CVE-2012-4681
published 2012-08-28
Priority: P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 98.54% (99.9th percentile)
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| opensuse | opensuse | — | — |
| oracle | jdk | — | — |
| oracle | jdk | — | — |
| oracle | jre | — | — |
| oracle | jre | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_eus | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs
- sigma: Snort SID 24020-24028, 24036-24038 (CVE-2012-4681 Java exploit coverage)
- snort: SID 24020, 24021, 24022, 24023, 24024, 24025, 24026, 24027, 24028, 24036, 24037, 24038
- yara: JAVA.Exploit.Agent, JAVA.Exploit.Agent-1, JAVA.Exploit.Agent-2, WIN.Trojan.Agent-131
- Exploit targets Java 7 Update 0 through 6; passive detection of vulnerable Java versions on the wire can pre-emptively flag at-risk hosts
- Presence of class files named 'Gondzz' and 'Gondvv' in Java archive payloads is a strong indicator of CVE-2012-4681 exploitation linked to the Gondad Exploit Kit
- The exploit does not affect Java 6 and below; only Java 7 Update 0 through 6 are vulnerable
- Initial reports that Google Chrome was not affected were partially contradicted; a Metasploit module was developed that successfully deploys the exploit against Chrome on Windows XP
- The exploit is platform-independent and has been confirmed to work on Windows, OS X (Safari), and Linux (Firefox on Ubuntu)
- The BlackHole exploit kit incorporated this Java zero-day, significantly increasing its success rate to approximately double the normal rate (~21%)
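CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |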
GHSA
GHSA-fw99-8m5g-58p8: Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute ar
ghsa_unreviewed·2022-05-14
CVE-2012-4681 [HIGH] CWE-284 GHSA-fw99-8m5g-58p8: Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute ar
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
GHSA
GHSA-r293-6mhc-29xx: Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiat
ghsa_unreviewed·2022-05-05·CVSS 10.0
CVE-2013-0422 [CRITICAL] CWE-284 GHSA-r293-6mhc-29xx: Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiat
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recu
VulnCheck
Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability
vulncheck·2012·CVSS 9.8
CVE-2012-4681 [CRITICAL] Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability
The Java Runtime Environment (JRE) component in Oracle Java SE allows for remote code execution.
Affected: Oracle Java SE
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2012-4681; https://cisa.gov/news-events/alerts/2012/08/27/oracle-java-7-security-manager-bypass-vulnerability; https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf; https://securelist.com/the-epic-turla-operation/65545/; https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf; https://go.recordedfuture.com/hubfs/repor
CISA
Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability
cisa·2022-03-03·CVSS 9.8
CVE-2012-4681 [CRITICAL] Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability
Vulnerability: Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability
Affected: Oracle Java SE
The Java Runtime Environment (JRE) component in Oracle Java SE allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-4681
Remediation Due Date: 2022-03-24
Red Hat
OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
vendor_redhat·2013-01-10·CVSS 10.0
CVE-2013-0422 [CRITICAL] OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a differen
Red Hat
OpenJDK: beans insufficient permission checks, Java 7 0day (beans, 7162473)
vendor_redhat·2012-08-27·CVSS 9.8
CVE-2012-4681 [CRITICAL] OpenJDK: beans insufficient permission checks, Java 7 0day (beans, 7162473)
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
Statement: This flaw allowed an attacker to circumvent all restrictions applied by the Java security
Exploit-DB
Java 7 Applet - Remote Code Execution (Metasploit)
exploitdb·2012-08-27
CVE-2012-4681 Java 7 Applet - Remote Code Execution (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 false })

  def initialize( info = {} )
    super( update_info( info,
      'Name' => 'Java 7 Applet Remote Code Execution',
      'Description' => %q{
          This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary
        Java code outside the sandbox. This flaw is also being exploited in the wild, and there is
        no patch from Oracle at this point. The exploit has been tested to work against: IE, Chrome
        and Firefox across different platforms.
      },
      'Lic
```
Metasploit
Java 7 Applet Remote Code Execution
metasploit
The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify AccessControlContext, and then disable Security Manager. Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist·2017-11-16
Authors
- Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person’s c
Tenable
Monitoring the Life of a Java Zero-Day Exploit with Tenable USM
blogs_tenable·2012-10-25·CVSS 9.8
CVE-2012-4681 [CRITICAL] Monitoring the Life of a Java Zero-Day Exploit with Tenable USM
Randal T. Rioux
October 25, 2012
Not too long ago, CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU #636312) was issued for a flaw discovered in Oracle Java (JDK and JRE 7 U6 and before), as well as version 6 U34 and before.
This is a client-side vulnerability, which requires a user to initiate activity to be exploited. I will avoid dissecting the flaw in detail, as this information is widely available on the Web (a particularly good write-up is here).
Keep in mind that Java is platform independent, and so is this exploit. The example here uses Internet Explorer on Windows 7 (with Java SE 7u3). However, Linux and OS X users shouldn’t feel excluded on this one!
With Tenable'
Talos
Internet Explorer use-after-free 0-Day vulnerability
blogs_talos·2012-09-18·CVSS 9.8
CVE-2012-4681 [CRITICAL] Internet Explorer use-after-free 0-Day vulnerability
A new vulnerability has been discovered that affects Internet Explorer 6, 7, 8 and 9 on Windows XP, Vista, 7, Windows Server 2003 and 2008. It is still unpatched at the time of this blog post.
Late Sunday Eric Romang reported that the Nitro cybercriminal gang, which just a few weeks ago was responsible for a series of attacks that was taking advantage of the "Java 0-day" (CVE-2012-4681), was hosting some suspicious files on their servers. Upon further investigation, Eric found that running one of the said files led to code execution in the context of the logged in user on his fully patched Windows system.
Dr. Zulfikar Ramzan, Chief Scientist of Sourcefire's Cloud Technology Group, describes the recent Internet Explorer Zero Day vulnerability in this video:
The vulnerability is a "use-afte
Krebs
Apple Releases Fix for Critical Java Flaw
blogs_krebs·2012-09-05·CVSS 9.8
[CRITICAL] Apple Releases Fix for Critical Java Flaw
Apple has issued an update for Mac OS X installations of Java that fixes at least one critical security vulnerability in the software.
If you own a Mac, take a moment today to run the Software Update application and check if there is a Java update available. Delaying this action could set your Mac up for a date with malware. In April, the Flashback Trojan infected more than 650,000 Mac systems using an exploit for a critical Java flaw.
Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005 are available for Java installations on OS X 10.6, OS X Lion and Mountain Lion systems, via Software Update or from Apple Downloads.
Apple stopped bundling Java by default in OS X 10.7 (Lion), but it offers instructions for downloading and installing the software framework when users access webpa
Krebs
Researchers: Java Zero-Day Leveraged Two Flaws
blogs_krebs·2012-08-29·CVSS 10.0
[CRITICAL] Researchers: Java Zero-Day Leveraged Two Flaws
New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.
Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.
“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”
ONE BILLION USERS AT
Talos
CVE-2012-4681: bypassing built-in java security
blogs_talos·2012-08-28·CVSS 9.8
CVE-2012-4681 [CRITICAL] CVE-2012-4681: bypassing built-in java security
A new Java 0-day is running rampant around the internet this week. With a code paste Sunday night and a Metasploit module coming in early yesterday morning, along with myriad research and blog posts, this Java vuln is sure to be the topic of the week. Based on information in the pastie link and the usage of the Gondzz and Gondvv class files in the alienvault blog post, plus analysis we've done on the samples we've seen in the wild, we've deduced that the exploit runs as follows:
- Use the Statement() method to set up a new SecurityManager.
- Create an object with the following attributes:
  a. Permissions object with AllPermissions() set.
  b. A ProtectionDomain for the url, using local file "file:///"
  c. Set up an AccessControlContext for that ProtectionDomain
- Call to the user defined functio
Krebs
Attackers Pounce on Zero-Day Java Exploit
blogs_krebs·2012-08-27·CVSS 9.8
CVE-2012-4681 [CRITICAL] Attackers Pounce on Zero-Day Java Exploit
Attackers have seized upon a previously unknown security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.
A Metasploit module developed to target this Java 0-day.
News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the
Bugzilla
CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
bugzilla·2013-01-10·CVSS 9.8
CVE-2013-0422 [CRITICAL] CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
CERT VU#625617 [1] describes a flaw in Java 7 Update 10 and earlier, which contains an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
This is currently being exploited in the wild and is reported to be incorporated into exploit kits. It is recommended that all users disable the java browser plugin in their browsers.
[1] http://www.kb.cert.org/vuls/id/625617
Other references:
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Discussion:
Common Vulnerabilities and Exposures assigned an identifier to
the
Bugzilla
CVE-2012-4681 OpenJDK: Java 7 0day vulnerability [fedora-17]
bugzilla·2012-08-30·CVSS 9.8
CVE-2012-4681 [CRITICAL] CVE-2012-4681 OpenJDK: Java 7 0day vulnerability [fedora-17]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=852051
f
Bugzilla
CVE-2012-4681 OpenJDK: Java 7 0day vulnerability [fedora-16]
bugzilla·2012-08-30·CVSS 9.8
CVE-2012-4681 [CRITICAL] CVE-2012-4681 OpenJDK: Java 7 0day vulnerability [fedora-16]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=852051
f
Bugzilla
CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
bugzilla·2012-08-30
CVE-2012-0547 [NONE] CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
Oracle Java SE 7 Update 7 and 6 Update 35 include a "security-in-depth" fix for the AWT component. This fix changes the component to remove functionality that can be used in exploits trying to bypass Java sandbox restrictions, such as the 0day exploit published in August 2012 (see bug 852051), which took advantage of SunToolkit.getField method to modify object's private field.
References:
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Discussion:
Mitre descriptio
Bugzilla
CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476)
bugzilla·2012-08-30·CVSS 10.0
CVE-2012-1682 [CRITICAL] CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476)
A flaw was found in the java.beans ClassFinder implementation, which allowed Java code running in the Java sandbox to obtain a reference to a restricted class, possibly allowing it to bypass sandbox restrictions.
This flaw is one of the issues exploited by the Java 7 0day exploit published in August 2012, see bug 852051.
Reference:
http://seclists.org/fulldisclosure/2012/Aug/336 (Vuln 1 / Issue 11)
Discussion:
Public now via Oracle Java SE 7 Update 7:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
External Reference:
htt
Bugzilla
CVE-2012-3136 OpenJDK: beans MethodElementHandler insufficient permission checks (beans, 7194567)
bugzilla·2012-08-30·CVSS 10.0
CVE-2012-3136 [CRITICAL] CVE-2012-3136 OpenJDK: beans MethodElementHandler insufficient permission checks (beans, 7194567)
A flaw was found in the java.beans MethodElementHandler implementation. Java code running in the Java sandbox could use this flaw to bypass sandbox restrictions and run arbitrary code with the Java Virtual Machine privileges.
Discussion:
Public now via Oracle Java SE 7 Update 7:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
---
Upstream fix, as applied in IcedTea 7 2.3 repositories:
http://icedtea.classpath
Bugzilla
CVE-2012-4681 OpenJDK: beans insufficient permission checks, Java 7 0day (beans, 7162473)
bugzilla·2012-08-27·CVSS 9.8
CVE-2012-4681 [CRITICAL] CVE-2012-4681 OpenJDK: beans insufficient permission checks, Java 7 0day (beans, 7162473)
A 0-day flaw exploited in the wild has been reported to affect Java 7:
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
http://pastie.org/4594319
This issue was confirmed to allow an unsigned applet to bypass Java applet restrictions and run arbitrary code on users' systems.
Discussion:
Code execution was confirmed with the latest Oracle and IBM Java 7 web browser plugins. IcedTea-Web using OpenJDK7 blocks this exploit by not allowing an applet to change the SecurityManager (which is allowed in the Oracle and IBM Java plugins).
Java 6 is currently not known to be affected.
---
Secunia: http://secunia.com/advisories/50133/
---
All the info in this bug is now public, see e.g:
arXiv
MalCVE: Malware Detection and CVE Association Using Large Language Models
arxiv_fulltext·2026-02-02
Eduard Andrei Cristea, Petter Molnes, Jingyue Li
Norwegian University of Science and Technology, Trondheim, Norway
## Abstract
Malicious software attacks are having an increasingly significant economic impact. Commercial malware detection software can be costly, and tools that attribute malware to the specific software vulnerabilities it exploits are largely lacking. Understanding the connection between malware and the vulnerabilities it targets is crucial for analyzing past threats and proactively defending
CTF
Secured Java / README
ctf_writeups·2022·CVSS 9.8
# Secured Java
The challenge is [a single python file](./secured_java.py) that allows you to run Java in a "secure way".
The code boils down to:
1. you upload two files: `Main.java` and `dep.jar`
2. it compiles `Main`
3. it runs Main with an empty _security policy_
Pseudocode:
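```python
import subprocess

# get_file, SOURCE_FILE and DEP_FILE are defined in the challenge script.
get_file("Main.java")  # uploaded source
get_file("dep.jar")    # uploaded dependency

# Compile Main against the uploaded jar.
subprocess.run(
    ["javac", "-cp", DEP_FILE, SOURCE_FILE],
    check=True,
)
subprocess.run(["java", "--version"])

# Run Main under a SecurityManager. The "==" form makes /dev/null the only
# policy file, so no permissions are granted.
subprocess.run(
    [
        "java",
        "-cp", f".:{DEP_FILE}",
        "-Djava.security.manager",
        "-Djava.security.policy==/dev/null",
        "Main",
    ],
    check=True,
)
```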
Obviously running arbitrary Java code is dangerous, but because we are running it with a _SecurityManager_ and not explicitly granting permissions (e.g. "`grant { permission java.net.SocketPermission "localhost:133
arXiv
ProPatrol: Attack Investigation via Extracted High-Level Tasks
arxiv_fulltext·2018-10-12
Sadegh M. Milajerdi (1), Birhanu Eshete (2), Rigel Gjomemo (1), V.N. Venkatakrishnan (1)
(1) University of Illinois at Chicago, Chicago IL 60607, USA, {smomen2,rgjome1,venkat}@uic.edu
(2) University of Michigan-Dearborn, Dearborn MI 48128, USA, [email protected]
The second author performed this work as a postdoctoral associate at the University of Illinois at Chicago.
## Abstract
Kern
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
http://marc.info/?l=bugtraq&m=135109152819176&w=2
http://rhn.redhat.com/errata/RHSA-2012-1225.html
http://secunia.com/advisories/51044
http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
http://www.securityfocus.com/bid/55213
http://www.us-cert.gov/cas/techalerts/TA12-240A.html
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-4681
Published: 2012-08-28
Added to CISA KEV: 2022-03-03
Exploited in the wild