CVE-2012-5076
published 2012-10-16

Priority: P199 critical, CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability (due 2022-04-18)
Exploited in the wild
EPSS: 91.01% (99.8th percentile)

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
oracle | jre | |
suse | linux_enterprise_desktop | |

Detection & IOCs (extracted from sources)

path: data/exploits/cve-2012-5076/Exploit.class
path: data/exploits/cve-2012-5076/MyPayload.class
path: data/exploits/cve-2012-5076_2/Exploit.class
path: data/exploits/cve-2012-5076_2/B.class

  • The exploit is delivered as a Java Applet JAR file served with Content-Type application/octet-stream; detect HTTP responses serving .jar files with this content type from exploit kit infrastructure
  • The exploit JAR contains the class files Exploit.class and MyPayload.class (JAX-WS vector) or Exploit.class and B.class (AverageRangeStatisticImpl vector); scan JAR contents for these class names as an indicator of CVE-2012-5076 exploitation
  • The exploit was observed in the wild in November 2012 delivered via the Cool Exploit Kit and subsequently Blackhole Exploit Kit; network traffic to booby-trapped sites serving Java applets during this period should be correlated with these kits
  • The exploit targets Java 7 Update 7 and earlier (Java version 7u7); alert on Java applet execution from browser processes running JRE 7u7 or below
  • The Metasploit module generates an HTML page embedding a Java applet with a randomly named JAR (random alpha string + .jar); detect HTML responses containing <applet> tags with archive attributes pointing to .jar files from suspicious hosts
  • CVE-2012-5076 was exploited in the wild exclusively by Cool Exploit Kit and Blackhole Exploit Kit to deliver Reveton ransomware; detections for these kits should include this CVE as a payload delivery mechanism
  • The Metasploit module randomizes the JAR filename and internal class name strings at runtime, so static filename-based signatures will only catch default/unmodified deployments
  • The AverageRangeStatisticImpl exploit vector (exploit-db 24309) is described as 'a different exploit vector than the one exploited in the wild', meaning in-the-wild samples used the JAX-WS vector; detections should prioritise the JAX-WS path but not exclude the AverageRangeStatisticImpl path
  • The CVE affects only Java SE 7 Update 7 and earlier; Java 6 and Java SE 7 Update 8+ are not affected, so detections should be scoped to vulnerable JRE versions
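
The class-name check from the indicators above can be run over a captured HTTP response body as in the following added example (not code from this page or from any tool it cites). The function names and the sample JARs are constructed for illustration; the class-name pairs and the content type are the ones listed above. As the notes say, a sample with randomized class names will not match.

```python
import io
import zipfile

# Class-name pairs taken from the indicators listed on this page.
VECTORS = {
    "JAX-WS": {"Exploit.class", "MyPayload.class"},
    "AverageRangeStatisticImpl": {"Exploit.class", "B.class"},
}

def classify_jar(data: bytes) -> list[str]:
    """Return the vectors whose complete class-name pair is present in the JAR."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            # Compare base names so classes stored under a directory still match.
            names = {n.rsplit("/", 1)[-1] for n in jar.namelist()
                     if n.endswith(".class")}
    except zipfile.BadZipFile:
        return []  # body is not a ZIP/JAR archive
    # Require the whole pair: "Exploit.class" alone is too generic to alert on.
    return sorted(v for v, pair in VECTORS.items() if pair <= names)

def inspect_response(content_type: str, body: bytes) -> dict:
    """Combine the content-type indicator with the class-name indicator."""
    mime = content_type.split(";")[0].strip().lower()
    vectors = classify_jar(body)
    return {
        "vectors": vectors,
        "octet_stream": mime == "application/octet-stream",
        "alert": bool(vectors),
    }

def build_jar(entries) -> bytes:
    """Build a constructed sample JAR in memory (placeholder class bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    samples = {  # constructed samples, not real captures
        "default JAX-WS layout": ["Exploit.class", "MyPayload.class"],
        "default second vector": ["Exploit.class", "B.class"],
        "randomized names": ["qWeRtY.class", "zXcVb.class"],
    }
    for label, entries in samples.items():
        print(label, inspect_response("application/octet-stream", build_jar(entries)))
```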

CVSS provenance

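Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |
vendor_ubuntu | | 10.0 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |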