1. IBM Products that Ship only IBM JRE
A new Java zero-day vulnerability, CVE-2013-0422, was publicly reported on January 10, 2013.
Details about this issue are available in a Vulnerability Note published by CERT/CC Carnegie Mellon (see http://www.kb.cert.org/vuls/id/625617). This vulnerability can only be exploited as a Client-Side attack specifically targeting the browser software located on a user's desktop. For more information about Client-Side attacks see “Client-Side Attacks: An Overview” (http://books.google.com/books?id=izHrTu3dxAYC&lpg=PP1&pg=PA1#v=onepage&q&f=false).
The IBM Hursley Java team has acquired the exploit code (note that the source code for the exploit calls itself the
Java "EveryDay" exploit), used it to test the IBM JDK, and confirmed that the IBM JDK is not vulnerable
to this exploit. The IBM Java Development team has thus confirmed that the IBM Software Development Kit (SDK) and
IBM Java Runtime Environment (JRE) are not vulnerable to this exploit, so our customers can continue to run the
IBM JRE with confidence. The link to the official statement is attached below.
2. IBM products that ship the Oracle JRE may be vulnerable to this exploit if the Oracle JRE plug-in is being used by
a web browser such as Internet Explorer, Chrome, Firefox, etc. In such cases, there is no fix available, but
read the article and the links in it on how to "Disable Java on IE with the Windows Registry Wizard".
3. IBM customers using award-winning Patch Management provided by Tivoli Endpoint Manager (TEM)
Content in the Updates for Windows Applications Fixlet site has been modified, and the JRE Fixlets for Mac OS X have been modified as well.
You can review the information provided below to understand how rapidly all enterprise vulnerabilities can be closed.
If you have further questions, please contact me.