CVE-2013-0401

08.03.2013, 18:55

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013.  NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:C/I:C/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 93%

Affected Products (NVD)

Vendor	Product	Version
oracle	jdk	1.7.0
oracle	jre	1.7.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

openjdk-6

hardy	ignored
lucid	Fixed 6b27-1.12.5-0ubuntu0.10.04.1 released
oneiric	Fixed 6b27-1.12.5-0ubuntu0.11.10.1 released
precise	Fixed 6b27-1.12.5-0ubuntu0.12.04.1 released
quantal	Fixed 6b27-1.12.5-0ubuntu0.12.10.1 released
raring	Fixed 6b27-1.12.5-1ubuntu1 released

openjdk-7

hardy	dne
lucid	dne
oneiric	Fixed 7u21-2.3.9-0ubuntu0.11.10.1 released
precise	Fixed 7u21-2.3.9-0ubuntu0.12.04.1 released
quantal	Fixed 7u21-2.3.9-0ubuntu0.12.10.1 released
raring	Fixed 7u21-2.3.9-1ubuntu1 released

openSUSE / SLES Releases

openSUSE Product

Release

java-1_7_0-openjdk

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-demo

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-devel

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

java-1_7_0-openjdk-headless

suse enterprise sap 12 SP5	1.7.0.231-43.27.2 fixed
suse enterprise server 12 SP2	1.7.0.111-33.1 fixed
suse enterprise server 12 SP5	1.7.0.231-43.27.2 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

java-1.5.0-ibm

RHEL 6

1:1.5.0.16.2-1jpp.1.el6_4

fixed

java-1.5.0-ibm-demo

RHEL 6

1:1.5.0.16.2-1jpp.1.el6_4

fixed

java-1.5.0-ibm-devel

RHEL 6

1:1.5.0.16.2-1jpp.1.el6_4

fixed

java-1.5.0-ibm-javacomm

RHEL 6

1:1.5.0.16.2-1jpp.1.el6_4

fixed

java-1.5.0-ibm-jdbc

RHEL 6

1:1.5.0.16.2-1jpp.1.el6_4

fixed

java-1.5.0-ibm-plugin

RHEL 6

1:1.5.0.16.2-1jpp.1.el6_4

fixed

java-1.5.0-ibm-src

RHEL 6

1:1.5.0.16.2-1jpp.1.el6_4

fixed

java-1.6.0-ibm

RHEL 6

1:1.6.0.13.2-1jpp.1.el6_4

fixed

java-1.6.0-ibm-demo

RHEL 6

1:1.6.0.13.2-1jpp.1.el6_4

fixed

java-1.6.0-ibm-devel

RHEL 6

1:1.6.0.13.2-1jpp.1.el6_4

fixed

java-1.6.0-ibm-javacomm

RHEL 6

1:1.6.0.13.2-1jpp.1.el6_4

fixed

java-1.6.0-ibm-jdbc

RHEL 6

1:1.6.0.13.2-1jpp.1.el6_4

fixed

java-1.6.0-ibm-plugin

RHEL 6

1:1.6.0.13.2-1jpp.1.el6_4

fixed

java-1.6.0-ibm-src

RHEL 6

1:1.6.0.13.2-1jpp.1.el6_4

fixed

java-1.6.0-openjdk

RHEL 6

1:1.6.0.0-1.61.1.11.11.el6_4

fixed

java-1.6.0-openjdk-demo

RHEL 6

1:1.6.0.0-1.61.1.11.11.el6_4

fixed

java-1.6.0-openjdk-devel

RHEL 6

1:1.6.0.0-1.61.1.11.11.el6_4

fixed

java-1.6.0-openjdk-javadoc

RHEL 6

1:1.6.0.0-1.61.1.11.11.el6_4

fixed

java-1.6.0-openjdk-src

RHEL 6

1:1.6.0.0-1.61.1.11.11.el6_4

fixed

java-1.6.0-sun

RHEL 6

1:1.6.0.45-1jpp.1.el6

fixed

java-1.6.0-sun-demo

RHEL 6

1:1.6.0.45-1jpp.1.el6

fixed

java-1.6.0-sun-devel

RHEL 6

1:1.6.0.45-1jpp.1.el6

fixed

java-1.6.0-sun-jdbc

RHEL 6

1:1.6.0.45-1jpp.1.el6

fixed

java-1.6.0-sun-plugin

RHEL 6

1:1.6.0.45-1jpp.1.el6

fixed

java-1.6.0-sun-src

RHEL 6

1:1.6.0.45-1jpp.1.el6

fixed

java-1.7.0-ibm

RHEL 6

1:1.7.0.4.2-1jpp.1.el6_4

fixed

java-1.7.0-ibm-demo

RHEL 6

1:1.7.0.4.2-1jpp.1.el6_4

fixed

java-1.7.0-ibm-devel

RHEL 6

1:1.7.0.4.2-1jpp.1.el6_4

fixed

java-1.7.0-ibm-jdbc

RHEL 6

1:1.7.0.4.2-1jpp.1.el6_4

fixed

java-1.7.0-ibm-plugin

RHEL 6

1:1.7.0.4.2-1jpp.1.el6_4

fixed

java-1.7.0-ibm-src

RHEL 6

1:1.7.0.4.2-1jpp.1.el6_4

fixed

java-1.7.0-openjdk

RHEL 6

1:1.7.0.19-2.3.9.1.el6_4

fixed

java-1.7.0-openjdk-demo

RHEL 6

1:1.7.0.19-2.3.9.1.el6_4

fixed

java-1.7.0-openjdk-devel

RHEL 6

1:1.7.0.19-2.3.9.1.el6_4

fixed

java-1.7.0-openjdk-javadoc

RHEL 6

1:1.7.0.19-2.3.9.1.el6_4

fixed

java-1.7.0-openjdk-src

RHEL 6

1:1.7.0.19-2.3.9.1.el6_4

fixed

java-1.7.0-oracle

RHEL 6

1:1.7.0.21-1jpp.1.el6

fixed

java-1.7.0-oracle-devel

RHEL 6

1:1.7.0.21-1jpp.1.el6

fixed

java-1.7.0-oracle-javafx

RHEL 6

1:1.7.0.21-1jpp.1.el6

fixed

java-1.7.0-oracle-jdbc

RHEL 6

1:1.7.0.21-1jpp.1.el6

fixed

java-1.7.0-oracle-plugin

RHEL 6

1:1.7.0.21-1jpp.1.el6

fixed

java-1.7.0-oracle-src

RHEL 6

1:1.7.0.21-1jpp.1.el6

fixed

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/

http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157

http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044

http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html

http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html

http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html

http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html

http://marc.info/?l=bugtraq&m=137283787217316&w=2

http://rhn.redhat.com/errata/RHSA-2013-0752.html

http://rhn.redhat.com/errata/RHSA-2013-0757.html

http://rhn.redhat.com/errata/RHSA-2013-0758.html

http://rhn.redhat.com/errata/RHSA-2013-1455.html

http://rhn.redhat.com/errata/RHSA-2013-1456.html

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://www.mandriva.com/security/advisories?name=MDVSA-2013:145

http://www.mandriva.com/security/advisories?name=MDVSA-2013:161

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

http://www.ubuntu.com/usn/USN-1806-1

http://www.us-cert.gov/ncas/alerts/TA13-107A

http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/

https://bugzilla.redhat.com/show_bug.cgi?id=920245

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641

https://twitter.com/thezdi/status/309784608508100608

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130

http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/

http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157

http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044

http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html

http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html

http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html

http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html

http://marc.info/?l=bugtraq&m=137283787217316&w=2

http://rhn.redhat.com/errata/RHSA-2013-0752.html

http://rhn.redhat.com/errata/RHSA-2013-0757.html

http://rhn.redhat.com/errata/RHSA-2013-0758.html

http://rhn.redhat.com/errata/RHSA-2013-1455.html

http://rhn.redhat.com/errata/RHSA-2013-1456.html

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://www.mandriva.com/security/advisories?name=MDVSA-2013:145

http://www.mandriva.com/security/advisories?name=MDVSA-2013:161

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

http://www.ubuntu.com/usn/USN-1806-1

http://www.us-cert.gov/ncas/alerts/TA13-107A

http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/

https://bugzilla.redhat.com/show_bug.cgi?id=920245

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641

https://twitter.com/thezdi/status/309784608508100608

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130