CVE-2013-1493

CVSS V2 High 10 CVSS V3 None

Description

The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013.

Overview

CVE ID
CVE-2013-1493

Assigner
secalert_us@oracle.com

Vulnerability Status
Modified

Published Version
2013-03-05T22:06:35

Last Modified Date
2022-05-13T14:52:52

Weakness Enumerations

CWE	URL
CWE-119	http://cwe.mitre.org/data/definitions/119.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
cpe:2.3:a:oracle:jre::update15::::::*	1	OR	1.7.0
cpe:2.3:a:oracle:jre:1.7.0:::::::*	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update1::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update10::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update11::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update13::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update2::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update3::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update4::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update5::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update6::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update7::::::	1	OR
cpe:2.3:a:oracle:jre:1.7.0:update9::::::	1	OR
cpe:2.3:a:oracle:jre::update40::::::*	1	OR	1.5.0
cpe:2.3:a:oracle:jre:1.5.0:update36::::::	1	OR
cpe:2.3:a:oracle:jre:1.5.0:update38::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:::::::*	1	OR
cpe:2.3:a:sun:jre:1.5.0:update1::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update10::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update11::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update12::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update13::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update14::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update15::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update16::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update17::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update18::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update19::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update2::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update20::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update21::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update22::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update23::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update24::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update25::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update26::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update27::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update28::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update29::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update3::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update31::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update33::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update4::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update5::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update6::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update7::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update8::::::	1	OR
cpe:2.3:a:sun:jre:1.5.0:update9::::::	1	OR
cpe:2.3:a:oracle:jdk::update41::::::*	1	OR	1.6.0
cpe:2.3:a:oracle:jdk:1.6.0:update22::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update23::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update24::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update25::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update26::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update27::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update29::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update30::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update31::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update32::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update33::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update34::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update35::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update37::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update38::::::	1	OR
cpe:2.3:a:oracle:jdk:1.6.0:update39::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:::::::*	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_10::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_11::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_12::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_13::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_14::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_15::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_16::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_17::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_18::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_19::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_20::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_21::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_3::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_4::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_5::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_6::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update_7::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update1::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update1_b06::::::	1	OR
cpe:2.3:a:sun:jdk:1.6.0:update2::::::	1	OR
cpe:2.3:a:oracle:jre::update41::::::*	1	OR	1.6.0
cpe:2.3:a:oracle:jre:1.6.0:update22::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update23::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update24::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update25::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update26::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update27::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update29::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update30::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update31::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update32::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update33::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update34::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update35::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update37::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update38::::::	1	OR
cpe:2.3:a:oracle:jre:1.6.0:update39::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:::::::*	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_1::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_10::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_11::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_12::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_13::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_14::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_15::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_16::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_17::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_18::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_19::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_2::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_20::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_21::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_3::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_4::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_5::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_6::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_7::::::	1	OR
cpe:2.3:a:sun:jre:1.6.0:update_9::::::	1	OR
cpe:2.3:a:oracle:jdk::update40::::::*	1	OR	1.5.0
cpe:2.3:a:oracle:jdk:1.5.0:update36::::::	1	OR
cpe:2.3:a:oracle:jdk:1.5.0:update38::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:::::::*	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update1::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update10::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update11::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update11_b03::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update12::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update13::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update14::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update15::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update16::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update17::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update18::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update19::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update2::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update20::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update21::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update22::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update23::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update24::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update25::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update26::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update27::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update28::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update29::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update3::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update31::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update33::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update4::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update5::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update6::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update7::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update7_b03::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update8::::::	1	OR
cpe:2.3:a:sun:jdk:1.5.0:update9::::::	1	OR
cpe:2.3:a:oracle:jdk::update15::::::*	1	OR	1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:::::::*	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update1::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update10::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update11::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update13::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update2::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update3::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update4::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update5::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update6::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update7::::::	1	OR
cpe:2.3:a:oracle:jdk:1.7.0:update9::::::	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector
NETWORK

Access Compatibility
LOW

Authentication
NONE

Confidentiality Impact
COMPLETE

Integrity Impact
COMPLETE

Availability Impact
COMPLETE

Base Score
10

Severity
HIGH

Exploitability Score
10

Impact Score
10

References

Reference URL	Reference Tags
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1915099.xml	Vendor Advisory
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
http://www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-incident
https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/
https://bugzilla.redhat.com/show_bug.cgi?id=917553
https://twitter.com/jduck1337/status/307629902574800897
http://www.ubuntu.com/usn/USN-1755-2
http://rhn.redhat.com/errata/RHSA-2013-0604.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00012.html
http://rhn.redhat.com/errata/RHSA-2013-0601.html
http://rhn.redhat.com/errata/RHSA-2013-0603.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00009.html
http://www.us-cert.gov/ncas/alerts/TA13-064A	US Government Resource
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136570436423916&w=2
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://www.exploit-db.com/exploits/24904
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
http://www.kb.cert.org/vuls/id/688246	US Government Resource
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0088
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04117626-1
http://www.securitytracker.com/id/1029803
http://www.securityfocus.com/bid/58238
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19477
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19246

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2013-1493
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 08:30:45				Added to TrackCVE