Oracle Critical Patch Update Advisory - April 2013

IDs: 
CB-K13/0276, CVE-2013-1537, CVE-2013-2415, CVE-2013-0405, CVE-2013-0406
Keywords: 
CPU, RMI, Solaris, IPSec, NFS, JAX-WS
Description: 

The Oracle Critical Patch Update for April 2013 includes updates for several Oracle products, including Java and Solaris.

Java Vulnerabilities

Most of the vulnerabilities affect only client-side installations of Java, e.g. Java in web browsers. The following two vulnerabilities affect server-side installations:

  • CVE-2013-1537: Java RMI is used by Airlock internally only and is not accessible to remote users.
  • CVE-2013-2415: The JAX-WS Java API is used by Airlock. The API may create temporary files with insecure file permissions. The vulnerability does not affect Airlock, since the file system of Airlock is not accessible to untrusted users.

Solaris Vulnerabilities

Most of the vulnerabilities can only be exploited with local (shell) access to Airlock. Airlock is not affected by these vulnerabilities because there are no interactive local users other than root on the system. The following two vulnerabilities are potentially remotely exploitable, but they also do not affect Airlock because the affected services are not used on Airlock:

  • CVE-2013-0405: NFS is not used by Airlock.
  • CVE-2013-0406: IPSec is not used by Airlock.
Resolution:

No action required for Airlock.

It is strongly recommended to apply the Java update to all client installations or, better, to disable or even uninstall Java on clients.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required