Vulnerability Name:

CVE-2013-1489 (CCN-81802)

Assigned: 2013-01-27
Published: 2013-01-27
Updated: 2017-09-19
Summary: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability.
Per: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

"This issue (CVE-2013-1489) has been discussed publicly and is sometimes known as the "Java Security Slider vulnerability". It has a CVSS of 0 because it does not directly result in an exploitation, but may be combined with other vulnerabilities to allow blind exploitation. When the Security Slider is set to the default (high) all unsigned applets must be authorized via a dialog box by a browser user in order to execute. This provides the browser operator the opportunity to prevent execution of suspicious applets that may result in successful exploits. However, when CVE-2013-1489 is combined with vulnerabilities that can be used to cause direct impacts, the effect can be that the impact can be caused "silently" without the authorization dialog box."
CVSS v3 Severity: 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Changed
  Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High
CVSS v2 Severity: 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
  7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Complete; Integrity (I): Complete; Availability (A): Complete
CCN CVSS v2 Severity: 10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
  7.4 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Complete; Integrity (I): Complete; Availability (A): Complete
REDHAT CVSS v2 Severity: 0.0 Low (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:N)
  0.0 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:N/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Gain Access
References:
Source: MISC
Type: UNKNOWN
http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53

Source: MITRE
Type: CNA
CVE-2013-1489

Source: HP
Type: UNKNOWN
HPSBUX02857

Source: HP
Type: UNKNOWN
HPSBMU02874

Source: CCN
Type: RHSA-2013-0237
Critical: java-1.7.0-oracle security update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0237

Source: FULLDISC
Type: UNKNOWN
20130127 [SE-2012-01] An issue with new Java SE 7 security features

Source: CCN
Type: SA52064
Oracle Java Multiple Vulnerabilities

Source: CCN
Type: SA54291
Avaya Call Management System (CMS) Java Multiple Vulnerabilities

Source: MISC
Type: UNKNOWN
http://thenextweb.com/insider/2013/01/28/new-vulnerability-bypasses-oracles-attempt-to-stop-malware-drive-by-downloads-via-java-applets/

Source: CCN
Type: IBM Security Bulletin 1628927
Rational Host On-Demand clients affected by vulnerabilities in IBM JRE

Source: CCN
Type: IBM Security Bulletin 1633170
Potential security vulnerabilities with JavaTM SDKs

Source: CCN
Type: IBM Security Bulletin 1635864
IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE 6.0

Source: CCN
Type: IBM Security Bulletin 1640206
IBM Tivoli Monitoring clients affected by vulnerabilities in IBM JRE executed under a security manager

Source: CCN
Type: IBM Security Bulletin 1650822
Java Security Vulnerabilitys addressed in IBM Tivoli Netcool OMNIbus

Source: MISC
Type: UNKNOWN
http://www.informationweek.com/security/application-security/java-security-work-remains-bug-hunter-sa/240147150

Source: CERT-VN
Type: US Government Resource
VU#858729

Source: CCN
Type: Oracle Critical Patch Update
Oracle Java SE Critical Patch Update Advisory - February 2013

Source: CONFIRM
Type: Vendor Advisory
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

Source: MISC
Type: UNKNOWN
http://www.scmagazine.com.au/News/330453,java-still-unsafe-new-flaws-discovered.aspx

Source: CCN
Type: BID-57707
Oracle Java SE CVE-2013-1489 Unsigned Java Code Security Bypass Vulnerability

Source: CERT
Type: US Government Resource
TA13-032A

Source: MISC
Type: UNKNOWN
http://www.zdnet.com/java-update-doesnt-prevent-silent-exploits-at-all-7000010422/

Source: CCN
Type: ASA-2013-191
Oracle Java Critical Update Combined CVEs (February 2013)

Source: XF
Type: UNKNOWN
oracle-javacpufeb2013-cve20131489(81802)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:15906

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:19171

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:oracle:jdk:1.7.0:update10:*:*:*:windows:*:*
  • OR cpe:/a:oracle:jdk:1.7.0:update11:*:*:*:windows:*:*
  • OR cpe:/a:oracle:jre:1.7.0:update10:*:*:*:windows:*:*
  • OR cpe:/a:oracle:jre:1.7.0:update11:*:*:*:windows:*:*
  • AND
  • cpe:/a:google:chrome:-:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:-:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:*
  • OR cpe:/a:opera:opera_browser:-:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:rhel_extras:6:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
  • AND
  • cpe:/a:avaya:call_management_system_server:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/omnibus:7.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/omnibus:7.3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/omnibus:7.4.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class (V = vulnerability, P = patch) | Title | Last Modified
oval:org.mitre.oval:def:19171 | V | HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities | 2015-04-20
oval:org.mitre.oval:def:23784 | P | ELSA-2013:0237: java-1.7.0-oracle security update (Critical) | 2014-05-26
oval:org.mitre.oval:def:20947 | P | RHSA-2013:0237: java-1.7.0-oracle security update (Critical) | 2014-02-17
oval:org.mitre.oval:def:15906 | V | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: Deployment) 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability. | 2013-06-10
oval:com.redhat.rhsa:def:20130237 | P | RHSA-2013:0237: java-1.7.0-oracle security update (Critical) | 2013-02-04
oval:com.ubuntu.precise:def:20131489000 | V | CVE-2013-1489 on Ubuntu 12.04 LTS (precise) - medium. | 2013-01-31