Multiple vulnerabilities have been reported in Oracle Java SE, which can be exploited by malicious users to disclose certain information and by malicious people to disclose potentially sensitive information, hijack a user's session, conduct DNS cache poisoning attacks, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) A design error in the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols can be exploited to disclose potentially sensitive information via e.g. a Man-in-the-Middle (MitM) attack.

2) An error in the Deployment component may allow execution of arbitrary code in a client deployment via e.g untrusted applets.

This vulnerability affects Windows based platforms only.

3) A type checking error in the Deserialization component when handling IIOP deserialization may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

4) An input sanitisation error in the Scripting component when handling Rhino Javascript errors may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

5) A signedness error in jsound.dll when a function receives notifications of control-change events encountered in MIDI streams can be exploited to corrupt heap memory.

6) An error in the Deployment component can be exploited to disclose and manipulate certain data in a client deployment via e.g. untrusted applets.

7) An error in the Networking component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

8) An error in the AWT component may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

9) An error in the Swing component may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

10) An error in the AWT component may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

11) An error in the 2D component may allow execution of arbitrary code in a client and server deployment via e.g untrusted applets or data sent to APIs through a web service.

12) The java.net.Socket API does not properly limit the number of concurrent UDP sockets, which can be exploited to conduct DNS cache poisoning attacks by exhausting available sockets by e.g. tricking a user into visiting a website containing malicious applets.

This may be related to vulnerability #19 in:
SA43262

13) An error in the JAXWS component can be exploited to disclose certain data in a server deployment via e.g. data sent to APIs through a web service.

14) An error in the Java Runtime Environment component may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

15) An error in the Java Runtime Environment component can be exploited to manipulate certain data and cause a DoS in a client deployment via e.g. untrusted applets.

16) An error in the RMI component can be exploited to disclose and manipulate certain data and to cause a DoS in a RMI server deployment.

17) An error in the RMI component can be exploited to disclose and manipulate certain data and to cause a DoS in a RMI server deployment.

18) An error in the HotSpot component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

19) An error in the JSSE component can be exploited to disclose and manipulate certain data in a client deployment via e.g. untrusted applets.

20) An error in the Deployment component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

Solution
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by
3) Sami Koivu via ZDI.
4) Michael Schierl via ZDI.
5) axtaxt via ZDI.
12) Roee Hay and Yair Amit, IBM Rational Application Security Research Group.

It is currently unclear who reported the remaining vulnerabilities as the Oracle Java SE Critical Patch Update for October 2011 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Changelog
Further details available in Customer Area

Original Advisory
Oracle:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

IBM:
http://blog.watchfire.com/files/dnsp_port_exhaustion.pdf
http://roeehay.blogspot.com/2011/10/dns-poisoning-via-port-exhaustion.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-305/
http://www.zerodayinitiative.com/advisories/ZDI-11-306/
http://www.zerodayinitiative.com/advisories/ZDI-11-307/

Other references
Further details available in Customer Area

Technical Analysis
Further details available in Customer Area

Deep Links
Links available in Customer Area