PT-2014-2972 · Oracle+6 · Java Se Embedded+8

Published

2014-01-15

·

Updated

2024-06-15

·

CVE-2013-5878

CVSS v2.0

7.5

High

VectorAV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions Oracle Java SE versions 6u65 through 7u45 Java SE Embedded version 7u45 OpenJDK version 7
Description The issue affects confidentiality, integrity, and availability via unknown vectors related to Security. It is claimed that the Security component does not properly handle null XML namespace (xmlns) attributes during XML document canonicalization, which allows attackers to escape the sandbox.
Recommendations For Oracle Java SE versions 6u65 through 7u45, update to a version that is not affected by this issue. For Java SE Embedded version 7u45, update to a version that is not affected by this issue. For OpenJDK version 7, update to a version that is not affected by this issue. As a temporary workaround, consider restricting the use of the Security component until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Related Identifiers

CESA-2014_0026
CESA-2014_0097
CVE-2013-5878
HPSBUX02972
HPSBUX02973
MGASA-2014-0023
OPENSUSE-SU-2024:10534-1
RHSA-2014:0026
RHSA-2014:0027
RHSA-2014:0030
RHSA-2014:0097
RHSA-2014:0134
RHSA-2014:0135
RHSA-2014:0414
RHSA-2014:0705
RHSA-2014:0982
RHSA-2014_0026
RHSA-2014_0027
RHSA-2014_0030
RHSA-2014_0097
RHSA-2014_0134
RHSA-2014_0135
RHSA-2014_0414
RHSA-2014_0705
SUSE-SU-2014_0215-1
SUSE-SU-2014_0246-1
SUSE-SU-2014_0266-1
SUSE-SU-2014_0266-2
SUSE-SU-2014_0266-3

Affected Products

Centos
Hp-Ux
Ibm Aix
Java Platform
Java Se
Java Se Embedded
Openjdk
Red Hat
Suse