CVE-2012-4681 – Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2012-4681
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class. Oracle Java 7 Update 6, y posiblemente otras versiones, permite a atacantes remotos ejecutar código arbitrario a través de un applet manipulado, explotado como en la naturaleza, en agosto de 2012 utilizando Gondzz.class y Gondvv.class. The Java Runtime Environment (JRE) component in Oracle Java SE allow for remote code execution. • https://www.exploit-db.com/exploits/20865 https://github.com/benjholla/CVE-2012-4681-Armoring http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html h •
CVE-2012-1720
https://notcve.org/view.php?id=CVE-2012-1720
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier, when running on Solaris, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Networking. Vulnerabilidad no especificada en el Java Runtime Environment (JRE), componente de Oracle Java SE 7 Update 4 y anteriores, 6 Update 32 y anteriores, 5 actualización 35 y anteriores, y v1.4.2_37 y anteriores, cuando se ejecutan en Solaris, permite a los usuarios locales a afectar confidencialidad, integridad y disponibilidad a través de vectores desconocidos relacionados con la red. • http://marc.info/?l=bugtraq&m=134496371727681&w=2 http://secunia.com/advisories/51080 http://www.ibm.com/support/docview.wss?uid=swg21615246 http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html http://www.securityfocus.com/bid/53956 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16581 •
CVE-2012-1726 – OpenJDK: java.lang.invoke.MethodHandles.Lookup does not honor access modes (Libraries, 7165628)
https://notcve.org/view.php?id=CVE-2012-1726
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. Vulnerabilidad no especificada en el Java Runtime Environment (JRE), componente de Oracle Java SE 7 actualización 4 y anteriores permite a atacantes remotos afectar a la confidencialidad y la integridad a través de vectores desconocidos relacionados con las bibliotecas. • http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html http://marc.info/?l=bugtraq&m=134496371727681&w=2 http://security.gentoo.org/glsa/glsa-201406-32.xml http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html http://www.securityfocus.com/bid/53948 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16699 https://access.redhat.com/security/cve/CVE-2012-1726 https://bugzilla.redhat.com/show_bug.cgi?id=829377 •
CVE-2012-1721 – Oracle Java WebStart Changing System Properties Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2012-1721
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1722. Vulnerabilidad no especificada en el componente Java Runtime Enviroment (JRE) en Oracle Java SE v7 actualización 4 y anteriores, y v6 actualización 32 y anteriores, permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores relacionados con el despliegue, una vulnerabilidad diferente de CVE-2012-1722. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists because it is possible to change system properties through trusted JNLP files. If a JNLP file requests "<all-permissions/>" and only references signed, trusted JAR files, it can set all System properties. • http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00035.html http://marc.info/?l=bugtraq&m=134496371727681&w=2 http://rhn.redhat.com/errata/RHSA-2012-0734.html http://rhn.redhat.com/errata/RHSA-2013-1455.html http://rhn.redhat.com/errata/RHSA-2013-1456.html http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html http://www.securityfocus.com/bid/53959 https://oval.cisecu •
CVE-2012-1722 – JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment)
https://notcve.org/view.php?id=CVE-2012-1722
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1721. Vulnerabilidad no especificada en el componente Java Runtime Environment (JRE) en Oracle Java SE v7 actualización 4 y anteriores, y v6 actualización 32 y anteriores, que permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos relacionados con el despliegue, una vulnerabilidad diferente a la CVE-2012-1721. • http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00035.html http://marc.info/?l=bugtraq&m=134496371727681&w=2 http://rhn.redhat.com/errata/RHSA-2012-0734.html http://rhn.redhat.com/errata/RHSA-2013-1455.html http://rhn.redhat.com/errata/RHSA-2013-1456.html http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html http://www.securityfocus.com/bid/53953 https://oval.cisecu •