CVE-2013-0422

Oracle JRE Remote Code Execution Vulnerability

Severity Score

10.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

Múltiples vulnerabilidades en Java de Oracle versión 7 anterior a Update 11, permiten a los atacantes remotos ejecutar código arbitrario mediante (1) utilizando el método público getMBeanInstantiator en la clase JmxMBeanServer para obtener una referencia a un objeto MBeanInstantiator privado, a continuación, recuperar referencias arbitrarias Class mediante el método findClass y (2) mediante la API Reflection con recursión de una manera que omita una comprobación de seguridad mediante el método java.lang.invoke.MethodHandles.Lookup.checkSecurityManager debido a la incapacidad del método sun.reflect.Reflection.getCallerClass para omitir marcos relacionados con la nueva API reflection, como se explotó “in the wild” en Enero de 2013, como es demostrado por Blackhole y Nuclear Pack, y una vulnerabilidad diferente de CVE-2012-4681 y CVE-2012-3174. NOTA: algunas partes han mapeado el problema recursivo de la API Reflection al CVE-2012-3174, pero el CVE-2012-3174 es para una vulnerabilidad diferente cuyos detalles no son públicos a partir de 20130114. El CVE-2013-0422 cubre los problemas de JMX/MBean y API Reflection. NOTA: originalmente se informó que Java versión 6 también era vulnerable, pero el reportero se ha retractado de esta afirmación, declarando que Java versión 6 no es explotable porque el código relevante se llama de una manera que no omita las comprobaciones de seguridad. NOTA: a partir de 20130114, un tercero confiable ha afirmado que el vector findClass/MBeanInstantiator no se corrigió en Java de Oracle versión 7 Update 11. Si todavía hay una condición vulnerable, se podría crear un identificador CVE independiente para el problema no corregido.

A vulnerability in the way Java restricts the permissions of Java applets could allow an attacker to execute commands on a vulnerable system.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-12-07 CVE Reserved
2013-01-10 CVE Published
2013-01-11 First Exploit
2022-05-25 Exploited in Wild
2022-06-15 KEV Due Date
2024-08-06 CVE Updated
2024-08-10 EPSS Updated

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (22)

URL	Tag	Source
http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html	Not Applicable
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released	Broken Link
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html	Third Party Advisory
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware	Third Party Advisory
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday	Broken Link
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html	Third Party Advisory
http://seclists.org/bugtraq/2013/Jan/48	Mailing List
http://www.kb.cert.org/vuls/id/625617	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA13-010A.html	Third Party Advisory
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf	Broken Link
https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013	Not Applicable
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018	Third Party Advisory
https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us	Not Applicable

URL	Date	SRC
https://www.exploit-db.com/exploits/24045	2013-01-11

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html	2024-04-26
http://rhn.redhat.com/errata/RHSA-2013-0156.html	2024-04-26
http://rhn.redhat.com/errata/RHSA-2013-0165.html	2024-04-26
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095	2024-04-26
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html	2024-04-26
http://www.ubuntu.com/usn/USN-1693-1	2024-04-26
https://access.redhat.com/security/cve/CVE-2013-0422	2013-03-11
https://bugzilla.redhat.com/show_bug.cgi?id=894172	2013-03-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		-		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update1		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update10		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update2		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update3		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update4		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update5		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update6		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update7		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.7.0 Search vendor "Oracle" for product "Jdk" and version "1.7.0"		update9		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		-		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update1		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update10		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update2		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update3		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update4		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update5		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update6		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update7		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.7.0 Search vendor "Oracle" for product "Jre" and version "1.7.0"		update9		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.10"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				12.2 Search vendor "Opensuse" for product "Opensuse" and version "12.2"		-		Affected