CVE-2013-2423

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot.  NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
oracleCNA
---
---
CVEADP
---
---
CISA-ADPADP
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
oraclejre
1.7.0
canonicalubuntu_linux
12.10
opensuseopensuse
12.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icedtea-web
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
not-affected
lucid
not-affected
hardy
dne
openjdk-6
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
not-affected
lucid
not-affected
hardy
ignored
openjdk-6b18
raring
dne
quantal
dne
precise
dne
oneiric
ignored
lucid
ignored
hardy
dne
openjdk-7
raring
Fixed 7u21-2.3.9-1ubuntu1
released
quantal
Fixed 7u21-2.3.9-0ubuntu0.12.10.1
released
precise
Fixed 7u21-2.3.9-0ubuntu0.12.04.1
released
oneiric
Fixed 7u21-2.3.9-0ubuntu0.11.10.1
released
lucid
dne
hardy
dne
Common Weakness Enumeration
References
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
http://rhn.redhat.com/errata/RHSA-2013-0752.html
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0
http://www.exploit-db.com/exploits/24976
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.ubuntu.com/usn/USN-1806-1
http://www.us-cert.gov/ncas/alerts/TA13-107A
https://bugzilla.redhat.com/show_bug.cgi?id=952398
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
http://rhn.redhat.com/errata/RHSA-2013-0752.html
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0
http://www.exploit-db.com/exploits/24976
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.ubuntu.com/usn/USN-1806-1
http://www.us-cert.gov/ncas/alerts/TA13-107A
https://bugzilla.redhat.com/show_bug.cgi?id=952398
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130