CVE-2013-0422

high

Description

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

References

http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html

http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/

http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html

http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/

http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/

http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html

http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html

http://rhn.redhat.com/errata/RHSA-2013-0156.html

http://rhn.redhat.com/errata/RHSA-2013-0165.html

http://seclists.org/bugtraq/2013/Jan/48

http://www.kb.cert.org/vuls/id/625617

http://www.mandriva.com/security/advisories?name=MDVSA-2013:095

http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

http://www.ubuntu.com/usn/USN-1693-1

http://www.us-cert.gov/cas/techalerts/TA13-010A.html

https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018

https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us

Details

Source: MITRE

Published: 2013-01-10

Updated: 2014-02-21

Type: CWE-264

Risk Information

CVSS v2

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 10

Severity: HIGH

Tenable Plugins

17 plugins in total.

ID | Name | Product | Family | Severity
--- | --- | --- | --- | ---
75022 | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0199-1) | Nessus | SuSE Local Security Checks | critical
72139 | GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT) | Nessus | Gentoo Local Security Checks | critical
68709 | Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0165) | Nessus | Oracle Linux Local Security Checks | critical
66107 | Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:095) | Nessus | Mandriva Local Security Checks | critical
65246 | SuSE 11.2 Security Update : Java (SAT Patch Number 7454) | Nessus | SuSE Local Security Checks | critical
65204 | RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2013:0626) | Nessus | Red Hat Local Security Checks | critical
64840 | Oracle Java SE 7 < Update 11 Multiple Vulnerabilities (Unix) | Nessus | Misc. | critical
63609 | Ubuntu 12.10 : openjdk-7 vulnerabilities (USN-1693-1) | Nessus | Ubuntu Local Security Checks | critical
63607 | Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL6.x i386/x86_64 (20130116) | Nessus | Scientific Linux Local Security Checks | critical
63590 | RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0165) | Nessus | Red Hat Local Security Checks | critical
63586 | Fedora 16 : java-1.7.0-openjdk-1.7.0.9-2.3.4.fc16 (2013-0888) | Nessus | Fedora Local Security Checks | critical
63585 | Fedora 17 : java-1.7.0-openjdk-1.7.0.9-2.3.4.fc17 (2013-0868) | Nessus | Fedora Local Security Checks | critical
63584 | Fedora 18 : java-1.7.0-openjdk-1.7.0.9-2.3.4.fc18 (2013-0853) | Nessus | Fedora Local Security Checks | critical
63581 | CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0165) | Nessus | CentOS Local Security Checks | critical
63534 | RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0156) | Nessus | Red Hat Local Security Checks | critical
63521 | Oracle Java SE 7 < Update 11 Multiple Vulnerabilities | Nessus | Windows | high
6664 | Oracle Java SE 7 <= Update 10 Remote Code Execution | Nessus Network Monitor | Web Clients | critical