ID

VAR-201208-0292

CVE

CVE-2012-4681

TITLE

Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code

DESCRIPTION

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class. Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions. Oracle Provided by Java 7 Any OS A vulnerability exists that allows the command to be executed. Oracle Provided by Java 7 Is Java Any sandbox is avoided OS A vulnerability exists that allows the command to be executed. Attack code using this vulnerability has been released and attacks have been observed.Crafted Java By opening a web page with an applet embedded, OS The command may be executed. An attacker can exploit this issue to bypass Java sandbox restrictions and load additional classes to execute arbitrary code in the context of the application. Oracle Java SE is prone to a weakness in the Java Runtime Environment. The issue can be exploited over multiple protocols and affects the 'AWT' sub-component. Note: The flaw cannot be exploited directly but is dependent on any other security vulnerability that can be directly executed first. This issue affects the following supported versions: 7 Update 6 and before, 6 Update 34 and before. NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities (CVE-2012-0547). Update: Packages for Mandriva Linux 2011 is being provided. The verification of md5 checksums and GPG signatures is performed automatically for you. (CVE-2012-0547) This erratum also upgrades the OpenJDK package to IcedTea6 1.10.9. Refer to the NEWS file, linked to in the References, for further information. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Hitachi Cosminexus Java Multiple Vulnerabilities SECUNIA ADVISORY ID: SA51141 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51141/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51141 RELEASE DATE: 2012-11-01 DISCUSS ADVISORY: http://secunia.com/advisories/51141/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51141/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51141 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Hitachi has acknowledged multiple vulnerabilities in multiple Cosminexus products, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and potentially compromise a vulnerable system. The vulnerabilities exist in the bundled version of Java. For more information: SA50133 SA50949 Please see the vendor's advisory for a list of affected products. ORIGINAL ADVISORY: Hitachi (HS12-023): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-023/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.7.0-openjdk security update Advisory ID: RHSA-2012:1223-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1223.html Issue date: 2012-09-03 CVE Names: CVE-2012-0547 CVE-2012-1682 CVE-2012-3136 CVE-2012-4681 ===================================================================== 1. Summary: Updated java-1.7.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64 3. Description: These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. Multiple improper permission check issues were discovered in the Beans component in OpenJDK. (CVE-2012-0547) All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 852051 - CVE-2012-4681 OpenJDK: beans insufficient permission checks, Java 7 0day (beans, 7162473) 853097 - CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476) 853138 - CVE-2012-3136 OpenJDK: beans MethodElementHandler insufficient permission checks (beans, 7194567) 853228 - CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201) 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.src.rpm i386: java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-demo-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-devel-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-src-1.7.0.5-2.2.1.el6_3.3.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.5-2.2.1.el6_3.3.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.src.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.5-2.2.1.el6_3.3.noarch.rpm x86_64: java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.src.rpm i386: java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-demo-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-devel-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-src-1.7.0.5-2.2.1.el6_3.3.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.5-2.2.1.el6_3.3.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.src.rpm i386: java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.5-2.2.1.el6_3.3.src.rpm i386: java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-demo-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-devel-1.7.0.5-2.2.1.el6_3.3.i686.rpm java-1.7.0-openjdk-src-1.7.0.5-2.2.1.el6_3.3.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.5-2.2.1.el6_3.3.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.5-2.2.1.el6_3.3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0547.html https://www.redhat.com/security/data/cve/CVE-2012-1682.html https://www.redhat.com/security/data/cve/CVE-2012-3136.html https://www.redhat.com/security/data/cve/CVE-2012-4681.html https://access.redhat.com/security/updates/classification/#important http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQRKzHXlSAg2UNWIIRAt9QAJ9qt+dYZrGWLZfelO3gxXIHLRIrjgCdE0e8 0vzPqUIZfBkT+eNBNebUuVE= =WYyS -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the java.beans.Expression class. Due to unsafe handling of reflection of privileged classes inside the Expression class it is possible for untrusted code to gain access to privileged methods and properties. This can result in remote code execution under the context of the current process. More details can be found at: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-18357 15.html - -- Disclosure Timeline: 2012-07-24 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * James Forshaw (tyranid) - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

network

TYPE

Unknown

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Adam Gowdiak of Security Explorations and James Forshaw (tyranid) via TippingPoint

SOURCES

LAST UPDATE DATE

2026-01-28T21:50:18.650000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE