CVE-2012-4681
published 2012-08-28

Priority: P1 · 97 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 98.54% (99.9th percentile)
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

Affected

10 ranges

Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux | |
opensuse | opensuse | |
oracle | jdk | |
oracle | jdk | |
oracle | jre | |
oracle | jre | |
redhat | enterprise_linux_desktop | |
redhat | enterprise_linux_eus | |
redhat | enterprise_linux_server | |
redhat | enterprise_linux_workstation | |

Detection & IOCs (extracted from sources)

filename: Gondzz
filename: Gondvv
sigma: Snort SID 24020-24028, 24036-24038 (CVE-2012-4681 Java exploit coverage)
snort: SID 24020, 24021, 24022, 24023, 24024, 24025, 24026, 24027, 24028, 24036, 24037, 24038
yara: JAVA.Exploit.Agent
yara: JAVA.Exploit.Agent-1
yara: JAVA.Exploit.Agent-2
yara: WIN.Trojan.Agent-131

  • Exploit targets Java 7 Update 0 through 6; passive detection of vulnerable Java versions on the wire can pre-emptively flag at-risk hosts
  • Presence of class files named 'Gondzz' and 'Gondvv' in Java archive payloads is a strong indicator of CVE-2012-4681 exploitation linked to the Gondad Exploit Kit
  • The exploit does not affect Java 6 and below; only Java 7 Update 0 through 6 are vulnerable
  • Initial reports that Google Chrome was not affected were partially contradicted; a Metasploit module was developed that successfully deploys the exploit against Chrome on Windows XP
  • The exploit is platform-independent and has been confirmed to work on Windows, OS X (Safari), and Linux (Firefox on Ubuntu)
  • The BlackHole exploit kit incorporated this Java zero-day, significantly increasing its success rate to approximately double the normal rate (~21%)

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |
vendor_redhat | | 10.0 | CRITICAL |