Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArch LinuxASA-201603-25
HistoryMar 29, 2016 - 12:00 a.m.

jdk8-openjdk: sandbox escape

2016-03-2900:00:00
Arch Linux
lists.archlinux.org
48

0.036 Low

EPSS

Percentile

91.8%

JSON

It was discovered that the security fix for CVE-2013-5838 was incomplete
and still allowed remote attackers to escape the Java security sandbox
mechanism.
The root problem is that the Reflection API does not properly guarantee
type safety when Method Handle objects were invoked across two different
Class Loader namespaces.
A part of the original patch was to use the "loadersAreRelated()" method
to ensure that the two Class Loaders are related, which is a condition
for correct type safety.
However, this condition could be easily fulfilled by abusing certain
behaviors in the class loading process, which could allow an attacker
to bypass the type safety checks and ultimately escape the security
sandbox mechanism.

OSVersionArchitecturePackageVersionFilename
anyanyanyjdk8-openjdk< 8.u77-1UNKNOWN

Related

archlinux 5
threatpost 2
checkpoint_advisories 1
cvelist 2
ubuntucve 2
prion 2
redhat 10
oraclelinux 6
nessus 54
suse 11
openvas 44
centos 6
debiancve 1
ibm 19
nvd 2
symantec 1
ubuntu 1
mageia 2
cve 2
kaspersky 2
cisa 1
veracode 2
amazon 2
osv 1
f5 4
debian 2
gentoo 3
aix 1
securityvulns 1
oracle 2
archlinux
archlinux
jdk7-openjdk: sandbox escape
2016-04-01 00:00:00
jre7-openjdk: sandbox escape
2016-04-01 00:00:00
jre8-openjdk: sandbox escape
2016-03-29 00:00:00
threatpost
threatpost
Emergency Java Patch Re-Issued for 2013 Vulnerability
2016-03-24 12:05:59
Broken 2013 Java Patch Leads to Sandbox Bypass
2016-03-14 09:24:46
checkpoint_advisories
checkpoint_advisories
Oracle Java SE Security Sandbox Escape (CVE-2013-5838; CVE-2016-0636)
2016-03-27 00:00:00
cvelist
cvelist
CVE-2013-5838
2013-10-16 17:31:00
CVE-2016-0636
2016-03-24 18:00:00
ubuntucve
ubuntucve
CVE-2013-5838
2013-10-16 00:00:00
CVE-2016-0636
2016-03-23 00:00:00
prion
prion
Buffer overflow
2013-10-16 17:55:00
Buffer overflow
2016-03-24 18:59:00
redhat
redhat
(RHSA-2016:0515) Critical: java-1.7.0-oracle security update
2016-03-24 22:59:46
(RHSA-2016:0514) Important: java-1.8.0-openjdk security update
2016-03-24 00:00:00
(RHSA-2016:0516) Critical: java-1.8.0-oracle security update
2016-03-24 23:01:33
oraclelinux
oraclelinux
java-1.8.0-openjdk security update
2016-03-24 00:00:00
java-1.7.0-openjdk security update
2016-03-24 00:00:00
java-1.8.0-openjdk security update
2016-03-24 00:00:00
nessus
nessus
RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2016:0516)
2016-03-25 00:00:00
Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20160325)
2016-03-28 00:00:00
openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-443)
2016-04-13 00:00:00
suse
suse
Security update for java-1_8_0-openjdk (important)
2016-04-05 18:08:06
Security update for java-1_7_0-openjdk (important)
2016-04-07 15:08:01
Security update for java-1_7_0-openjdk (important)
2016-04-05 18:07:50
openvas
openvas
openSUSE: Security Advisory for java-1_8_0-openjdk (openSUSE-SU-2016:1005-1)
2016-04-12 00:00:00
Oracle: Security Advisory (ELSA-2016-0513)
2016-03-31 00:00:00
openSUSE: Security Advisory for java-1_7_0-openjdk (openSUSE-SU-2016:1004-1)
2016-04-12 00:00:00
centos
centos
java security update
2016-03-25 03:42:05
java security update
2016-03-25 04:16:25
java security update
2016-03-25 03:44:42
debiancve
debiancve
CVE-2016-0636
2016-03-24 18:59:00
ibm
ibm
Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0636)
2018-06-18 00:32:43
Security Bulletin:Multiple vulnerabilities in IBM JRE affect IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC(CVE-2016-4003)
2018-06-18 01:32:23
Security Bulletin: Vulnerabilities in IBM Java Runtime affects CICS Transaction Gateway (CVE-2016-0363 and CVE-2016-0636).
2018-06-15 07:05:37
nvd
nvd
CVE-2016-0636
2016-03-24 18:59:00
CVE-2013-5838
2013-10-16 17:55:05
symantec
symantec
Oracle Java SE CVE-2013-5838 Remote Security Vulnerability
2013-10-15 00:00:00
ubuntu
ubuntu
OpenJDK 7 vulnerability
2016-03-24 00:00:00
mageia
mageia
Updated java packages fix CVE-2016-0636
2016-04-06 17:09:53
Updated java-1.7.0-openjdk package fixes security vulnerabilities
2013-11-13 23:03:04
cve
cve
CVE-2016-0636
2016-03-24 18:59:00
CVE-2013-5838
2013-10-16 17:55:05
kaspersky
kaspersky
KLA10775 An unknown vulnerability in Oracle Java SE
2016-03-23 00:00:00
KLA10492 Multiple vulnerabilities in Oracle products
2013-10-16 00:00:00
cisa
cisa
Oracle Releases Security Update for Java SE
2016-03-24 00:00:00
veracode
veracode
Sandbox Restrictions Bypass
2019-01-15 09:10:40
Arbitrary Code Execution
2019-05-02 04:54:24
amazon
amazon
Critical: java-1.8.0-openjdk, java-1.7.0-openjdk
2016-03-29 15:30:00
Critical: java-1.7.0-openjdk
2013-10-23 15:22:00
osv
osv
openjdk-7 - security update
2016-04-26 00:00:00
f5
f5
K77535578 : Multiple Java SE client-side vulnerabilities
2016-05-26 00:00:00
SOL77535578 - Multiple Java SE client-side vulnerabilities
2016-05-26 00:00:00
SOL61971428 - Multiple Java vulnerabilities
2016-05-23 00:00:00
debian
debian
[SECURITY] [DLA 451-1] openjdk-7 security update
2016-05-03 10:37:41
[SECURITY] [DSA 3558-1] openjdk-7 security update
2016-04-26 20:25:06
gentoo
gentoo
IcedTea: Multiple vulnerabilities
2016-06-27 00:00:00
Oracle JRE/JDK: Multiple vulnerabilities
2016-10-15 00:00:00
Oracle JRE/JDK: Multiple vulnerabilities
2014-01-27 00:00:00
aix
aix
Multiple Java vulnerabilities
2013-12-11 10:53:34
securityvulns
securityvulns
Oracle / Sun / MySQL / PeopleSoft applications multiple security vulnerabilities
2013-12-09 00:00:00
oracle
oracle
Oracle Critical Patch Update - October 2013
2013-10-15 00:00:00
Oracle Critical Patch Update Advisory - April 2016
2016-04-19 00:00:00

0.036 Low

EPSS

Percentile

91.8%

JSON
Related for ASA-201603-25
archlinux5threatpost2checkpoint_advisories1cvelist2ubuntucve2prion2redhat10oraclelinux6nessus54suse11openvas44centos6debiancve1ibm19nvd2symantec1ubuntu1mageia2cve2kaspersky2cisa1veracode2amazon2osv1f54debian2gentoo3aix1securityvulns1oracle2