⚠ Actively exploited

Added to CISA KEV on 2022-05-25. Federal agencies required to patch by 2022-06-15. Required action: Apply updates per vendor instructions..

CVE-2010-0840 — Oracle JRE vulnerability

12 documents11 sources

Severity

9.8CRITICALNVD

EPSS

92.1%

top 0.29%

CISA KEV

KEV

Added 2022-05-25

Due 2022-06-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Canonical Ubuntu Linux Opensuse Oracle JRE +5 more

Timeline

PublishedApr 1

KEV addedMay 25

KEV dueJun 15

CISA Required Action: Apply updates per vendor instructions.

Description

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

▶NVDoracle/jre1.4.2_25, 1.5.0, 1.6.0+2

▶vmwarevmware/esxi

▶NVDopensuse/opensuse11.0, 11.1, 11.2+2

▶vmwarevmware/vmware_tools

▶vmwarevmware/vmware_vsphere

Also affects: Ubuntu Linux 8.04, 8.10, 9.04, 9.10

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-8rrv-3xx7-wmfc: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5↗2022-05-02

▶

VulnCheck

Oracle JRE Unspecified Vulnerability↗2010

▶

💥Exploits & PoCs

Exploit-DB

Java - 'Statement.invoke()' Trusted Method Chain (Metasploit)↗2010-12-15

▶

Metasploit

Java Statement.invoke() Trusted Method Chain Privilege Escalation↗

▶

📋Vendor Advisories

CISA

Oracle JRE Unspecified Vulnerability↗2022-05-25

▶

VMware

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX↗2011-02-10

▶

Ubuntu

OpenJDK vulnerabilities↗2010-04-07

▶

Red Hat

OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)↗2010-03-30

▶

🕵️Threat Intelligence

Securelist

Investigation Report for the September 2014 Equation malware detection incident in the US↗2017-11-16

▶

Securelist

Investigation Report for the September 2014 Equation malware detection incident in the US↗2017-11-16

▶

💬Community

Bugzilla

CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)↗2010-03-22

▶