CVE-2013-0425 – OpenJDK: logging insufficient access control checks (Libraries, 6664509)
https://notcve.org/view.php?id=CVE-2013-0425
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0428 and CVE-2013-0426. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect "access control checks" in the logging API that allow remote attackers to bypass Java sandbox restrictions. Vulnerabilidad sin especificar en el componente Java Runtime Environment (JRE) en Oracle Java SE 7 a la Update 11, 6 a la Update 38, y v5.0 a la Update 38, y v1.4.2_40 y anteriores, permite que atacantes remotos comprometan la integridad, confidencialidad y disponibilidad a través de vectores no especificados relacionados con "Libraries". Vulnerabilidad distinta de CVE-2013-0428 y CVE-2013-0426. • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=907344 http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/icedtea6-1.11.6/NEWS http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/ce105dd2e4de http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00034.html http://marc.info/?l=bugtraq&m=136439120408139& •
CVE-2012-2739
https://notcve.org/view.php?id=CVE-2012-2739
Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 and 8 before build 39, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. Oracle Java SE anteriores a 7 Update 6, y OpenJDK 7 anteriores a 7u6 build 12 y 8 anteriores a build 39, calculan los valores de hash sin restringir la posibilidad de provocar colisiones hash previsibles, lo que permite a atacantes dependientes de contexto provocar una denegación de servicio (consumo de CPU) a través de la manipulación de una entrada para la aplicación que mantiene la tabla de valores hash. • http://armoredbarista.blogspot.de/2012/02/investigating-hashdos-issue.html http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html http://www.kb.cert.org/vuls/id/903934 http://www.nruns.com/_downloads/advisory28122011.pdf http://www.ocert.org/advisories/ocert-2011-003.html http://www.openwall.com/lists/oss-security/2012/06/15/12 http://www.openwall.com/lists/oss-security/2012/06/17/1 https://bugzilla.redhat.com/show_bug.cgi?id=750533 • CWE-310: Cryptographic Issues •
CVE-2012-5373
https://notcve.org/view.php?id=CVE-2012-5373
Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash3 algorithm, a different vulnerability than CVE-2012-2739. Oracle Java SE 7 y anteriores, y OpenJDK 7 y anteriores, calcula los valores hash sin restringir la posibilidad de provocar colisiones hash previsibles, lo que permite a atacantes dependientes de contexto provocar una denegación de servicio (consumo de CPU) a través de la manipulación de una entrada a la aplicación que mantiene la tabla de valores hash, como se demostró con un ataque universal multicollision contra el algoritmo MurmurHash3, una vulnerabilidad diferente a CVE-2012-2739. • http://2012.appsec-forum.ch/conferences/#c17 http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf http://www.ocert.org/advisories/ocert-2012-001.html http://www.securityfocus.com/bid/56673 https://bugzilla.redhat.com/show_bug.cgi?id=880705 https://exchange.xforce.ibmcloud.com/vulnerabilities/80299 https://www.131002.net/data/talks/appsec12_slides.pdf • CWE-310: Cryptographic Issues •
CVE-2012-3202
https://notcve.org/view.php?id=CVE-2012-3202
Multiple unspecified vulnerabilities in the Oracle JRockit component in Oracle Fusion Middleware 28.2.4 and earlier, and 27.7.3 and earlier, when using JDK/JRE 5 or 6, allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: this overlaps CVE-2012-5083, CVE-2012-1531, CVE-2012-5081, and CVE-2012-5085. Múltiples vulnerabilidades no especificadas en el componente Oracle JRockit en Oracle Fusion Middleware v28.2.4 y anteriores, y v27.7.3 y versiones anteriores, cuando se utiliza JDK/JRE v5 o v6, permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos. NOTE: esto solapa CVE-2012-5083, CVE-2012-1531, CVE-2012-5081, and CVE-2012-5085. • http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html http://www.securityfocus.com/bid/56050 •
CVE-2012-5079 – OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919)
https://notcve.org/view.php?id=CVE-2012-5079
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries, a different vulnerability than CVE-2012-5073. Vulnerabilidad no especificada en el componente Java Runtime Environment (JRE) en Oracle Java SE 7 Update 7 y versiones anteriores, 6 Update 35 y versiones anteriores, 5.0 Update 36 y versiones anteriores y 1.4.2_38 y versiones anteriores permite a atacantes remotos afectar la integridad a través de vectores desconocidos relacionados con Libraries, una vulnerabilidad diferente a CVE-2012-5073. • http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00022.html http://marc.info/?l=bugtraq&m=135542848327757&w=2 http://marc.info/?l=bugtraq&m=135758563611658&w=2 http://rhn.redhat •