A memory corruption flaw exists in Oracle Java SE's 2D component. The 'nTblSize' variable within the cmm.dll library fails to sanitize user-supplied input when parsing the A-to-B curve data multi-function resulting in memory corruption. With a specially crafted request, a remote attacker can cause a denial of service or potentially execute arbitrary code.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory in the references section.

• Security Tracker: 1026687
• CVE ID: 2012-0498 (see also: NVD)
• Secunia Advisory ID: 48009 48073 48074 48546 48589 48648 48692 48854 48913 48915 48948 48950 49076 49124 49333 49369 49552 49554 49953 49966 50479 50806 52491 52799 53006 53238
• Bugtraq ID: 52019
• Related OSVDB ID: 79226 79227 79228 79229 79230 79231 79232 79233 79234 79235 79236
• Vendor Specific News/Changelog Entry: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03254184
  http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
  http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00010.html
  http://www-01.ibm.com/support/docview.wss?uid=swg21612331
  http://www-01.ibm.com/support/docview.wss?uid=swg21626697
  http://www-01.ibm.com/support/docview.wss?uid=swg21632667
  http://www-01.ibm.com/support/docview.wss?uid=swg21633918
  http://www-01.ibm.com/support/docview.wss?uid=swg21633991
  http://www-01.ibm.com/support/docview.wss?uid=swg21633992
  http://www-01.ibm.com/support/docview.wss?uid=swg24033633
  http://www-01.ibm.com/support/docview.wss?uid=swg24034373
  http://www.ibm.com/developerworks/java/jdk/alerts/
  http://www.ibm.com/support/docview.wss?uid=swg1PM59971
  http://www.ibm.com/support/docview.wss?uid=swg1PM59978
  http://www.ibm.com/support/docview.wss?uid=swg1PM60958
  http://www.ibm.com/support/docview.wss?uid=swg21598423
  http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
  https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03350339
• Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03266681
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03358587
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03405642
  http://support.apple.com/kb/HT5228
  http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-007/index.html
  http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
  http://www.vmware.com/security/advisories/VMSA-2012-0013.html
  http://www.xerox.com/download/security/security-bulletin/16576-4c596b2a88f00/cert_XRX12-006_v1.01.pdf
• Packet Storm: http://packetstormsecurity.org/files/111594/Apple-Security-Advisory-2012-04-03-1.html
  http://packetstormsecurity.org/files/111624/HP-Security-Bulletin-HPSBUX02757-SSRT100779-2.html
  http://packetstormsecurity.org/files/111633/HP-Security-Bulletin-HPSBUX02760-SSRT100805.html
  http://packetstormsecurity.org/files/111713/Zero-Day-Initiative-Advisory-12-060.html
  http://packetstormsecurity.org/files/113170/HP-Security-Bulletin-HPSBUX02784-SSRT100871.html
• Mail List Post: http://seclists.org/bugtraq/2012/Apr/46
  http://seclists.org/bugtraq/2012/Apr/48
  http://seclists.org/bugtraq/2012/May/151
• Vendor URL: http://www.oracle.com/
• News Article: http://www.zdnet.com/blog/security/have-you-uninstalled-java-yet-here-are-14-new-reasons/10323
• Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-12-032/
  http://www.zerodayinitiative.com/advisories/ZDI-12-060/
• RedHat RHSA: RHSA-2012:0139 RHSA-2012:0508 RHSA-2012:0514

• Not Available