CVE-2013-0431
published 2013-01-31


Priority: P1 87 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-06-15
Exploited in the wild
EPSS: 89.99% (99.8th percentile)

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
oracle | jdk     |               |
oracle | jre     |               |
oracle | openjdk |               |

Detection & IOCs (extracted from sources)

path: data/exploits/cve-2013-0431/Exploit.ser
filename: Exploit.ser
filename: Exploit.class
filename: B.class
url: http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html
  • Detect delivery of a JAR file containing the specific exploit class files Exploit.ser, Exploit.class, and B.class packed together, served with Content-Type application/octet-stream from a browser exploit kit landing page.
  • The Metasploit module serves the malicious JAR when the URI ends in .jar (case-insensitive) and serves an HTML applet page when the URI ends with /. Monitor for browser requests matching this pattern originating from exploit kit infrastructure.
  • The exploit abuses JMX classes from a Java Applet to escape the sandbox. Monitor for Java processes spawning unexpected child processes, particularly following applet execution in a browser context.
  • The exploit bypasses the unsigned applet security warning introduced in Java 7 Update 10. Alert on unsigned Java applets executing without user prompts on JRE 7u10 and 7u11 systems.
  • Successful exploitation by RedKit was used to drop the ZeroAccess trojan. Post-exploitation, hunt for ZeroAccess indicators (Bitcoin mining activity, peer-to-peer C2 traffic) on hosts that ran Java applets from untrusted sites.
  • The vulnerability affects Oracle Java SE 7 through Update 11 and OpenJDK 7 only. Java SE 6 is listed as not affected for this specific CVE (though a separate vulnerability CVE-2013-1490/CVE-2013-1518 exists for SE 6).
  • Exploitation requires user assistance (user-assisted remote attack vector), meaning the victim must interact with the malicious applet page, though the module bypasses the unsigned applet warning dialog introduced in Java 7u10.
  • The Metasploit module targets Java, Windows x86, Mac OS X x86, and Linux x86 platforms, indicating cross-platform exploitation capability.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck | | 5.3 | MEDIUM |
cisa | | 5.3 | MEDIUM |
vendor_redhat | | 5.3 | MEDIUM |