Multiple vulnerabilities in Oracle JavaFX
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU43399
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2012-5078
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2012-5080. Per: http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html "Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.)"
MitigationInstall update from vendor's website.
Vulnerable software versionsJavaFX: 1.2 - 2.1
CPE2.3- cpe:2.3:a:oracle:javafx:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:javafx:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:javafx:1.2.3:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
https://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
https://www.securityfocus.com/bid/56066
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16308
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU43400
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2012-5082
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2 and earlier allows remote attackers to affect availability via unknown vectors. Per: http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html "Applies to client deployment of Java only. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.)"
MitigationInstall update from vendor's website.
Vulnerable software versionsJavaFX: 1.2 - 2.1
CPE2.3- cpe:2.3:a:oracle:javafx:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:javafx:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:javafx:1.2.3:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
https://osvdb.org/86370
https://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
https://www.securityfocus.com/bid/56078
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15827
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
