It was discovered that the CMM part of the 2D component did not properly reject certain malformed images. Specially-crafted raster parameters could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1493 to the following vulnerability:

Name: CVE-2013-1493
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493
Assigned: 20130130
Reference: http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
Reference: http://www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-incident
Reference: https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/
Reference: http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1915099.xml

The 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via vectors that trigger a (1) read or (2) write of arbitrary memory in the JVM, as exploited in the wild in February 2013.
Fixed in Oracle Java SE 7u17 and 6u43.
External Reference: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
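A small triage helper, added here as an example and not part of this bug record or of any Red Hat or Oracle tooling: it parses the first line of `java -version` output for an Oracle/Sun JDK and classifies the install against the affected and fixed update levels stated above (7u15/6u41/5.0u40 and earlier affected; 7u17 and 6u43 fixed; no fixed 5.0 release is named on this page, so anything newer than 5.0u40 is reported as unknown). IcedTea/OpenJDK builds use their own release numbering and are deliberately reported as unknown, since for those the RHSA errata and IcedTea release notes listed below are the authoritative check. The banner strings in `main()` are constructed sample input.

```python
import re
from typing import Optional, Tuple

# Version facts as stated in the CVE record and the "Fixed in" note above.
# Java 5.0 has an affected range on this page but no named fixed release.
LAST_AFFECTED = {7: 15, 6: 41, 5: 40}   # family -> last affected update
FIRST_FIXED = {7: 17, 6: 43}            # family -> first fixed update

# Matches the first line of `java -version` for Oracle/Sun JDKs,
# e.g. 'java version "1.7.0_15"' -> family 7, update 15.
_VERSION_RE = re.compile(r'java version "1\.(\d)\.0(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def cve_2013_1493_status(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed' or 'unknown' for CVE-2013-1493."""
    lowered = banner.lower()
    if "icedtea" in lowered or "openjdk" in lowered:
        # IcedTea/OpenJDK carry their own release numbering; the Oracle update
        # number in the banner says nothing about whether the backport is present.
        return "unknown"
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in LAST_AFFECTED:
        # Families not named in the CVE record are out of scope for this check.
        return "unknown"
    if update <= LAST_AFFECTED[family]:
        return "vulnerable"
    fixed = FIRST_FIXED.get(family)
    if fixed is not None and update >= fixed:
        return "fixed"
    # Between the last affected and first fixed update, or a 5.0 build newer
    # than 5.0u40 (no fixed 5.0 release is named here): do not guess.
    return "unknown"


def main() -> None:
    # Constructed sample banners, shaped like real `java -version` output.
    samples = [
        'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
        'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
        'java version "1.6.0_41"',
        'java version "1.6.0_43"',
        'java version "1.5.0_40"',
        'java version "1.7.0_09-icedtea"\nOpenJDK Runtime Environment (IcedTea7 2.3.4)',
    ]
    for banner in samples:
        first_line = banner.splitlines()[0]
        print(f"{first_line:40s} -> {cve_2013_1493_status(banner)}")


if __name__ == "__main__":
    main()
```

Run it against the output of `java -version 2>&1` on each host; anything reported as unknown needs a package-level check (for example the RHSA advisories below) rather than a version-string comparison.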
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0601 https://rhn.redhat.com/errata/RHSA-2013-0601.html

This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0600 https://rhn.redhat.com/errata/RHSA-2013-0600.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2013:0604 https://rhn.redhat.com/errata/RHSA-2013-0604.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2013:0603 https://rhn.redhat.com/errata/RHSA-2013-0603.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:0602 https://rhn.redhat.com/errata/RHSA-2013-0602.html
Oracle security blog post with more information on the security alert:
https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493

Upstream commit, as included in IcedTea7 repositories:
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/4f97a6256473
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:0605 https://rhn.redhat.com/errata/RHSA-2013-0605.html

This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0624 https://rhn.redhat.com/errata/RHSA-2013-0624.html

This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0626 https://rhn.redhat.com/errata/RHSA-2013-0626.html

This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0625 https://rhn.redhat.com/errata/RHSA-2013-0625.html
Fixed in IcedTea versions IcedTea6 1.11.9 and 1.12.4, and IcedTea7 2.1.7, 2.2.7 and 2.3.8:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022145.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-March/022273.html
This issue has been addressed in the following products:

Red Hat Network Satellite Server v 5.5

Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html

This issue has been addressed in the following products:

Red Hat Network Satellite Server v 5.4

Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html