Oracle Java "In the Wild" Zero Day Exploit

jdel6654

VIP Member
If you are an Oracle support subscriber, you most likely received notice from Oracle of a Java zero-day security exploit (aka "In the Wild"). The warning was significant enough to warrant an advisory from the US government.

"

Oracle Security Alert for CVE-2013-0422

Dear Oracle Security Alert Subscriber,

Oracle Security Alert for CVE-2013-0422 was released on January 13, 2013.

This Security Alert addresses security issue CVE-2013-0422 (US-CERT Alert TA13-010A) affecting Java running in web browsers on desktops.
The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices.

Oracle strongly recommends applying Security Alert fixes as soon as possible.

The Security Alert Advisory is the starting point for relevant information. It includes the list of products affected, a summary of the security vulnerability, and a pointer to obtain the latest patches. Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied.

Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Advisory is available at the following location:

Oracle Critical Patch Updates and Security Alerts:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Oracle Security Alert CVE-2013-0422:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
"

Since E1 is pure HTML/JavaScript, the threat to JDE clients seems limited.

What is somewhat confusing to me is that Oracle released another bulletin that talks about a fix for many of their applications.

http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
 