Oracle Updates Java for Lucky13 SSL Vulnerability
Page 1 of 1
Oracle this week released a patch update providing an additional five fixes for Java. Three of the five fixes carry the highest possible CVSS base score of 10, and all five exploits are remotely exploitable without user authentication.
"The purpose of this update is to deliver five additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th," Eric Maurice, Manager for Oracle's global technology business unit, stated.
One of the fixes is for a newly reported server security risk.
"The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE)," Maurice noted. "This fix is for a vulnerability commonly referred to as the 'Lucky Thirteen' vulnerability in SSL/TLS (CVE-2013-0169)."
The Lucky Thirteen attack is an SSL cryptographic timing attack that could potentially enable an attacker to intercept and decrypt secured data.