Vulnerability Note VU#625617
Java 7 fails to restrict access to privileged code
Java 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin.
The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.
Apply an update
Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|IcedTea||Affected||-||16 Jan 2013|
|OpenJDK||Affected||-||14 Jan 2013|
|Oracle Corporation||Affected||11 Jan 2013||13 Jan 2013|
|Red Hat, Inc.||Affected||-||17 Jan 2013|
|Sun Microsystems, Inc.||Affected||11 Jan 2013||12 Jan 2013|
|IBM Corporation||Not Affected||14 Jan 2013||14 Jan 2013|
CVSS Metrics (Learn More)
Thanks to Kafeine for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: CVE-2013-0422
- US-CERT Alert: TA13-010A
- Date Public: 10 Jan 2013
- Date First Published: 10 Jan 2013
- Date Last Updated: 12 Jun 2013
- Document Revision: 142
If you have feedback, comments, or additional information about this vulnerability, please send us email.