PT-2014-1257 · Oracle · Oracle Java SE
Tomas Hoger · Published 2014-01-15 · Updated 2024-06-15
CVE-2014-0423
CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:P
Name of the Vulnerable Software and Affected Versions
Oracle Java SE versions 5.0u55, 6u65, and 7u45
JRockit versions R27.7.7 and R28.2.9
Java SE Embedded version 7u45
OpenJDK version 7
Description
The issue allows remote authenticated users to affect confidentiality and availability via unknown vectors related to the Beans component. It is reportedly an XML External Entity (XXE) vulnerability in DocumentHandler.java, related to Beans decoding, although Oracle has not commented on this. A remote attacker can therefore use the Beans component to compromise the confidentiality and availability of data.
Recommendations
For Oracle Java SE versions 5.0u55, 6u65, and 7u45, update to a version that is not affected by this issue.
For JRockit versions R27.7.7 and R28.2.9, update to a version that is not affected by this issue.
For Java SE Embedded version 7u45, update to a version that is not affected by this issue.
For OpenJDK version 7, update to a version that is not affected by this issue.
As a temporary workaround, consider disabling the Beans component until a patch is available.
Affected Products
CentOS
HP-UX
IBM AIX
JRockit
Java Platform
Java SE Embedded
OpenJDK
Oracle Java SE
Red Hat
SUSE