Metric | Value |
---|---|
CVSS2 base score | 10 (High) |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
CVSS2 vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
EPSS score | 0.235 (Low) |
EPSS percentile | 96.5% |
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17
and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and
OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via
vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own
competition at CanSecWest 2013. NOTE: the previous information is from the
April 2013 CPU. Oracle has not commented on claims from another vendor that
this issue is related to invocation of the system class loader by the
sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows
remote attackers to bypass Java sandbox restrictions.
Author | Note |
---|---|
jdstrand | as of 2013-04-19, IcedTea has not released 2.3.9 or 1.12.5 to fix this issue |
OS | OS version | Architecture | Package | Affected package version | Filename |
---|---|---|---|---|---|
ubuntu | 10.04 | noarch | openjdk-6 | < 6b27-1.12.5-0ubuntu0.10.04.1 | UNKNOWN |
ubuntu | 11.10 | noarch | openjdk-6 | < 6b27-1.12.5-0ubuntu0.11.10.1 | UNKNOWN |
ubuntu | 12.04 | noarch | openjdk-6 | < 6b27-1.12.5-0ubuntu0.12.04.1 | UNKNOWN |
ubuntu | 12.10 | noarch | openjdk-6 | < 6b27-1.12.5-0ubuntu0.12.10.1 | UNKNOWN |
ubuntu | 13.04 | noarch | openjdk-6 | < 6b27-1.12.5-1ubuntu1 | UNKNOWN |
ubuntu | 11.10 | noarch | openjdk-7 | < 7u21-2.3.9-0ubuntu0.11.10.1 | UNKNOWN |
ubuntu | 12.04 | noarch | openjdk-7 | < 7u21-2.3.9-0ubuntu0.12.04.1 | UNKNOWN |
ubuntu | 12.10 | noarch | openjdk-7 | < 7u21-2.3.9-0ubuntu0.12.10.1 | UNKNOWN |
ubuntu | 13.04 | noarch | openjdk-7 | < 7u21-2.3.9-1ubuntu1 | UNKNOWN |
h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/
launchpad.net/bugs/cve/CVE-2013-0401
nvd.nist.gov/vuln/detail/CVE-2013-0401
security-tracker.debian.org/tracker/CVE-2013-0401
twitter.com/thezdi/status/309784608508100608
ubuntu.com/security/notices/USN-1806-1
ubuntu.com/security/notices/USN-1819-1
www.cve.org/CVERecord?id=CVE-2013-0401