製品・ソフトウェアに関する情報

JVN脆弱性詳細

Oracle Java SE の Java Runtime Environment におけるセキュリティ・レベルを回避される脆弱性

Title	Oracle Java SE の Java Runtime Environment におけるセキュリティ・レベルを回避される脆弱性
Summary	Oracle Java SE の Java Runtime Environment (JRE) は、Windows 上で稼働する Internet Explorer、Firefox、Opera、および Google Chrome で使用される場合、Java コントロール・パネルのセキュリティ・レベル「非常に高」を回避され、警告メッセージが表示されることなく、無署名の Java コードを実行される脆弱性が存在します。
Possible impacts	第三者により、Java コントロール・パネルのセキュリティ・レベル「非常に高」を回避され、警告メッセージが表示されることなく、無署名の Java コードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 1, 2013, midnight
Registration Date	Feb. 4, 2013, 4:24 p.m.
Last Update	June 17, 2013, 5:01 p.m.

CVSS2.0 : 危険
Score	10
Vector	AV:N/AC:L/Au:N/C:C/I:C/A:C

Affected System

オラクル

JDK 7 Update 10

JDK 7 Update 11

JRE 7 Update 10

JRE 7 Update 11

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1489	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1489
National Vulnerability Database (NVD)
2	CVE-2013-1489	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1489

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	Name	URL
HP Security Bulletin
1	HPSBMU02874 SSRT101184	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c03748879
2	HPSBUX02857 SSRT101103	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c03714148
Oracle Critical Patch Update
3	Oracle Java SE Critical Patch Update Advisory - February 2013	http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
4	Text Form of Oracle Java SE Critical Patch Update - February 2013 Risk Matrices	http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
Red Hat Security Advisory
5	RHSA-2013:0237	http://rhn.redhat.com/errata/RHSA-2013-0237.html
SECURITY BLOG
6	February 2013 Critical Patch Update for Java SE Released	https://blogs.oracle.com/security/entry/february_2013_critical_patch_update

その他

No	Name	URL
IPA 緊急対策情報
1	Oracle Java の脆弱性対策について(CVE-2013-0437等)	http://www.ipa.go.jp/security/ciadr/vul/20130204-jre.html
JPCERT 注意喚起
2	JPCERT-AT-2013-0007	https://www.jpcert.or.jp/at/2013/at130007.txt
JVN
3	JVNTA13-032A	http://jvn.jp/cert/JVNTA13-032A
US-CERT Technical Cyber Security Alert
4	TA13-032A	http://www.us-cert.gov/cas/techalerts/TA13-032A.html
US-CERT Vulnerability Note
5	VU#858729	http://www.kb.cert.org/vuls/id/858729

Change Log

No	Changed Details	Date of change
0	[2013年02月04日] 掲載 [2013年02月18日] ベンダ情報：レッドハット (RHSA-2013:0237) を追加 [2013年06月17日] ベンダ情報：ヒューレット・パッカード (HPSBMU02874 SSRT101184) を追加ベンダ情報：ヒューレット・パッカード (HPSBUX02857 SSRT101103) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-1489

Summary	Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability.
Publication Date	Jan. 31, 2013, 11:55 p.m.
Registration Date	Jan. 26, 2021, 3:36 p.m.
Last Update	Nov. 21, 2024, 10:49 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:oracle:jdk:1.7.0:update11::::windows::*
cpe:2.3:a:oracle:jdk:1.7.0:update10::::windows::*
cpe:2.3:a:oracle:jre:1.7.0:update11::::windows::*
cpe:2.3:a:oracle:jre:1.7.0:update10::::windows::*
execution environment
1	cpe:2.3:a:google:chrome:-:::::::*
2	cpe:2.3:a:microsoft:internet_explorer:-:::::::*
3	cpe:2.3:a:mozilla:firefox::::::::
4	cpe:2.3:a:opera:opera_browser:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53
2	http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53
3	http://marc.info/?l=bugtraq&m=136439120408139&w=2
4	http://marc.info/?l=bugtraq&m=136439120408139&w=2
5	http://marc.info/?l=bugtraq&m=136439120408139&w=2
6	http://marc.info/?l=bugtraq&m=136439120408139&w=2
7	http://marc.info/?l=bugtraq&m=136733161405818&w=2
8	http://marc.info/?l=bugtraq&m=136733161405818&w=2
9	http://marc.info/?l=bugtraq&m=136733161405818&w=2
10	http://marc.info/?l=bugtraq&m=136733161405818&w=2
11	http://rhn.redhat.com/errata/RHSA-2013-0237.html
12	http://rhn.redhat.com/errata/RHSA-2013-0237.html
13	http://seclists.org/fulldisclosure/2013/Jan/241
14	http://seclists.org/fulldisclosure/2013/Jan/241
15	http://thenextweb.com/insider/2013/01/28/new-vulnerability-bypasses-oracles-attempt-to-stop-malware-drive-by-downloads-via-java-applets/
16	http://thenextweb.com/insider/2013/01/28/new-vulnerability-bypasses-oracles-attempt-to-stop-malware-drive-by-downloads-via-java-applets/
17	http://www.informationweek.com/security/application-security/java-security-work-remains-bug-hunter-sa/240147150
18	http://www.informationweek.com/security/application-security/java-security-work-remains-bug-hunter-sa/240147150
19	http://www.kb.cert.org/vuls/id/858729	US Government Resource
20	http://www.kb.cert.org/vuls/id/858729	US Government Resource
21	http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html	Vendor Advisory
22	http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html	Vendor Advisory
23	http://www.scmagazine.com.au/News/330453%2Cjava-still-unsafe-new-flaws-discovered.aspx
24	http://www.scmagazine.com.au/News/330453%2Cjava-still-unsafe-new-flaws-discovered.aspx
25	http://www.us-cert.gov/cas/techalerts/TA13-032A.html	US Government Resource
26	http://www.us-cert.gov/cas/techalerts/TA13-032A.html	US Government Resource
27	http://www.zdnet.com/java-update-doesnt-prevent-silent-exploits-at-all-7000010422/
28	http://www.zdnet.com/java-update-doesnt-prevent-silent-exploits-at-all-7000010422/
29	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15906
30	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15906
31	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19171
32	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19171

Common Vulnerabilities List

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:oracle:jdk:1.7.0:update11::::windows::*
cpe:2.3:a:oracle:jdk:1.7.0:update10::::windows::*
cpe:2.3:a:oracle:jre:1.7.0:update11::::windows::*
cpe:2.3:a:oracle:jre:1.7.0:update10::::windows::*
execution environment
1	cpe:2.3:a:google:chrome:-:::::::*
2	cpe:2.3:a:microsoft:internet_explorer:-:::::::*
3	cpe:2.3:a:mozilla:firefox::::::::
4	cpe:2.3:a:opera:opera_browser:-:::::::*