English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

CVE ID:CVE-2013-0422
Description:Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.
Test IDs: None available
Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2013-0422
Bugtraq: 20130110 [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code (Google Search)
http://seclists.org/bugtraq/2013/Jan/48
Cert/CC Advisory: TA13-010A
http://www.us-cert.gov/cas/techalerts/TA13-010A.html
CERT/CC vulnerability note: VU#625617
http://www.kb.cert.org/vuls/id/625617
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
RedHat Security Advisories: RHSA-2013:0156
http://rhn.redhat.com/errata/RHSA-2013-0156.html
RedHat Security Advisories: RHSA-2013:0165
http://rhn.redhat.com/errata/RHSA-2013-0165.html
SuSE Security Announcement: openSUSE-SU-2013:0199 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
http://www.ubuntu.com/usn/USN-1693-1



© 1998-2025 E-Soft Inc. All rights reserved.