Oracle Java 7 Security Manager Bypass Vulnerability (CVE-2013-0422)
IBM PSIRT
A new Java zero-day vulnerability, CVE-2013-0422, was publicly reported on January 10, 2013. Details about this issue are available in a Vulnerability Note published by CERT/CC Carnegie Mellon and in Alert (TA13-010A) published by the United States Computer Emergency Readiness Team (US-CERT).
This vulnerability can only be exploited as a client-side attack specifically targeting the browser software located on a user's desktop. For more information about client-side attacks, see “Client-Side Attacks: An Overview”. This vulnerability does not apply to Java running on servers, in desktop applications, or in embedded applications.
The IBM Software Development Kit (SDK) and IBM Java Runtime Environment (JRE) are not vulnerable to this exploit.
If you are using Oracle's JDK or JRE 7 Update 10 or earlier, see Oracle Security Alert for CVE-2013-0422 for patch information.
Please check back for updates.