CVE-2013-0422
published 2013-01-10


Priority: P1 (97), critical; CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW (exploited in the wild), public exploit, ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-15
Exploited in the wild
EPSS: 97.61% (99.9th percentile)
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

Affected (4 ranges)

Vendor      Product       Version range   Fixed in
canonical   ubuntu_linux  (not listed)    (not listed)
opensuse    opensuse      (not listed)    (not listed)
oracle      jdk           (not listed)    (not listed)
oracle      jre           (not listed)    (not listed)

Detection & IOCs (extracted from sources)

Domain: styx-crypt.com
  • CVE-2013-0422 exploitation involves calling the public getMBeanInstantiator method in JmxMBeanServer to obtain a reference to a private MBeanInstantiator object, then using findClass to retrieve arbitrary Class references — monitor for unusual JMX/MBean reflection calls in Java processes.
  • CVE-2013-0422 exploitation also involves recursive use of the Reflection API to bypass java.lang.invoke.MethodHandles.Lookup.checkSecurityManager — monitor for recursive reflection calls in Java browser plugin processes.
  • CVE-2013-0422 was actively incorporated into the Blackhole and Nuclear Pack exploit kits as a zero-day in January 2013 — detections of these kits on hacked/malicious sites should be correlated with this CVE.
  • A public Metasploit module exists for CVE-2013-0422 — scan for Metasploit-generated Java exploit payloads in network traffic targeting Java browser plugin processes.
  • Java 6 was initially reported as vulnerable but the reporter retracted this claim — Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.
  • A reliable third party claimed the findClass/MBeanInstantiator vector was NOT fully fixed in Java 7 Update 11 — a separate CVE may apply if that vector remains exploitable post-patch.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck      -         10.0    CRITICAL   -
cisa           -         9.8     CRITICAL   -
vendor_redhat  -         10.0    CRITICAL   -