⚠ Actively exploited

Added to CISA KEV on 2022-03-28. Federal agencies required to patch by 2022-04-18. Required action: Apply updates per vendor instructions..

CVE-2012-5076 — Improper Access Control in Oracle JRE

CWE-284 — Improper Access Control16 documents11 sources

Severity

9.8CRITICALNVD

EPSS

91.7%

top 0.31%

CISA KEV

KEV

Added 2022-03-28

Due 2022-04-18

Exploit

Exploited in wild

Active exploitation observed

Affected products

Oracle JRE Suse Linux Enterprise Desktop

Timeline

PublishedOct 16

KEV addedMar 28

KEV dueApr 18

Latest updateMay 17

CISA Required Action: Apply updates per vendor instructions.

Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDoracle/jre1.7.0

▶NVDsuse/linux_enterprise_desktop11

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-v7gg-cccr-jpfx: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect c↗2022-05-17

▶

CVEList

CVE-2012-5076: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect c↗2012-10-16

▶

VulnCheck

Oracle Java SE Sandbox Bypass Vulnerability↗2012

▶

💥Exploits & PoCs

Exploit-DB

Java Applet - AverageRangeStatisticImpl Remote Code Execution (Metasploit)↗2013-01-24

▶

Exploit-DB

Java Applet - JAX-WS Remote Code Execution (Metasploit)↗2012-11-13

▶

Metasploit

Java Applet JAX-WS Remote Code Execution↗

▶

Metasploit

Java Applet AverageRangeStatisticImpl Remote Code Execution↗

▶

📋Vendor Advisories

CISA

Oracle Java SE Sandbox Bypass Vulnerability↗2022-03-28

▶

Ubuntu

OpenJDK vulnerabilities↗2012-10-26

▶

Red Hat

OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198)↗2012-10-16

▶

🕵️Threat Intelligence

Krebs

Crimeware Author Funds Exploit Buying Spree↗2013-01-07

▶

Krebs

Crimeware Author Funds Exploit Buying Spree – Krebs on Security↗2013-01-01

▶

💬Community

Bugzilla

Softblock Java versions affected by CVE-2012-5076↗2012-11-18

▶

Bugzilla

CVE-2012-5074 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887)↗2012-10-11

▶

Bugzilla

CVE-2012-5076 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198)↗2012-10-11

▶