CVE-2013-0431
Published 2013-01-31
CVE-2013-0431: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote…
Priority P187 · medium · 5.3 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-15
Exploited in the wild
EPSS: 89.99% (99.8th percentile)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | jdk | — | — |
| oracle | jre | — | — |
| oracle | openjdk | — | — |
Detection & IOCs (extracted from sources)
- Detect delivery of a JAR file containing the specific exploit class files Exploit.ser, Exploit.class, and B.class packed together, served with Content-Type application/octet-stream from a browser exploit kit landing page.
- The Metasploit module serves the malicious JAR when the URI ends in .jar (case-insensitive) and serves an HTML applet page when the URI ends with /. Monitor for browser requests matching this pattern originating from exploit kit infrastructure.
- The exploit abuses JMX classes from a Java Applet to escape the sandbox. Monitor for Java processes spawning unexpected child processes, particularly following applet execution in a browser context.
- The exploit bypasses the unsigned applet security warning introduced in Java 7 Update 10. Alert on unsigned Java applets executing without user prompts on JRE 7u10 and 7u11 systems.
- Successful exploitation by RedKit was used to drop the ZeroAccess trojan. Post-exploitation, hunt for ZeroAccess indicators (Bitcoin mining activity, peer-to-peer C2 traffic) on hosts that ran Java applets from untrusted sites.
- The vulnerability affects Oracle Java SE 7 through Update 11 and OpenJDK 7 only. Java SE 6 is listed as not affected for this specific CVE (though a separate vulnerability CVE-2013-1490/CVE-2013-1518 exists for SE 6).
- Exploitation requires user assistance (user-assisted remote attack vector), meaning the victim must interact with the malicious applet page, though the module bypasses the unsigned applet warning dialog introduced in Java 7u10.
- The Metasploit module targets Java, Windows x86, Mac OS X x86, and Linux x86 platforms, indicating cross-platform exploitation capability.
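CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vulncheck | — | 5.3 | MEDIUM | — |
| cisa | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |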
CISA
Oracle JRE Sandbox Bypass Vulnerability
cisa·2022-05-25·CVSS 5.3
CVE-2013-0431 [MEDIUM] Oracle JRE Sandbox Bypass Vulnerability
Vulnerability: Oracle JRE Sandbox Bypass Vulnerability
Affected: Oracle Java Runtime Environment (JRE)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle allows remote attackers to bypass the Java security sandbox.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-0431
Remediation Due Date: 2022-06-15
Red Hat
mysql: unspecified DoS related to InnoDB subcomponent (CPU Jan 2014)
vendor_redhat·2014-01-14·CVSS 4.0
CVE-2013-5881 [MEDIUM] mysql: unspecified DoS related to InnoDB subcomponent (CPU Jan 2014)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2014-0431.
Statement: Not Vulnerable. This issue does not affect the version of mysql55-mysql package as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of mysql as shipped with Red Hat Enterprise Linux 6.
Package: mysql55-mysql (Red Hat Enterprise Linux 5) - Not affected
Package: mysql (Red Hat Enterprise Linux 6) - Not affected
Package: mariadb (Red Hat Enterprise Linux 7) - Not affected
Package: mariadb55-mariadb (Red Hat Software Collections) - Not affected
Pack
Red Hat
mysql: unspecified vulnerability related to InnoDB DoS (CPU Jan 2014)
vendor_redhat·2014-01-14·CVSS 4.0
CVE-2014-0431 [MEDIUM] mysql: unspecified vulnerability related to InnoDB DoS (CPU Jan 2014)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-5881.
Statement: Not Vulnerable. This issue does not affect the version of mysql55-mysql package as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of mysql as shipped with Red Hat Enterprise Linux 6.
Package: mysql55-mysql (Red Hat Enterprise Linux 5) - Not affected
Package: mysql (Red Hat Enterprise Linux 6) - Not affected
Package: mariadb (Red Hat Enterprise Linux 7) - Not affected
Package: mariadb55-mariadb (Red Hat Software Collections) - Not affected
Pac
Red Hat
JDK: complete Java security sandbox bypass (Issue 51)
vendor_redhat·2013-01-27·CVSS 5.3
CVE-2013-1490 [MEDIUM] JDK: complete Java security sandbox bypass (Issue 51)
Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 51," a different vulnerability than CVE-2013-0431. NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed by vendors. NOTE: this issue also exists in SE 6, but it cannot be exploited without a separate vulnerability.
Statement: This flaw was found to be a duplic
Red Hat
OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
vendor_redhat·2013-01-27·CVSS 5.3
CVE-2013-0431 [MEDIUM] OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.
Package: java-1.4.2-ibm (Red Hat Enterprise Linux 5) - Will not fix
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 6) -
GHSA
GHSA-hxjj-qvrq-6x75: Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1
ghsa_unreviewed·2022-05-17·CVSS 5.3
CVE-2013-1490 [MEDIUM] GHSA-hxjj-qvrq-6x75: Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1
Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 51," a different vulnerability than CVE-2013-0431. NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed by vendors. NOTE: this issue also exists in SE 6, but it cannot be exploited without a separate vulnerability.
GHSA
GHSA-h3cw-j9j9-5pc4: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted r
ghsa_unreviewed·2022-05-05·CVSS 4.3
CVE-2013-0431 [MEDIUM] CWE-693 GHSA-h3cw-j9j9-5pc4: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted r
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.
VulnCheck
Oracle JRE Sandbox Bypass Vulnerability
vulncheck·2013·CVSS 5.3
CVE-2013-0431 [MEDIUM] Oracle JRE Sandbox Bypass Vulnerability
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle allows remote attackers to bypass the Java security sandbox.
Affected: Oracle Java Runtime Environment (JRE)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.malwarebytes.com/threat-analysis/2013/03/new-exploit-kit-ransomware-and-av-evasion/; https://cybersecurityworks.com/pdf/ransomware/Spotlight_Ransomware2021.pdf; https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-15
No detection rules found.
Exploit-DB
Java Applet JMX - Remote Code Execution (Metasploit) (2)
exploitdb·2013-02-25
CVE-2013-0431 Java Applet JMX - Remote Code Execution (Metasploit) (2)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'        => 'Java Applet JMX Remote Code Execution',
      'Description' => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java code
        outside of the sandbox as exploited in the wild in February of 2013. Additionally,
        this module bypasses default security settings introduced in Java 7 Update 10 to run
        unsigned applet without displaying any warning to the user.
      },
```
Metasploit
Java Applet JMX Remote Code Execution
metasploit
This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user.
Bugzilla
CVE-2014-0431 mysql: unspecified vulnerability related to InnoDB DoS (CPU Jan 2014)
bugzilla·2014-01-15·CVSS 4.0
CVE-2014-0431 [MEDIUM] CVE-2014-0431 mysql: unspecified vulnerability related to InnoDB DoS (CPU Jan 2014)
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0431 to
the following vulnerability:
Name: CVE-2014-0431
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0431
Assigned: 20131212
Reference: http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
Unspecified vulnerability in the MySQL Server component in Oracle
MySQL 5.6.14 and earlier allows remote authenticated users to affect
availability via unknown vectors related to InnoDB, a different
vulnerability than CVE-2013-5881.
Discussion:
Upstream data suggests that this issue only affects the version of MySQL 5.6.14 and earlier.
This issue does not affect the version of mysql as shipped with Red Hat Enter
Bugzilla
CVE-2013-1490 JDK: complete Java security sandbox bypass (Issue 51)
bugzilla·2013-01-31·CVSS 5.3
CVE-2013-1490 [MEDIUM] CVE-2013-1490 JDK: complete Java security sandbox bypass (Issue 51)
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1490 to the following vulnerability:
Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 51," a different vulnerability than CVE-2013-0431. NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed by vendors. NOTE: this issue also ex
Bugzilla
CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
bugzilla·2013-01-31·CVSS 5.3
CVE-2013-0431 [MEDIUM] CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0431 to the following vulnerability:
Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 52," a different vulnerability than CVE-2013-1490. NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed
Qualys
Assess Your Risk From Ransomware Attacks, Powered by Qualys Research
blogs_qualys·2021-10-05
Ransomware attacks are among the most significant cyber threats facing businesses today. Recent warnings about Conti ransomware, issued by a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI and National Security Agency, are a strong signal that ransomware attacks are becoming even more sophisticated and massive via the ransomware-as-a-service operating model. This new model allows
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist·2017-11-16
Authors
- Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person’s c
Recorded Future
Visualizing RedKit Exploits
blogs_recorded_future·CVSS 7.8
[HIGH] Visualizing RedKit Exploits
## Visualizing RedKit Exploits
The private but popular RedKit exploit kit appears to be experiencing a resurgence based on a report by Kahu Security. Initially spotted back in May 2012, the exploit kit drew attention after cybercriminals used it in drive-by-download attacks from NBC’s compromised website in January 2013 and spam campaigns immediately after the Boston Marathon bombings.
These attacks featured iframes on the compromised websites performing simultaneous actions when rendered in a victim’s web browser. The exploit kit competes against and leverages some of the same exploits as CritXPack, Gong Da, Nuclear Pack, Cool, and Blackhole 2.0. Monitoring developments and adoption of RedKit may be of particular interest given the recent arrest in Russia of Blackhole’s creator.
Cyb
- http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/
- http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00001.html
- http://marc.info/?l=bugtraq&m=136439120408139&w=2
- http://marc.info/?l=bugtraq&m=136733161405818&w=2
- http://rhn.redhat.com/errata/RHSA-2013-0237.html
- http://rhn.redhat.com/errata/RHSA-2013-0247.html
- http://seclists.org/fulldisclosure/2013/Jan/142
- http://seclists.org/fulldisclosure/2013/Jan/195
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www.informationweek.com/security/application-security/java-hacker-uncovers-two-flaws-in-latest/240146717
- http://www.kb.cert.org/vuls/id/858729
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
- http://www.securityfocus.com/archive/1/525387/30/0/threaded
- http://www.us-cert.gov/cas/techalerts/TA13-032A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16579
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19418
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0056
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0431
- 2013-01-31: Published
- 2022-05-25: Added to CISA KEV
- Exploited in the wild