CVE-2012-3174
published 2013-01-14CVE-2012-3174: Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors…
PriorityP274critical10CVSS 2.0
AVNACLAuNCCICAC
ITWVulnCheck KEV
Exploited in the wild
EPSS
4.58%
90.4th percentile
Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| opensuse | opensuse | — | — |
| oracle | jdk | — | — |
| oracle | jre | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2012-3174 involves incorrect permission checks in MethodHandles in Oracle Java 7 before Update 11 (Libraries, 8004933); details remain non-public but the fix is in the same OpenJDK commits as CVE-2013-0422 ↗
- →The fix for CVE-2012-3174 is contained in the same upstream OpenJDK7 commits as CVE-2013-0422; monitor for these changesets being absent on Java 7 < Update 11 deployments ↗
- →CVE-2012-3174 is distinct from the recursive Reflection API issue (CVE-2013-0422); do not conflate the two when writing detection logic — CVE-2012-3174 details were not public as of 2013-01-14 ↗
- →Both CVE-2012-3174 and CVE-2013-0422 were patched together in IcedTea versions 2.1.4, 2.2.4, and 2.3.4; systems running older IcedTea 2.x branches remain exposed ↗
- ·CVE-2012-3174 technical details were intentionally withheld and remain unspecified; no concrete attack vector or exploit code is publicly attributed solely to this CVE ↗
- ·IBM Java SE packages (java-1.5.0-ibm, java-1.6.0-ibm) on RHEL 5 and 6 are listed as Not Affected for CVE-2012-3174 ↗
- ·CVE-2012-3174 affects Oracle Java 7 before Update 11 only; Java 6 and older versions are not listed as affected ↗
CVSS provenance
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck10.0CRITICAL
vendor_redhat10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-xcww-3952-xr69: Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2012-3174 [CRITICAL] GHSA-xcww-3952-xr69: Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown
Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.
GHSA
GHSA-r293-6mhc-29xx: Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiat
ghsa_unreviewed·2022-05-05·CVSS 10.0
CVE-2013-0422 [CRITICAL] CWE-284 GHSA-r293-6mhc-29xx: Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiat
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recu
VulnCheck
Oracle Java 7 before Update 11 Unspecified Vulnerability
vulncheck·2012·CVSS 10.0
CVE-2012-3174 [CRITICAL] Oracle Java 7 before Update 11 Unspecified Vulnerability
Oracle Java 7 before Update 11 Unspecified Vulnerability
Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.
Affected: Oracle jdk
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2013/04/java-security-era-byo
Ubuntu
OpenJDK 7 vulnerabilities
vendor_ubuntu·2013-01-16
CVE-2012-3174 OpenJDK 7 vulnerabilities
Title: OpenJDK 7 vulnerabilities
Summary: OpenJDK 7 could be made to crash or run programs as your login if it
opened a specially crafted Java applet.
It was discovered that OpenJDK 7's security mechanism could be bypassed via
Java applets. If a user were tricked into opening a malicious website, a
remote attacker could exploit this to perform arbitrary code execution as
the user invoking the program.
Instructions: After a standard system update you need to restart your browser to make all
the necessary changes.
Red Hat
OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
vendor_redhat·2013-01-13·CVSS 10.0
CVE-2012-3174 [CRITICAL] OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 6) - Not affected
Package: java-1.6.0-ibm (Red Hat Enterprise Linux 6) -
Red Hat
OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
vendor_redhat·2013-01-10·CVSS 10.0
CVE-2013-0422 [CRITICAL] OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a differen
No detection rules found.
Bugzilla
CVE-2013-0422 CVE-2012-3174 java-1.7.0-openjdk various flaws [fedora-all]
bugzilla·2013-01-14·CVSS 10.0
CVE-2013-0422 [CRITICAL] CVE-2013-0422 CVE-2012-3174 java-1.7.0-openjdk various flaws [fedora-all]
CVE-2013-0422 CVE-2012-3174 java-1.7.0-openjdk various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects
Bugzilla
CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
bugzilla·2013-01-14·CVSS 10.0
CVE-2012-3174 [CRITICAL] CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
Oracle Java SE 7 Update 11 resolves CVE-2012-3174, an unknown flaw that allows for remote arbitrary code execution, related to CVE-2013-0422 (bug 894172).
External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Discussion:
Created java-1.7.0-openjdk tracking bugs for this issue
Affects: fedora-all [bug 895035]
---
Related commits in upstream OpenJDK7 repositories:
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/ecc14534318c
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/d9969a953f69
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2013
Bugzilla
CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
bugzilla·2013-01-10·CVSS 9.8
CVE-2013-0422 [CRITICAL] CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
CERT VU#625617 [1] describes a flaw in Java 7 Update 10 and earlier, which contains an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
This is currently being exploited in the wild and is reported to be incorporated into exploit kits. It is recommended that all users disable the java browser plugin in their browsers.
[1] http://www.kb.cert.org/vuls/id/625617
Other references:
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Discussion:
Common Vulnerabilities and Exposures assigned an identifier to
the
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0156.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0165.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2013:095http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.htmlhttp://www.ubuntu.com/usn/USN-1693-1https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0156.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0165.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2013:095http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.htmlhttp://www.ubuntu.com/usn/USN-1693-1https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
2013-01-14
Published
Exploited in the wild