⚠ Actively exploited
Added to CISA KEV on 2022-05-25. Federal agencies required to patch by 2022-06-15. Required action: Apply updates per vendor instructions..

CVE-2013-0422Improper Access Control in Oracle JDK

CWE-284Improper Access ControlCWE-26431 documents15 sources
Severity
10.0CRITICALNVD
NVD9.8VulnCheck9.8CISA9.8
EPSS
93.6%
top 0.16%
CISA KEV
KEV
Added 2022-05-25
Due 2022-06-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
4
Canonical Ubuntu LinuxOpensuseOracle JDK+1 more
Timeline
PublishedJan 10
KEV addedMay 25
KEV dueJun 15
Latest updateFeb 2
CISA Required Action: Apply updates per vendor instructions.

Description

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inabilit

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDoracle/jdk1.7.0
NVDoracle/jre1.7.0

Also affects: Ubuntu Linux 12.10

🔴Vulnerability Details

4
GHSA
GHSA-xcww-3952-xr69: Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown2022-05-17
GHSA
GHSA-r293-6mhc-29xx: Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiat2022-05-05
VulnCheck
Oracle JRE Remote Code Execution Vulnerability2013
VulnCheck
Oracle Java 7 before Update 11 Unspecified Vulnerability2012

💥Exploits & PoCs

2
Exploit-DB
Java Applet JMX - Remote Code Execution (Metasploit) (1)2013-01-11
Metasploit
Java Applet JMX Remote Code Execution

🔍Detection Rules

1
YARA
CVE_2013_0422

📋Vendor Advisories

4
CISA
Oracle JRE Remote Code Execution Vulnerability2022-05-25
Ubuntu
OpenJDK 7 vulnerabilities2013-01-16
Red Hat
OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)2013-01-13
Red Hat
OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)2013-01-10

🕵️Threat Intelligence

11
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US2017-11-16
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US2017-11-16
Krebs
Styx Exploit Pack: Domo Arigato, PC Roboto2013-07-08
Krebs
Styx Exploit Pack: Domo Arigato, PC Roboto – Krebs on Security2013-07-01
Krebs
Flaw Flood Busts Bug Bank2013-02-04

📄Research Papers

3
arXiv
MalCVE: Malware Detection and CVE Association Using Large Language Models2026-02-02
CTF
Secured Java / README2022
arXiv
Web Tracking: Mechanisms, Implications, and Defenses2015-07-28

💬Community

4
Bugzilla
CVE-2013-0422 CVE-2012-3174 java-1.7.0-openjdk various flaws [fedora-all]2013-01-14
Bugzilla
CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)2013-01-14
Bugzilla
Blocklist with severity CTP for all versions of Java due to zero-day remote code execution vulnerability being actively exploited2013-01-10
Bugzilla
CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)2013-01-10
CVE-2013-0422 — Improper Access Control in Oracle JDK | cvebase