CVE-2010-4351
Red Hat OpenJDK IcedTea6 ClassLoader Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader.
El JNLP SecurityManager en IcedTea (IcedTea.so) v1.7 anteriores a v1.7.7, v1.8 anteriores a v1.8.4 y v1.9 anteriores a v1.9.4 de Java OpenJDK devuelve desde el método checkPermission una excepción en determinadas circunstancias, lo que podría permitir a atacantes dependientes del contexto eludir la política de protección establecida mediante la creación de instancias de ClassLoader.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Java OpenJDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The flaw exists within the IcedTea.so component. When handling the an applet the process fails to properly restrict permission of code. It is possible to create and instantiate subclasses of ClassLoader. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the browser.
Multiple vulnerabilities have been found in the IcedTea JDK, the worst of which could lead to arbitrary code execution. Versions less than 6.1.13.3 are affected.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2010-11-30 CVE Reserved
- 2011-01-18 CVE Published
- 2024-08-07 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-305: Authentication Bypass by Primary Weakness
CAPEC
References (23)
| URL | Tag | Source |
|---|---|---|
| http://blog.fuseyism.com/index.php/2011/01/18/security-icedtea6-177-184-194-released | X_refsource_confirm | |
| http://osvdb.org/70605 | Vdb Entry | |
| http://secunia.com/advisories/43078 | Third Party Advisory | |
| http://secunia.com/advisories/43085 | Third Party Advisory | |
| http://secunia.com/advisories/43135 | Third Party Advisory | |
| http://www.securityfocus.com/bid/45894 | Vdb Entry | |
| http://www.vupen.com/english/advisories/2011/0215 | Vdb Entry | |
| http://www.vupen.com/english/advisories/2011/0239 | Vdb Entry | |
| http://www.zerodayinitiative.com/advisories/ZDI-11-014 | X_refsource_misc |
|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/64893 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=663680 | 2011-01-25 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.7 Search vendor "Redhat" for product "Icedtea" and version "1.7" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.7.1 Search vendor "Redhat" for product "Icedtea" and version "1.7.1" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.7.2 Search vendor "Redhat" for product "Icedtea" and version "1.7.2" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.7.3 Search vendor "Redhat" for product "Icedtea" and version "1.7.3" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.7.4 Search vendor "Redhat" for product "Icedtea" and version "1.7.4" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.7.5 Search vendor "Redhat" for product "Icedtea" and version "1.7.5" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.7.6 Search vendor "Redhat" for product "Icedtea" and version "1.7.6" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.8 Search vendor "Redhat" for product "Icedtea" and version "1.8" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.8.1 Search vendor "Redhat" for product "Icedtea" and version "1.8.1" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.8.2 Search vendor "Redhat" for product "Icedtea" and version "1.8.2" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.8.3 Search vendor "Redhat" for product "Icedtea" and version "1.8.3" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.9 Search vendor "Redhat" for product "Icedtea" and version "1.9" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.9.1 Search vendor "Redhat" for product "Icedtea" and version "1.9.1" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.9.2 Search vendor "Redhat" for product "Icedtea" and version "1.9.2" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|
| Redhat Search vendor "Redhat" | Icedtea Search vendor "Redhat" for product "Icedtea" | 1.9.3 Search vendor "Redhat" for product "Icedtea" and version "1.9.3" | - |
Affected
| in | Sun Search vendor "Sun" | Openjdk Search vendor "Sun" for product "Openjdk" | * | - |
Safe
|