CVE-2013-2461

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier; the Oracle JRockit component in Oracle Fusion Middleware R27.7.5 and earlier and R28.2.7 and earlier; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June and July 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass verification of XML signatures via vectors related to a "Missing check for [a] valid DOMCanonicalizationMethod canonicalization algorithm."

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=975126	Issue Tracking Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0963.html	Third Party Advisory
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/abe9ea5a50d2	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	Vendor Advisory
http://secunia.com/advisories/54154	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html	Vendor Advisory
http://www.us-cert.gov/ncas/alerts/TA13-169A	Third Party Advisory US Government Resource
http://marc.info/?l=bugtraq&m=137545592101387&w=2	Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=137545505800971&w=2	Mailing List Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:183	Third Party Advisory
http://advisories.mageia.org/MGASA-2013-0185.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html	Vendor Advisory
http://security.gentoo.org/glsa/glsa-201406-32.xml	Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2014-0012.html	Third Party Advisory
http://seclists.org/fulldisclosure/2014/Dec/23	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/60645	Third Party Advisory VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19582	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19565	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16887	Third Party Advisory
https://access.redhat.com/errata/RHSA-2014:0414	Third Party Advisory
http://www.securityfocus.com/archive/1/534161/100/0/threaded	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sun:jdk:1.6.0:update_4::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_7::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_19::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_13::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_3::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_11::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_10::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_14::::::
	cpe:2.3:a:sun:jdk:1.6.0:::::::*
	cpe:2.3:a:sun:jdk:1.6.0:update_17::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update31::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update32::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update33::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_12::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_15::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update29::::::
	cpe:2.3:a:sun:jdk:1.6.0:update1_b06::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update22::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update23::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update24::::::
	cpe:2.3:a:sun:jdk:1.6.0:update1::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_20::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_21::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_5::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update25::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update27::::::
	cpe:2.3:a:sun:jdk:1.6.0:update2::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_16::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_18::::::
	cpe:2.3:a:sun:jdk:1.6.0:update_6::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update30::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update34::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update26::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update37::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update39::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update41::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update43::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update35::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update38::::::

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:jre:1.7.0:update9::::::
	cpe:2.3:a:oracle:jre:1.7.0:update15::::::
	cpe:2.3:a:oracle:jre:1.7.0:update6::::::
	cpe:2.3:a:oracle:jre:1.7.0:update3::::::
	cpe:2.3:a:oracle:jre:1.7.0:update13::::::
	cpe:2.3:a:oracle:jre:1.7.0:update10::::::
	cpe:2.3:a:oracle:jre:1.7.0:update11::::::
	cpe:2.3:a:oracle:jre:1.7.0:update2::::::
	cpe:2.3:a:oracle:jre:1.7.0:update5::::::
	cpe:2.3:a:oracle:jre:1.7.0:update4::::::
	cpe:2.3:a:oracle:jre:1.7.0:update1::::::
	cpe:2.3:a:oracle:jre:1.7.0:::::::*
	cpe:2.3:a:oracle:jre:1.7.0:update7::::::
	cpe:2.3:a:oracle:jre:1.7.0:update17::::::

Configuration 3 (hide)

OR	cpe:2.3:a:oracle:openjdk:1.7.0:::::::*
	cpe:2.3:a:oracle:jrockit::::::::
	cpe:2.3:a:oracle:jrockit::::::::

Information

Published : 2013-06-18 15:55

Updated : 2022-05-13 07:35

NVD link : CVE-2013-2461

Mitre link : CVE-2013-2461

JSON object : View

CWE

NVD-CWE-noinfo

Products Affected

oracle

jrockit
jdk
openjdk
jre

sun

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html", "name": "http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=975126", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=975126", "tags": ["Issue Tracking", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0963.html", "name": "RHSA-2013:0963", "tags": ["Third Party Advisory"], "refsource": "REDHAT"}, {"url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/abe9ea5a50d2", "name": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/abe9ea5a50d2", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html", "name": "http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/54154", "name": "54154", "tags": ["Third Party Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html", "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.us-cert.gov/ncas/alerts/TA13-169A", "name": "TA13-169A", "tags": ["Third Party Advisory", "US Government Resource"], "refsource": "CERT"}, {"url": "http://marc.info/?l=bugtraq&m=137545592101387&w=2", "name": "HPSBUX02908", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "HP"}, {"url": "http://marc.info/?l=bugtraq&m=137545505800971&w=2", "name": "HPSBUX02907", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "HP"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:183", "name": "MDVSA-2013:183", "tags": ["Third Party Advisory"], "refsource": "MANDRIVA"}, {"url": "http://advisories.mageia.org/MGASA-2013-0185.html", "name": "http://advisories.mageia.org/MGASA-2013-0185.html", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", "name": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://security.gentoo.org/glsa/glsa-201406-32.xml", "name": "GLSA-201406-32", "tags": ["Third Party Advisory"], "refsource": "GENTOO"}, {"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", "name": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://seclists.org/fulldisclosure/2014/Dec/23", "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://www.securityfocus.com/bid/60645", "name": "60645", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19582", "name": "oval:org.mitre.oval:def:19582", "tags": ["Third Party Advisory"], "refsource": "OVAL"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19565", "name": "oval:org.mitre.oval:def:19565", "tags": ["Third Party Advisory"], "refsource": "OVAL"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16887", "name": "oval:org.mitre.oval:def:16887", "tags": ["Third Party Advisory"], "refsource": "OVAL"}, {"url": "https://access.redhat.com/errata/RHSA-2014:0414", "name": "RHSA-2014:0414", "tags": ["Third Party Advisory"], "refsource": "REDHAT"}, {"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded", "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier; the Oracle JRockit component in Oracle Fusion Middleware R27.7.5 and earlier and R28.2.7 and earlier; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June and July 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass verification of XML signatures via vectors related to a \"Missing check for [a] valid DOMCanonicalizationMethod canonicalization algorithm.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-2461", "ASSIGNER": "secalert_us@oracle.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2013-06-18T22:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update1_b06:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update37:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update39:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update41:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update43:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update35:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.6.0:update38:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:openjdk:1.7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "r27.7.5", "versionStartIncluding": "r27.7.1"}, {"cpe23Uri": "cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "r28.2.7", "versionStartIncluding": "r28.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-05-13T14:35Z"}

7.5 /10