CVE-2012-5076
Published 2012-10-16
Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2022-04-18
Exploited in the wild
EPSS: 91.01% (99.8th percentile)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | jre | — | — |
| suse | linux_enterprise_desktop | — | — |
Detection & IOCs (extracted from sources)
- The exploit is delivered as a Java Applet JAR file served with Content-Type application/octet-stream; detect HTTP responses serving .jar files with this content type from exploit kit infrastructure.
- The exploit JAR contains the class files Exploit.class and MyPayload.class (JAX-WS vector) or Exploit.class and B.class (AverageRangeStatisticImpl vector); scan JAR contents for these class names as an indicator of CVE-2012-5076 exploitation.
- The exploit was observed in the wild in November 2012 delivered via the Cool Exploit Kit and subsequently Blackhole Exploit Kit; network traffic to booby-trapped sites serving Java applets during this period should be correlated with these kits.
- The exploit targets Java 7 Update 7 and earlier (Java version 7u7); alert on Java applet execution from browser processes running JRE 7u7 or below.
- The Metasploit module generates an HTML page embedding a Java applet with a randomly named JAR (random alpha string + .jar); detect HTML responses containing <applet> tags with archive attributes pointing to .jar files from suspicious hosts.
- CVE-2012-5076 was exploited in the wild exclusively by Cool Exploit Kit and Blackhole Exploit Kit to deliver Reveton ransomware; detections for these kits should include this CVE as a payload delivery mechanism.
- The Metasploit module randomizes the JAR filename and internal class name strings at runtime, so static filename-based signatures will only catch default/unmodified deployments.
- The AverageRangeStatisticImpl exploit vector (exploit-db 24309) is described as 'a different exploit vector than the one exploited in the wild', meaning in-the-wild samples used the JAX-WS vector; detections should prioritise the JAX-WS path but not exclude the AverageRangeStatisticImpl path.
- The CVE affects only Java SE 7 Update 7 and earlier; Java 6 and Java SE 7 Update 8+ are not affected, so detections should be scoped to vulnerable JRE versions.
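The class-name indicators above, and the caveat that randomized names defeat them, as an added Python example (not code from this page or from any tool it cites). `scan_jar` checks for the two default class-name pairs and, as an assumption that goes beyond the listed indicators, also flags class files that reference the two packages the advisories name; the sample JARs are constructed placeholders.

```python
import io
import zipfile

# Class-name pairs the page lists for the two public exploit JARs.
KNOWN_PAIRS = {
    "JAX-WS": {"Exploit.class", "MyPayload.class"},
    "AverageRangeStatisticImpl": {"Exploit.class", "B.class"},
}
# Assumption: a reference to the packages left unrestricted is worth flagging.
# Both the dotted form and the class-file internal form are searched.
PACKAGE_MARKERS = [
    b"com.sun.org.glassfish.external", b"com/sun/org/glassfish/external",
    b"com.sun.org.glassfish.gmbal", b"com/sun/org/glassfish/gmbal",
]
MAX_CLASS_BYTES = 5 * 1024 * 1024  # skip oversized entries (zip-bomb guard)

def scan_jar(data: bytes) -> dict:
    """Return name-based and content-based findings for one JAR."""
    findings = {"name_hits": [], "package_refs": [], "error": None}
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a zip/jar archive"
        return findings
    with jar:
        classes = [i for i in jar.infolist() if i.filename.endswith(".class")]
        basenames = {i.filename.rsplit("/", 1)[-1] for i in classes}
        for vector, pair in KNOWN_PAIRS.items():
            if pair <= basenames:  # both default names present
                findings["name_hits"].append(vector)
        for info in classes:
            if info.file_size > MAX_CLASS_BYTES:
                continue
            body = jar.read(info)
            if any(marker in body for marker in PACKAGE_MARKERS):
                findings["package_refs"].append(info.filename)
    return findings

def make_jar(members: dict) -> bytes:
    """Build a constructed sample JAR in memory (placeholder class bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, body in members.items():
            jar.writestr(name, body)
    return buf.getvalue()

# Constructed samples, not real exploit files.
DEFAULT_NAMES = make_jar({"Exploit.class": b"\xca\xfe\xba\xbe", "MyPayload.class": b"\xca\xfe\xba\xbe"})
RENAMED = make_jar({"qXz.class": b"\xca\xfe\xba\xbe com/sun/org/glassfish/gmbal/Placeholder"})
BENIGN = make_jar({"app/Main.class": b"\xca\xfe\xba\xbe java/lang/Object"})
```

A JAR that builds the package names at runtime would pass the content check, so an empty result does not clear a sample.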
CVSS provenance
- nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
- vulncheck · 9.8 · CRITICAL
- cisa · 9.8 · CRITICAL
- vendor_ubuntu · 10.0 · CRITICAL
- vendor_redhat · 9.8 · CRITICAL
CISA
Oracle Java SE Sandbox Bypass Vulnerability
cisa·2022-03-28·CVSS 9.8
CVE-2012-5076 [CRITICAL] Oracle Java SE Sandbox Bypass Vulnerability
Vulnerability: Oracle Java SE Sandbox Bypass Vulnerability
Affected: Oracle Java SE
The default Java security properties configuration did not restrict access to the com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-5076
Remediation Due Date: 2022-04-18
Ubuntu
OpenJDK vulnerabilities
vendor_ubuntu·2012-10-26·CVSS 10.0
CVE-2012-1531 [CRITICAL] OpenJDK vulnerabilities
Title: OpenJDK vulnerabilities
Summary: Several security issues were fixed in OpenJDK.
Several information disclosure vulnerabilities were discovered in the
OpenJDK JRE. (CVE-2012-3216, CVE-2012-5069, CVE-2012-5072, CVE-2012-5075,
CVE-2012-5077, CVE-2012-5085)
Vulnerabilities were discovered in the OpenJDK JRE related to information
disclosure and data integrity. (CVE-2012-4416, CVE-2012-5071)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to cause a denial of service. (CVE-2012-1531, CVE-2012-1532, CVE-2012-1533,
CVE-2012-3143, CVE-2012-3159, CVE-2012-5068, CVE-2012-5083, CVE-2012-5084,
CVE-2012-5086, CVE-2012-5089)
Information disclosure vulnerabilities were discovered in the OpenJDK JR
Red Hat
OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198)
vendor_redhat·2012-10-16·CVSS 9.8
CVE-2012-5076 [CRITICAL] OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.7.0-ibm (Red Hat Enterprise Linux 5) - Affected
Package: java-1.7.0-openjdk (Red Hat Enterprise Linux 5) - Affected
Package: java-1.7.0-oracle (Red Hat Enterprise Linux 5) - Affected
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 6) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-v7gg-cccr-jpfx: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect c
ghsa_unreviewed·2022-05-17
CVE-2012-5076 [HIGH] CWE-284 GHSA-v7gg-cccr-jpfx: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect c
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.
VulnCheck
Oracle Java SE Sandbox Bypass Vulnerability
vulncheck·2012·CVSS 9.8
CVE-2012-5076 [CRITICAL] Oracle Java SE Sandbox Bypass Vulnerability
The default Java security properties configuration did not restrict access to the com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
Affected: Oracle Java SE
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://threatpost.com/new-java-attack-introduced-cool-exploit-kit-111212/77205/; https://archive.f-secure.com/weblog/archives/00002458; https://cybersecurityworks.com/pdf/ransomware/Spotlight_Ransomware2021.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-18
No detection rules found.
Exploit-DB
Java Applet - AverageRangeStatisticImpl Remote Code Execution (Metasploit)
exploitdb·2013-01-24·CVSS 9.8
CVE-2012-5076 [CRITICAL] Java Applet - AverageRangeStatisticImpl Remote Code Execution (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 false })

  def initialize( info = {} )
    super( update_info( info,
      'Name' => 'Java Applet AverageRangeStatisticImpl Remote Code Execution',
      'Description' => %q{
          This module abuses the AverageRangeStatisticImpl from a Java Applet to run
        arbitrary Java code outside of the sandbox, a different exploit vector than the one
        exploited in the wild in November of 2012. The vulnerability affects Java version
        7u7 and earlier.
      },
      'License'
```
Exploit-DB
Java Applet - JAX-WS Remote Code Execution (Metasploit)
exploitdb·2012-11-13
CVE-2012-5076 Java Applet - JAX-WS Remote Code Execution (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 false })

  def initialize( info = {} )
    super( update_info( info,
      'Name' => 'Java Applet JAX-WS Remote Code Execution',
      'Description' => %q{
          This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java
        code outside of the sandbox as exploited in the wild in November of 2012. The
        vulnerability affects Java version 7u7 and earlier.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Unknown', # Vulnerability Discovery
          'juan vazquez' # meta
```
Metasploit
Java Applet JAX-WS Remote Code Execution
metasploit
This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.
Metasploit
Java Applet AverageRangeStatisticImpl Remote Code Execution
metasploit
This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.
Bugzilla
Softblock Java versions affected by CVE-2012-5076
bugzilla·2012-11-18·CVSS 9.8
CVE-2012-5076 [CRITICAL] Softblock Java versions affected by CVE-2012-5076
In October Oracle released a critical security update fixing several issues, including CVE-2012-5076 (see http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html). This bug affects Java 7u7 and below, though the Java 6 branch seems to be unaffected.
Recently, an exploit for this bug was found in the Cool exploit pack: http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html
Furthermore, the exploit was added to the Metasploit framework now.
It is already planned that the affected versions are CTP in Firefox 17 and higher, but now that the exploit is public, we should also block them in Firefox 16 and below to protect our users from drive-by malware infections.
Discussion:
These are now
Bugzilla
CVE-2012-5074 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887)
bugzilla·2012-10-11·CVSS 6.4
CVE-2012-5074 [MEDIUM] CVE-2012-5074 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887)
The default Java security properties configuration did not restrict access to the com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. This update lists those packages as restricted in the java.security file.
Note that the addition of the mentioned packages to the package.access property list is tracked under CVE-2012-5076 and CVE-2012-5074 (see also bug 865352).
Discussion:
Fixed now in Oracle JDK 7u9.
External Reference:
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
---
This issue has been addressed in following products:
Red Hat Enterprise Li
Bugzilla
CVE-2012-5076 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198)
bugzilla·2012-10-11·CVSS 6.4
CVE-2012-5076 [MEDIUM] CVE-2012-5076 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198)
The default Java security properties configuration did not restrict access to the com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. This update lists those packages as restricted in the java.security file.
Note that the addition of the mentioned packages to the package.access property list is tracked under CVE-2012-5076 and CVE-2012-5074 (see also bug 865359).
Discussion:
Fixed now in Oracle JDK 7u9.
External Reference:
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
---
This issue has been addressed in following products:
Red Hat Enterprise Li
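One way to verify the fix described in the entries above, as an added Python example (not code from Oracle, Red Hat or this page): it parses java.security-style text, including backslash line continuations, and reports which of the two named packages the `package.access` list does not cover. The function names and sample file contents are constructed for illustration, and entries are treated as package prefixes, which is an assumption about how the list is matched.

```python
# Packages the advisory says the fix added to the restricted list.
REQUIRED = ["com.sun.org.glassfish.external", "com.sun.org.glassfish.gmbal"]

def read_property(text, key):
    """Return the last value of `key` in java.security-style text, or None.

    Handles comment lines and backslash line continuations; assumes the
    `key=value` form that java.security uses.
    """
    logical, parts, continuing = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        continuing = line.endswith("\\")
        parts.append(line[:-1] if continuing else line)
        if not continuing:
            logical.append("".join(parts))
            parts = []
    if parts:  # file ended in the middle of a continuation
        logical.append("".join(parts))
    value = None
    for entry in logical:
        name, sep, val = entry.partition("=")
        if sep and name.strip() == key:
            value = val.strip()
    return value

def missing_restrictions(text):
    """List REQUIRED packages that package.access does not cover."""
    value = read_property(text, "package.access") or ""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    def covered(pkg):
        # Entries are prefixes, normally written with a trailing dot.
        return any(pkg.startswith(e) or e == pkg + "." for e in entries)
    return [pkg for pkg in REQUIRED if not covered(pkg)]

# Constructed samples; the other entries in the lists are illustrative.
UNPATCHED = r"""
# List of comma-separated packages that start with or equal this string
package.access=sun.,\
               com.sun.imageio.
"""
PATCHED = r"""
package.access=sun.,\
               com.sun.imageio.,\
               com.sun.org.glassfish.external.,\
               com.sun.org.glassfish.gmbal.
"""
```

Run `missing_restrictions` over the contents of each installed runtime's `lib/security/java.security`; a non-empty result means that runtime still exposes the listed packages to untrusted code.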
Krebs
Crimeware Author Funds Exploit Buying Spree
blogs_krebs·2013-01-07·CVSS 8.8
[HIGH] Crimeware Author Funds Exploit Buying Spree
The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.
Cool Exploit Kit.
An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed. In early October 2012,
References
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
- http://rhn.redhat.com/errata/RHSA-2012-1386.html
- http://rhn.redhat.com/errata/RHSA-2012-1391.html
- http://rhn.redhat.com/errata/RHSA-2012-1467.html
- http://secunia.com/advisories/51029
- http://secunia.com/advisories/51326
- http://secunia.com/advisories/51390
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16641
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-5076
Timeline
- 2012-10-16: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild