Vulnerability News 2013/04/17 12:51



A security update has been released for the JDK & JRE programs provided by Oracle Java.

 

This JDK and JRE 7 Update 21 release fixes 42 security vulnerabilities, 39 of which allow remote code execution without user authentication, so any computer running Java should be updated without delay.
(CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540,
CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383,
CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418,
CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425,
CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432,
CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440)


[Affected software and update versions]
 
 

□ JDK and JRE 7 Update 17 and earlier → JDK and JRE 7 Update 21


□ JDK and JRE 6 Update 43 and earlier → JDK and JRE 6 Update 45


□ JDK and JRE 5.0 Update 41 and earlier → JDK and JRE 5.0 Update 43


□ JavaFX 2.2.7 and earlier → JavaFX 2.2.21



This update also includes important functional changes.

1. Changes to the Java Control Panel security settings
- The Low and Custom settings have been removed from the security slider
(The slider shrinks from 5 levels to 3 by removing the former "Custom" and "Low" settings)



2. Changes to security dialogs
- Updated security dialogs for HTTPS security warnings and mixed code sources

When Java checks for updates, the program name 'Java Auto Update' is shown instead of 'jucheck.exe'



- Update details: http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html

Java™ SE Development Kit 7, Update 21 (JDK 7u21)

The full version string for this update release is 1.7.0_21-b11 (where "b" means "build") except for Mac OS X for which it is 1.7.0_21-b12. The version number is 7u21.

Highlights

This update release contains several enhancements and changes including the following:

Olson Data 2012i

JDK 7u21 contains Olson time zone data version 2012i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u21 are specified in the following table:

JRE Family Version    JRE Security Baseline (Full Version String)
7                     1.7.0_21
6                     1.6.0_45
5.0                   1.5.0_45

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The expiration date for JRE 7u21 is 07/18/2013.

Blacklisted Jars and Certificates

Oracle now manages a certificate and jar blacklist repository. This data is updated on client computers daily on the first execution of a Java applet or web start application.

Changes to Java Control Panel's Security Settings

In this release, low and custom settings are removed from the Java Control Panel(JCP)'s Security Slider.

Depending on the security level set in the Java Control Panel and the user's version of the JRE, self-signed or unsigned applications might not be allowed to run. The default setting of High permits all but local applets to run on a secure JRE. If the user is running an insecure JRE, only applications that are signed with a certificate issued by a recognized certificate authority are allowed to run.

For more information, see the Security section of the Java Control Panel documentation.

Changes to Security Dialogs

As of JDK 7u21, JavaScript code that calls code within a privileged applet is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library attribute.

For more information, see Mixing Privileged Code and Sandbox Code documentation.

The JDK 7u21 release enables users to make more informed decisions before running Rich Internet Applications (RIAs) by prompting users for permissions before an RIA is run. These permission dialogs include information on the certificate used to sign the application, the location of the application, and the level of access that the application requests. For more information, see User Acceptance of RIAs.

Changes to RMI

From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false.

This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException.

For more information, see RMI Enhancements.

Server JRE

A new Server JRE package, with tools commonly required for server deployments but without the Java plug-in, auto-update or installer found in the regular JRE package, is available starting from this release. The Server JRE is specifically targeted for deploying Java in server environments and is available for 64-bit Solaris, Windows and Linux platforms. For more information on installing this package, see Installation Instructions.

Some of the tools included in the initial release of the Server JRE package, may not be available in future versions of the Server JRE. Please check future release notes for tools availability if you use this package.

JDK for Linux on ARM

JDK 7u21 release includes support for JDK for Linux on ARM. The product offers headful support for ARMv6 and ARMv7.

The following JDK features are not included or supported in this product:

  • Java WebStart
  • Java Plug-In
  • Garbage First (G1) Collector
  • JavaFX SDK or JavaFX Runtime

In addition, some features of the Serviceability Agent are also not available for Linux on ARM platform.

Java support on ARM is specific to the GNOME Desktop Environment version 1:2.30+7.

Changes to Runtime.exec

On the Windows platform, the decoding of command strings specified to the Runtime.exec(String), Runtime.exec(String,String[]) and Runtime.exec(String,String[],File) methods has been improved to follow the specification more closely. This may cause problems for applications that are using one or more of these methods with commands that contain spaces in the program name, or are invoking these methods with commands that are not quoted correctly.

For example, Runtime.getRuntime().exec("C:\\My Programs\\foo.exe bar") is an attempt to launch the program "C:\\My" with the arguments "Programs\\foo.exe" and "bar". This command is likely to fail with an exception to indicate "C:\My" cannot be found.

The example Runtime.getRuntime().exec("\"C:\\My Programs\\foo.exe\" bar") is an attempt to launch the program "\"C:\\My". This command will fail with an exception to indicate the program has an embedded quote.

Applications that need to launch programs with spaces in the program name should consider using the variants of Runtime.exec that allow the command and arguments to be specified in an array.

Alternatively, the preferred way to create operating system processes since JDK 5.0 is using java.lang.ProcessBuilder. The ProcessBuilder class has a much more complete API for setting the environment, working directory and redirecting streams for the process.
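The following is an added example, not code from the Oracle release notes: it reproduces the whitespace tokenization behind Runtime.exec(String) on the two command strings quoted above, and then launches a program whose path may contain a space (the running JVM's own java binary) through ProcessBuilder, where the program and each argument stay separate list elements and are never re-tokenized. The splitLikeRuntimeExec helper is assumed here to mirror the JDK's StringTokenizer-based split; the class and method names are this example's own.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

/**
 * Added example: why Runtime.exec(String) mis-parses program paths with
 * spaces, and how the array / ProcessBuilder forms avoid the problem.
 */
public class ExecDemo {

    /**
     * Mirrors the split performed by Runtime.exec(String): a plain whitespace
     * tokenizer that knows nothing about quotes (assumed to match the JDK).
     */
    static String[] splitLikeRuntimeExec(String command) {
        StringTokenizer st = new StringTokenizer(command);
        String[] cmdarray = new String[st.countTokens()];
        for (int i = 0; st.hasMoreTokens(); i++) {
            cmdarray[i] = st.nextToken();
        }
        return cmdarray;
    }

    /**
     * Builds a ProcessBuilder from an explicit program path and arguments.
     * Nothing here is split on whitespace, so a space in the path is harmless
     * and an argument can never be promoted to part of the program name.
     */
    static ProcessBuilder build(String program, String... args) {
        List<String> cmd = new ArrayList<String>();
        cmd.add(program);
        cmd.addAll(Arrays.asList(args));
        return new ProcessBuilder(cmd);
    }

    public static void main(String[] argv) throws IOException, InterruptedException {
        // The two command strings from the release notes, as exec(String) sees them.
        String[] samples = {
            "C:\\My Programs\\foo.exe bar",
            "\"C:\\My Programs\\foo.exe\" bar"
        };
        for (String cmd : samples) {
            String[] parts = splitLikeRuntimeExec(cmd);
            String[] args = Arrays.copyOfRange(parts, 1, parts.length);
            System.out.println("exec(String) would launch program: " + parts[0]);
            System.out.println("  with arguments: " + Arrays.toString(args));
        }

        // Portable demonstration: run the java binary of the current JVM,
        // whose install directory often contains a space (e.g. "Program Files").
        String javaBin = System.getProperty("java.home")
                + File.separator + "bin" + File.separator + "java";
        ProcessBuilder pb = build(javaBin, "-version");
        pb.redirectErrorStream(true);   // "java -version" writes to stderr
        System.out.println("ProcessBuilder command list: " + pb.command());

        Process p = pb.start();
        // Drain the child's output so it cannot block on a full pipe.
        byte[] buf = new byte[4096];
        while (p.getInputStream().read(buf) != -1) {
            // discard
        }
        System.out.println("exit code: " + p.waitFor());
    }
}
```

Compile and run with `javac ExecDemo.java && java ExecDemo`. The first loop prints `C:\My` and `"C:\My` as the program that exec(String) would try to launch, matching the two failures described in the release notes; the ProcessBuilder launch succeeds regardless of spaces in the JVM's install path because the program and its argument are passed as separate list elements.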

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.


To update, either run Java's automatic update,

or open [Control Panel], launch [Java], and click [Update Now].




posted by 처리 
