Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArch LinuxASA-201604-2
HistoryApr 01, 2016 - 12:00 a.m.

jre7-openjdk: sandbox escape

2016-04-0100:00:00
Arch Linux
lists.archlinux.org
29

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.039 Low

EPSS

Percentile

91.0%

JSON

It was discovered that the security fix for CVE-2013-5838 was incomplete
and still allowed remote attackers to escape the Java security sandbox
mechanism.
The root problem is that the Reflection API does not properly guarantee
type safety when Method Handle objects were invoked across two different
Class Loader namespaces.
A part of the original patch was to use the "loadersAreRelated()" method
to ensure that the two Class Loaders are related, which is a condition
for correct type safety.
However, this condition could be easily fulfilled by abusing certain
behaviors in the class loading process, which could allow an attacker
to bypass the type safety checks and ultimately escape the security
sandbox mechanism.

OSVersionArchitecturePackageVersionFilename
anyanyanyjre7-openjdk< 7.u99_2.6.5-1UNKNOWN

Related

archlinux 5
checkpoint_advisories 1
threatpost 2
cvelist 2
prion 2
ubuntucve 2
symantec 1
veracode 2
cve 2
openvas 44
nessus 54
oraclelinux 6
redhat 10
suse 11
mageia 2
centos 6
ubuntu 1
ibm 19
debiancve 1
cisa 1
amazon 2
kaspersky 2
f5 4
osv 1
debian 2
gentoo 3
aix 1
securityvulns 1
oracle 2
archlinux
archlinux
jdk7-openjdk: sandbox escape
2016-04-01 00:00:00
jre8-openjdk-headless: sandbox escape
2016-03-29 00:00:00
jre7-openjdk-headless: sandbox escape
2016-04-01 00:00:00
checkpoint_advisories
checkpoint_advisories
Oracle Java SE Security Sandbox Escape (CVE-2013-5838; CVE-2016-0636)
2016-03-27 00:00:00
threatpost
threatpost
Emergency Java Patch Re-Issued for 2013 Vulnerability
2016-03-24 12:05:59
Broken 2013 Java Patch Leads to Sandbox Bypass
2016-03-14 09:24:46
cvelist
cvelist
CVE-2013-5838
2013-10-16 17:31:00
CVE-2016-0636
2016-03-24 18:00:00
prion
prion
Buffer overflow
2013-10-16 17:55:00
Buffer overflow
2016-03-24 18:59:00
ubuntucve
ubuntucve
CVE-2013-5838
2013-10-16 00:00:00
CVE-2016-0636
2016-03-23 00:00:00
symantec
symantec
Oracle Java SE CVE-2013-5838 Remote Security Vulnerability
2013-10-15 00:00:00
veracode
veracode
Arbitrary Code Execution
2019-05-02 04:54:24
Sandbox Restrictions Bypass
2019-01-15 09:10:40
cve
cve
CVE-2013-5838
2013-10-16 17:55:05
CVE-2016-0636
2016-03-24 18:59:00
openvas
openvas
Oracle Java SE JRE Multiple Unspecified Vulnerabilities-03 (Oct 2013) - Windows
2013-10-25 00:00:00
CentOS Update for java CESA-2016:0513 centos7
2016-03-25 00:00:00
Mageia: Security Advisory (MGASA-2016-0130)
2016-05-09 00:00:00
nessus
nessus
openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-432)
2016-04-13 00:00:00
openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-444)
2016-04-13 00:00:00
Oracle Java SE Hotspot JSR 292 Method Handles RCE
2016-05-02 00:00:00
oraclelinux
oraclelinux
java-1.7.0-openjdk security update
2016-03-24 00:00:00
java-1.7.0-openjdk security update
2016-03-24 00:00:00
java-1.8.0-openjdk security update
2016-03-24 00:00:00
redhat
redhat
(RHSA-2016:0512) Important: java-1.7.0-openjdk security update
2016-03-24 00:00:00
(RHSA-2016:0511) Critical: java-1.7.0-openjdk security update
2016-03-24 00:00:00
(RHSA-2016:0513) Critical: java-1.8.0-openjdk security update
2016-03-24 22:59:11
suse
suse
Security update for java-1_7_0-openjdk (important)
2016-04-11 21:07:36
Security update for java-1_7_0-openjdk (important)
2016-04-05 18:08:42
Security update for java-1_7_0-openjdk (important)
2016-04-05 18:07:50
mageia
mageia
Updated java packages fix CVE-2016-0636
2016-04-06 17:09:53
Updated java-1.7.0-openjdk package fixes security vulnerabilities
2013-11-13 23:03:04
centos
centos
java security update
2016-03-25 03:44:42
java security update
2016-03-25 04:16:25
java security update
2016-03-25 03:42:05
ubuntu
ubuntu
OpenJDK 7 vulnerability
2016-03-24 00:00:00
ibm
ibm
Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0636)
2018-06-18 00:32:43
Security Bulletin:Multiple vulnerabilities in IBM JRE affect IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC(CVE-2016-4003)
2018-06-18 01:32:23
Security Bulletin: Vulnerabilities in IBM Java Runtime affects CICS Transaction Gateway (CVE-2016-0363 and CVE-2016-0636).
2018-06-15 07:05:37
debiancve
debiancve
CVE-2016-0636
2016-03-24 18:59:00
cisa
cisa
Oracle Releases Security Update for Java SE
2016-03-24 00:00:00
amazon
amazon
Critical: java-1.8.0-openjdk, java-1.7.0-openjdk
2016-03-29 15:30:00
Critical: java-1.7.0-openjdk
2013-10-23 15:22:00
kaspersky
kaspersky
KLA10775 An unknown vulnerability in Oracle Java SE
2016-03-23 00:00:00
KLA10492 Multiple vulnerabilities in Oracle products
2013-10-16 00:00:00
f5
f5
K77535578 : Multiple Java SE client-side vulnerabilities
2016-05-26 00:00:00
SOL77535578 - Multiple Java SE client-side vulnerabilities
2016-05-26 00:00:00
SOL61971428 - Multiple Java vulnerabilities
2016-05-23 00:00:00
osv
osv
openjdk-7 - security update
2016-04-26 00:00:00
debian
debian
[SECURITY] [DSA 3558-1] openjdk-7 security update
2016-04-26 20:25:31
[SECURITY] [DLA 451-1] openjdk-7 security update
2016-05-03 10:37:58
gentoo
gentoo
IcedTea: Multiple vulnerabilities
2016-06-27 00:00:00
Oracle JRE/JDK: Multiple vulnerabilities
2016-10-15 00:00:00
Oracle JRE/JDK: Multiple vulnerabilities
2014-01-27 00:00:00
aix
aix
Multiple Java vulnerabilities
2013-12-11 10:53:34
securityvulns
securityvulns
Oracle / Sun / MySQL / PeopleSoft applications multiple security vulnerabilities
2013-12-09 00:00:00
oracle
oracle
Oracle Critical Patch Update - October 2013
2013-10-15 00:00:00
Oracle Critical Patch Update Advisory - April 2016
2016-04-19 00:00:00

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.039 Low

EPSS

Percentile

91.0%

JSON
Related for ASA-201604-2
archlinux5checkpoint_advisories1threatpost2cvelist2prion2ubuntucve2symantec1veracode2cve2openvas44nessus54oraclelinux6redhat10suse11mageia2centos6ubuntu1ibm19debiancve1cisa1amazon2kaspersky2f54osv1debian2gentoo3aix1securityvulns1oracle2