CVE-2013-0401
Published 2013-03-08
Priority: P3 · 54 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 10.15% (percentile 95.1)
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | jdk | — | — |
| oracle | jre | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
Ubuntu
OpenJDK 6 vulnerabilities
vendor_ubuntu · 2013-05-07 · CVSS 10.0 · CRITICAL
Title: OpenJDK 6 vulnerabilities
Summary: Several security issues were fixed in OpenJDK 6.
Ben Murphy discovered a vulnerability in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to execute arbitrary code. (CVE-2013-0401)
James Forshaw discovered a vulnerability in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit this to execute arbitrary code. (CVE-2013-1488)
Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1558, CVE-2013-1569, CVE-2013-23
Ubuntu
OpenJDK 7 vulnerabilities
vendor_ubuntu · 2013-04-23 · CVSS 10.0 · CRITICAL
Title: OpenJDK 7 vulnerabilities
Summary: Several security issues were fixed in OpenJDK 7.
Ben Murphy discovered a vulnerability in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to execute arbitrary code. (CVE-2013-0401)
James Forshaw discovered a vulnerability in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit this to execute arbitrary code. (CVE-2013-1488)
Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1569, CVE-2013-2383, CVE-2013-23
Red Hat
OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)
vendor_redhat · 2013-04-16 · CVSS 10.0 · CRITICAL
GHSA
GHSA-7fc2-vc87-69w8
ghsa_unreviewed · 2022-05-05 · HIGH · CWE-94
No detection rules found.
No public exploits indexed.
References
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html
http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html
http://marc.info/?l=bugtraq&m=137283787217316&w=2
http://rhn.redhat.com/errata/RHSA-2013-0752.html
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://rhn.redhat.com/errata/RHSA-2013-0758.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2013:145
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.ubuntu.com/usn/USN-1806-1
http://www.us-cert.gov/ncas/alerts/TA13-107A
http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/
https://bugzilla.redhat.com/show_bug.cgi?id=920245
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641
https://twitter.com/thezdi/status/309784608508100608
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130