CVE-2013-2423
LOW · KEV · RANSOMWARE
Oracle JRE - Improper Access Control
Title source: ruleDescription
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
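The description bounds the affected runtime as Java SE 7 Update 17 and earlier, and `java -version` is the quickest way to triage a host against that bound. The following is an added example, not code from the page, from Oracle or from the exploit authors listed below; it assumes the update number in a `1.7.0_NN` version string is the right comparison key and that OpenJDK 7 builds (which the description names without an update bound) can be treated the same way, with the caveat that distribution-patched builds may carry a backported fix without a higher update number, so a package-level check is still needed for those. The sample `java -version` outputs are constructed for the example.

```python
import re
import subprocess
from typing import Optional, Tuple

# Bound taken from the advisory text: Java SE 7 Update 17 and earlier.
AFFECTED_MAJOR = 7
LAST_AFFECTED_UPDATE = 17

# `java -version` prints either 'java version "..."' (Oracle and older
# OpenJDK) or 'openjdk version "..."' (newer OpenJDK builds).
_VERSION_LINE_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')

# Constructed sample outputs, in the format `java -version` writes to stderr.
SAMPLE_OUTPUTS = {
    "oracle_7u17": (
        'java version "1.7.0_17"\n'
        'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)\n'
        'Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)\n'
    ),
    "oracle_7u21": (
        'java version "1.7.0_21"\n'
        'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n'
        'Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)\n'
    ),
    "openjdk_7u9": (
        'java version "1.7.0_09"\n'
        'OpenJDK Runtime Environment (IcedTea7 2.3.3) (7u9-2.3.3-0ubuntu1~12.10.1)\n'
        'OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)\n'
    ),
    "java_11": (
        'openjdk version "11.0.2" 2019-01-15\n'
        'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n'
    ),
}


def parse_java_version(version: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for legacy strings like '1.7.0_17'.

    A missing update suffix counts as update 0. Strings that do not use the
    1.x scheme (Java 9 and later) return None; they are outside this CVE.
    """
    m = re.match(r"^1\.(\d+)\.\d+(?:_(\d+))?", version.strip())
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(version: str) -> bool:
    """True when the version falls in the advisory's range (7u17 and earlier)."""
    parsed = parse_java_version(version)
    if parsed is None:
        return False
    major, update = parsed
    return major == AFFECTED_MAJOR and update <= LAST_AFFECTED_UPDATE


def version_from_output(output: str) -> Optional[str]:
    """Pull the quoted version string out of `java -version` output."""
    m = _VERSION_LINE_RE.search(output)
    return m.group(1) if m else None


def triage(output: str) -> Optional[bool]:
    """Classify one `java -version` output: True/False, or None if unparseable."""
    version = version_from_output(output)
    if version is None:
        return None
    return is_affected(version)


def check_installed() -> Optional[bool]:
    """Run the local `java -version` and triage it (None if java is absent)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    # The version banner goes to stderr; include stdout in case a wrapper moves it.
    return triage(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, out in SAMPLE_OUTPUTS.items():
        print(f"{name}: affected={triage(out)}")
    print(f"local java: affected={check_installed()}")
```

Only the `oracle_7u17` and `openjdk_7u9` samples are flagged; `oracle_7u21` is the first April 2013 CPU build and Java 11 is outside the 1.x scheme entirely. For the OpenJDK case, confirm against the distribution's package version (the Ubuntu 12.10 and openSUSE 12.3 entries under Products) before closing the finding.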
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/24976
metasploit
WORKING POC
EXCELLENT
by Jeroen Frijters, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_jre17_reflection_types.rb
References (17)
Scores
CVSS v3
3.7
EPSS
0.9340
EPSS Percentile
99.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CISA KEV
2022-05-25
VulnCheck KEV
2013-05-20
InTheWild.io
2014-02-21
ENISA EUVD
EUVD-2013-2369
Ransomware Use
Confirmed
CWE
CWE-284
Status
published
Products (3)
canonical/ubuntu_linux
12.10
opensuse/opensuse
12.3
oracle/jre
1.7.0 (13 CPE variants)
Published
Apr 17, 2013
KEV Added
May 25, 2022
Tracked Since
Feb 18, 2026