CVE-2013-2423

EUVD-2013-2369
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot.  NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA-ADPADP
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
canonicalubuntu_linux
12.10
opensuseopensuse
12.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icedtea-web
hardy
dne
lucid
not-affected
oneiric
not-affected
precise
not-affected
quantal
not-affected
raring
not-affected
openjdk-6
hardy
ignored
lucid
not-affected
oneiric
not-affected
precise
not-affected
quantal
not-affected
raring
not-affected
openjdk-6b18
hardy
dne
lucid
ignored
oneiric
ignored
precise
dne
quantal
dne
raring
dne
openjdk-7
hardy
dne
lucid
dne
oneiric
Fixed 7u21-2.3.9-0ubuntu0.11.10.1
released
precise
Fixed 7u21-2.3.9-0ubuntu0.12.04.1
released
quantal
Fixed 7u21-2.3.9-0ubuntu0.12.10.1
released
raring
Fixed 7u21-2.3.9-1ubuntu1
released
Common Weakness Enumeration
References
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
http://rhn.redhat.com/errata/RHSA-2013-0752.html
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0
http://www.exploit-db.com/exploits/24976
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.ubuntu.com/usn/USN-1806-1
http://www.us-cert.gov/ncas/alerts/TA13-107A
https://bugzilla.redhat.com/show_bug.cgi?id=952398
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
http://rhn.redhat.com/errata/RHSA-2013-0752.html
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0
http://www.exploit-db.com/exploits/24976
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.ubuntu.com/usn/USN-1806-1
http://www.us-cert.gov/ncas/alerts/TA13-107A
https://bugzilla.redhat.com/show_bug.cgi?id=952398
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2423