CVE-2013-5896
First published: Tue Jan 14 2014(Updated: )
The default Java security properties configuration did not restrict access to sub-packages of the com.sun.corba.se package. An untrusted Java application or applet could use this flaw to trigger denial of service. This update lists whole com.sun.corba.se package as restricted in the java.security file.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icedtea | <2.4.4 | 2.4.4 |
| redhat/icedtea | <2.3.13 | 2.3.13 |
| redhat/icedtea | <1.12.8 | 1.12.8 |
| redhat/icedtea | <1.13.1 | 1.13.1 |
| Oracle JDK 6 | =1.7.0-update45 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update45 | |
| Oracle JDK 6 | =1.6.0-update65 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update65 | |
| Oracle JDK 6 | =1.5.0-update55 | |
| Oracle Java Runtime Environment (JRE) | =1.5.0-update55 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/694ad155b344
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html
- http://marc.info/?l=bugtraq&m=139402697611681&w=2
- http://marc.info/?l=bugtraq&m=139402749111889&w=2
- http://osvdb.org/102015
- http://rhn.redhat.com/errata/RHSA-2014-0026.html
- http://rhn.redhat.com/errata/RHSA-2014-0027.html
- http://rhn.redhat.com/errata/RHSA-2014-0030.html
- http://rhn.redhat.com/errata/RHSA-2014-0097.html
- http://rhn.redhat.com/errata/RHSA-2014-0134.html
- http://rhn.redhat.com/errata/RHSA-2014-0135.html
- http://secunia.com/advisories/56432
- http://secunia.com/advisories/56485
- http://secunia.com/advisories/56486
- http://secunia.com/advisories/56535
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.securityfocus.com/bid/64758
- http://www.securityfocus.com/bid/64926
- http://www.securitytracker.com/id/1029608
- http://www.ubuntu.com/usn/USN-2089-1
- http://www.ubuntu.com/usn/USN-2124-1
- https://access.redhat.com/errata/RHSA-2014:0414
- https://bugzilla.redhat.com/show_bug.cgi?id=1053266
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90347
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777
- http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html
- https://rhn.redhat.com/errata/RHSA-2014-0027.html
- https://rhn.redhat.com/errata/RHSA-2014-0026.html
- http://hg.openjdk.java.net/jdk7u/jdk7u/corba/rev/f15d0e49b1d8
- https://rhn.redhat.com/errata/RHSA-2014-0030.html
- https://rhn.redhat.com/errata/RHSA-2014-0097.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025800.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025947.html
- http://mail.openjdk.java.net/pipermail/jdk6-dev/2014-January/003212.html
- https://rhn.redhat.com/errata/RHSA-2014-0135.html
- https://rhn.redhat.com/errata/RHSA-2014-0134.html
- https://rhn.redhat.com/errata/RHSA-2014-0414.html
- https://rhn.redhat.com/errata/RHSA-2014-0705.html
- https://rhn.redhat.com/errata/RHSA-2014-0982.html
Frequently Asked Questions
What is the severity of CVE-2013-5896?
CVE-2013-5896 has been classified as a high-severity vulnerability due to the potential for denial of service through untrusted Java applications.
How do I fix CVE-2013-5896?
To mitigate CVE-2013-5896, users should update to the latest versions of IcedTea or Oracle JDK and JRE as specified in the security advisory.
Which software is affected by CVE-2013-5896?
CVE-2013-5896 affects various outdated versions of IcedTea and Oracle's JDK and JRE.
What type of attack can CVE-2013-5896 facilitate?
CVE-2013-5896 can facilitate denial of service attacks against applications that utilize the vulnerable packages.
Is CVE-2013-5896 still exploitable in recent versions?
No, recent updates to the affected software have restricted access to the vulnerable sub-packages, mitigating the risk.
- agent/type
- agent/first-publish-date
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-5896
- agent/software-canonical-lookup
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.7.0-update45
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.7.0-update45
- version/oracle jdk 6/1.6.0-update65
- version/oracle java runtime environment (jre)/1.6.0-update65
- version/oracle jdk 6/1.5.0-update55
- version/oracle java runtime environment (jre)/1.5.0-update55