Risks
Advisories
Browse
or
or

HP Security Bulletin - HP-UX Running Java, Remote Execution of Arbitrary Code, and Other Vulnerabilities (HPSBUX02824)
HPSBUX02824 SSRT100970 rev.2 - HP-UX Running Java, Remote Execution of Arbitrary
Code, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as
possible.
Release Date: 2012-10-18
Last Updated: 2012-10-30
Potential Security Impact: Remote execution of arbitrary code, and other
vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime Environment
(JRE) and Java Developer Kit (JDK) running on HP-UX.These vulnerabilities could allow
remote execution of arbitrary code and other vulnerabilities.

References: CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, and B.11.31 running HP JDK and JRE v7.0.02 and earlier

BACKGROUND
For a PGP signed version of this security bulletin please write to:
security-alert@hp.com

CVSS 2.0 Base Metrics

Reference; Base Vector; Base Score
CVE-2012-0547; (AV:N/AC:L/Au:N/C:N/I:N/A:N); 0.0
CVE-2012-1682; (AV:N/AC:L/Au:N/C:C/I:C/A:C); 10.0
CVE-2012-3136; (AV:N/AC:L/Au:N/C:C/I:C/A:C); 10.0
CVE-2012-4681; (AV:N/AC:L/Au:N/C:C/I:C/A:C); 10.0

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these vulnerabilities.

The upgrade is available from the following location 

http://www.hp.com/go/java 

HP-UX B.11.23, B.11.31; JDK and JRE v7.0.03 or subsequent


MANUAL ACTIONS: Yes - Update 
For Java v7.0 update to Java v7.0.03 or subsequent 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that
replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP
and lists recommended actions that may apply to a specific HP-UX system. It can also
download patches and create a depot automatically. For more information see
https://www.hp.com/go/swa 

The following text is for use by the HP-UX Software Assistant. 

AFFECTED VERSIONS 

HP-UX B.11.23 
HP-UX B.11.31 
=========== 
Jdk70.JDK70 
Jdk70.JDK70-COM 
Jdk70.JDK70-DEMO 
Jdk70.JDK70-IPF32 
Jdk70.JDK70-IPF64 
Jre70.JRE70 
Jre70.JRE70-COM 
Jre70.JRE70-IPF32 
Jre70.JRE70-IPF32-HS 
Jre70.JRE70-IPF64 
Jre70.JRE70-IPF64-HS 
action: install revision 1.7.0.03.00 or subsequent 

END AFFECTED VERSIONS 

HISTORY 
Version:1 (rev.1) - 18 October 2012 Initial release 
Version:2 (rev.2) - 30 October 2012 Corrected CVE-2012-0547 typo
Third Party Security Patches: Third party security patches that are to be installed
on systems running HP software products should be applied in accordance with the
customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product,
send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts
via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins 

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is
contained in HP Security Notice HPSN-2011-001
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964
430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/


Software Product Category: The Software Product Category is represented in the title
by the two characters following HPSB.
3C = 3COM 
3P = 3rd Party Software 
GN = HP General Software 
HF = HP Hardware and Firmware 
MP = MPE/iX 
MU = Multi-Platform Software 
NS = NonStop Servers 
OV = OpenVMS 
PI = Printing and Imaging 
PV = ProCurve 
ST = Storage Software 
TU = Tru64 UNIX 
UX = HP-UX

REQUIRED FIELD INADVERTENTLY LEFT BLANK

REQUIRED FIELD INADVERTENTLY LEFT BLANK

System management and security procedures must be reviewed frequently to maintain
system integrity. HP is continually reviewing and enhancing the security features of
software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention
of users of the affected HP products the important security information contained in
this Bulletin. HP recommends that all users determine the applicability of this
information to their individual situations and take appropriate action. HP does not
warrant that this information is necessarily accurate or complete for all user
situations and, consequently, HP will not be responsible for any damages resulting
from user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose,
title and non-infringement."





Spotlight

Is it time to professionalize information security?

Posted on 23 May 2013.  |  The issue of whether or not information security professionals should be licensed to practice has already been the topic of many a passionate debate.


Daily digest

By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
  
Weekly newsletter

With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
  

 
DON'T
MISS
Fri, May 24th
    COPYRIGHT 1998-2013 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //