Oracle Releases Updates for Javadoc and Other Java SE Vulnerabilities

  • CERT Admin
  • Tue Oct 27 2020
  • Alerts

Overview

Oracle released the June 2013 Critical Patch Update for Oracle Java SE. This patch contains 40 new security fixes across Java SE products and a fix to the Javadoc Tool. API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server.

Description

Oracle's June Critical Patch Update includes a fix to the Javadoc Tool. API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server. Additional information can be found in CERT Vulnerability Report VU#225657. Sites hosting such pages are advised to re-generate the API documentation using the latest Javadoc tool and replace the current pages with the re-generated Javadoc output. In cases where regenerating API documentation is not feasible, a Java API Documentation Updater Tool that updates API documentation "in place" is available on Oracle's Java SE Downloads page.

Impact

An attacker can cause one of the frames within a Javadoc-generated web page to be replaced with a malicious page. This vulnerability could be used for phishing or social engineering, or it could be used for browser exploitation if combined with another browser-related vulnerability.
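The alert does not describe how the frame target reaches the page; the example below assumes it arrives from untrusted input (such as the query string of a frames-based index page) and shows a defensive allow-list check a site could apply before loading any URL into a documentation frame. This is an added example, not Oracle's Javadoc code or part of the CERT alert; DOC_ROOT, the placeholder hostname and the function names are assumptions.

```javascript
// Added example: reject frame targets that could point a documentation frame
// at another origin. Only relative .html pages inside the docs tree are allowed.

// Assumed: the path under which the generated API documentation is served.
const DOC_ROOT = "/api/";
// Placeholder origin used only to resolve relative targets (not a real site).
const SITE_ORIGIN = "https://docs.example.invalid";

function isSafeFrameTarget(target) {
  if (typeof target !== "string" || target.length === 0) return false;
  // Anything with a scheme (http:, https:, javascript:, data:, ...) is not a relative doc path.
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(target)) return false;
  // Scheme-relative (//host/...) and backslash forms resolve to a foreign host in browsers.
  if (target.startsWith("//") || target.startsWith("\\")) return false;
  // Control characters have no place in a documentation path.
  if (/[\x00-\x1f\x7f]/.test(target)) return false;
  // Resolve against the docs root; this normalises ../ and %2e%2e segments for us.
  let resolved;
  try {
    resolved = new URL(target, SITE_ORIGIN + DOC_ROOT);
  } catch (e) {
    return false;
  }
  if (resolved.origin !== SITE_ORIGIN) return false;
  // The resolved path must stay inside the documentation tree...
  if (!resolved.pathname.startsWith(DOC_ROOT)) return false;
  // ...and name a generated HTML page, not an arbitrary resource.
  return /\.html$/.test(resolved.pathname);
}

// Returns the validated target, or a known-good default page when the target is rejected.
function chooseFrameTarget(target, fallback = "overview-summary.html") {
  return isSafeFrameTarget(target) ? target : fallback;
}
```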

Solution / Workarounds

✻ Update to the latest version of Mozilla Firefox on Windows, Linux and Mac.

References

✻ http://www.us-cert.gov/ncas/alerts/TA13-169A

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Last updated: Tue Oct 27 2020
