Metric | Value |
---|---|
CVSS2 Score | 10 High |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
CVSS2 Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
EPSS | 0.094 Low |
EPSS Percentile | 94.6% |

Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote
attackers to affect confidentiality, integrity, and availability via
unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some
parties have mapped CVE-2012-3174 to an issue involving recursive use of
the Reflection API, but that issue is already covered as part of
CVE-2013-0422. This identifier is for a different vulnerability whose
details are not public as of 20130114.
Author | Note |
---|---|
jdstrand | Like with CVE-2013-0422, exploit code does not work with OpenJDK at this time. Users are advised to disable and/or uninstall the IcedTea plugin (regardless of version) as a precaution unless its use is strictly required. Fixed in IcedTea 2.2.3 and 2.3.4. |
blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
www.kb.cert.org/vuls/id/625617
www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
blogs.oracle.com/security/entry/security_alert_for_cve_2013
launchpad.net/bugs/cve/CVE-2012-3174
nvd.nist.gov/vuln/detail/CVE-2012-3174
security-tracker.debian.org/tracker/CVE-2012-3174
threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
ubuntu.com/security/notices/USN-1693-1
www.cve.org/CVERecord?id=CVE-2012-3174