Oracle has released its scheduled June Critical Update Patch (CPU) for Oracle Java SE, which addresses a number of critical security vulnerabilities affecting the Java Development Kit (JDK) and Java Runtime Environment (JRE). A total of 17 security vulnerabilities have been identified in this advisory, across the Java SE product line.
The vulnerabilities affect JDK and JRE version 6.0, up to update 25; JDK version 5.0, up to update 29; Software Development Kit (SDK), version 1.4.2_31 and earlier versions. These vulnerabilities affect all Java SE products across all supported platforms. Of these, 11 apply to client only deployments of Java SE, whereas five apply to client and server deployments.
Nine of these vulnerabilities have received a common vulnerability scoring system (CVSS) base rating of 10.0 — the highest rating. However, these ratings apply only to systems where the user has administrative privileges, typically Windows systems. On other platforms like Linux and Solaris, the corresponding CVSS rating severity falls to 7.5.
Oracle informs that all these vulnerabilities are remotely exploitable without authentication by un-trusted applets and/or Java Web starts, with up to 13 of these having a low level of access complexity. Vulnerabilities have been identified in the AWT, deployment, sound and 2D subsystems of the Java runtime environment. In several cases, multiple instances of these vulnerabilities have been identified.
Due to the severity of threats posed by successful exploitation, Oracle recommends that users apply the CPU fixes as soon as possible. Oracle advises that until the fixes are applied, it may be possible to reduce the severity of an attack by restricting network protocols and privileges.
While unsupported Java products are not addressed in this CPU, Oracle believes it is likely that those products also suffer from these same security holes. It advises users to upgrade to supported versions. Patches may be downloaded directly from the Website or using the Java auto-upgrade feature.