CVE-2013-5907

Published: 15/01/2014 Updated: 05/01/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote malicious users to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is due to incorrect input validation in LookupProcessor.cpp in the ICU Layout Engine, which allows malicious users to cause a denial of service (crash) or possibly execute arbitrary code via a crafted font file.

Affected Products

Vendor   Product   Versions
Oracle   Jdk       1.5.0, 1.6.0, 1.7.0
Oracle   Jre       1.5.0, 1.6.0, 1.7.0
Oracle   Jrockit   R27.7.7, R28.2.9

Vendor Advisories

Synopsis: Important: java-1.5.0-ibm security update. Type/Severity: Security Advisory: Important. Topic: Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having important ...
Synopsis: Important: java-1.6.0-openjdk security update. Type/Severity: Security Advisory: Important. Topic: Updated java-1.6.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important secur ...
Synopsis: Critical: java-1.7.0-openjdk security update. Type/Severity: Security Advisory: Critical. Topic: Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impac ...
Synopsis: Important: java-1.7.0-openjdk security update. Type/Severity: Security Advisory: Important. Topic: Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security im ...
Synopsis: Critical: java-1.6.0-ibm security update. Type/Severity: Security Advisory: Critical. Topic: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical se ...
Several security issues were fixed in OpenJDK 6 ...
USN-2124-1 introduced a regression in OpenJDK 6 ...
Synopsis: Critical: java-1.7.0-ibm security update. Type/Severity: Security Advisory: Critical. Topic: Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical se ...
Synopsis: Critical: java-1.7.0-oracle security update. Type/Severity: Security Advisory: Critical. Topic: Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having crit ...
An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions (CVE-2013-5907). Multiple improper permission check issu ...
An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions (CVE-2013-5907). Multiple improper permission check issues ...

References

CWE: NVD-CWE-noinfo

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/9d29c19f1de1
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html
http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html
http://marc.info/?l=bugtraq&m=139402697611681&w=2
http://marc.info/?l=bugtraq&m=139402749111889&w=2
http://osvdb.org/101995
http://rhn.redhat.com/errata/RHSA-2014-0026.html
http://rhn.redhat.com/errata/RHSA-2014-0027.html
http://rhn.redhat.com/errata/RHSA-2014-0030.html
http://rhn.redhat.com/errata/RHSA-2014-0097.html
http://rhn.redhat.com/errata/RHSA-2014-0134.html
http://rhn.redhat.com/errata/RHSA-2014-0135.html
http://rhn.redhat.com/errata/RHSA-2014-0136.html
http://secunia.com/advisories/56432
http://secunia.com/advisories/56485
http://secunia.com/advisories/56486
http://secunia.com/advisories/56487
http://secunia.com/advisories/56535
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.securityfocus.com/bid/64758
http://www.securityfocus.com/bid/64894
http://www.securitytracker.com/id/1029608
http://www.ubuntu.com/usn/USN-2089-1
http://www.ubuntu.com/usn/USN-2124-1
https://access.redhat.com/errata/RHSA-2014:0414
https://bugzilla.redhat.com/show_bug.cgi?id=1052915
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777
https://nvd.nist.gov
https://www.securityfocus.com/bid/64894
https://access.redhat.com/security/cve/cve-2013-5907
https://usn.ubuntu.com/2124-1/
https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2013-5878
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2013-1208