Access Restriction Bypass Affecting java-1.7.0-oracle-plugin package, versions <1:1.7.0.11-1jpp.3.el6_3


Severity

Recommended
critical

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

Exploit Maturity
Mature
EPSS
91.69% (100th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL6-JAVA170ORACLEPLUGIN-1451459
  • published26 Jul 2021
  • disclosed10 Jan 2013

Introduced: 10 Jan 2013

CVE-2013-0422  (opens in a new tab)
CWE-264  (opens in a new tab)

How to fix?

Upgrade RHEL:6 java-1.7.0-oracle-plugin to version 1:1.7.0.11-1jpp.3.el6_3 or higher.
This issue was patched in RHSA-2013:0156.

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-1.7.0-oracle-plugin package and not the java-1.7.0-oracle-plugin package as distributed by RHEL. See How to fix? for RHEL:6 relevant fixed versions and status.

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

References

CVSS Scores

version 3.1