CVE-2013-0401

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.
References
Link Resource
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html
http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html
http://marc.info/?l=bugtraq&m=137283787217316&w=2
http://marc.info/?l=bugtraq&m=137283787217316&w=2
http://rhn.redhat.com/errata/RHSA-2013-0752.html
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://rhn.redhat.com/errata/RHSA-2013-0758.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2013:145
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.ubuntu.com/usn/USN-1806-1
http://www.us-cert.gov/ncas/alerts/TA13-107A US Government Resource
http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/
https://bugzilla.redhat.com/show_bug.cgi?id=920245
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641
https://twitter.com/thezdi/status/309784608508100608
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html
http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html
http://marc.info/?l=bugtraq&m=137283787217316&w=2
http://marc.info/?l=bugtraq&m=137283787217316&w=2
http://rhn.redhat.com/errata/RHSA-2013-0752.html
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://rhn.redhat.com/errata/RHSA-2013-0758.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2013:145
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.ubuntu.com/usn/USN-1806-1
http://www.us-cert.gov/ncas/alerts/TA13-107A US Government Resource
http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/
https://bugzilla.redhat.com/show_bug.cgi?id=920245
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641
https://twitter.com/thezdi/status/309784608508100608
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*

History

21 Nov 2024, 01:47

Type Values Removed Values Added
References () http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/ - () http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/ -
References () http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/ - () http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/ -
References () http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880 - () http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880 -
References () http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157 - () http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157 -
References () http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044 - () http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044 -
References () http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html - () http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html -
References () http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html - () http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html -
References () http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html - () http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html -
References () http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html - () http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html -
References () http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html - () http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html -
References () http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html - () http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html -
References () http://marc.info/?l=bugtraq&m=137283787217316&w=2 - () http://marc.info/?l=bugtraq&m=137283787217316&w=2 -
References () http://rhn.redhat.com/errata/RHSA-2013-0752.html - () http://rhn.redhat.com/errata/RHSA-2013-0752.html -
References () http://rhn.redhat.com/errata/RHSA-2013-0757.html - () http://rhn.redhat.com/errata/RHSA-2013-0757.html -
References () http://rhn.redhat.com/errata/RHSA-2013-0758.html - () http://rhn.redhat.com/errata/RHSA-2013-0758.html -
References () http://rhn.redhat.com/errata/RHSA-2013-1455.html - () http://rhn.redhat.com/errata/RHSA-2013-1455.html -
References () http://rhn.redhat.com/errata/RHSA-2013-1456.html - () http://rhn.redhat.com/errata/RHSA-2013-1456.html -
References () http://security.gentoo.org/glsa/glsa-201406-32.xml - () http://security.gentoo.org/glsa/glsa-201406-32.xml -
References () http://www.mandriva.com/security/advisories?name=MDVSA-2013:145 - () http://www.mandriva.com/security/advisories?name=MDVSA-2013:145 -
References () http://www.mandriva.com/security/advisories?name=MDVSA-2013:161 - () http://www.mandriva.com/security/advisories?name=MDVSA-2013:161 -
References () http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html - () http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html -
References () http://www.ubuntu.com/usn/USN-1806-1 - () http://www.ubuntu.com/usn/USN-1806-1 -
References () http://www.us-cert.gov/ncas/alerts/TA13-107A - US Government Resource () http://www.us-cert.gov/ncas/alerts/TA13-107A - US Government Resource
References () http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/ - () http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/ -
References () https://bugzilla.redhat.com/show_bug.cgi?id=920245 - () https://bugzilla.redhat.com/show_bug.cgi?id=920245 -
References () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297 - () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297 -
References () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463 - () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463 -
References () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641 - () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641 -
References () https://twitter.com/thezdi/status/309784608508100608 - () https://twitter.com/thezdi/status/309784608508100608 -
References () https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124 - () https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124 -
References () https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130 - () https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130 -

Information

Published : 2013-03-08 18:55

Updated : 2024-11-21 01:47


NVD link : CVE-2013-0401

Mitre link : CVE-2013-0401

CVE.ORG link : CVE-2013-0401


JSON object : View

Products Affected

oracle

  • jdk
  • jre
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')