval:def:16378 | ||||
| status | accepted | ||||
| submitted | 2013-04-22T10:26:26.748+04:00 | ||||
| title | Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU. | ||||
| version | 4 |
References
- http://marc.info/?l=bugtraq&m=136733161405818&w=2
- http://www.kb.cert.org/vuls/id/858729
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
- http://www.us-cert.gov/cas/techalerts/TA13-032A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16378