⚠ Actively exploited
Added to CISA KEV on 2022-05-25. Federal agencies required to patch by 2022-06-15. Required action: apply updates per vendor instructions.

CVE-2013-2423: Improper Access Control in Oracle JRE

Severity: 3.7 LOW (NVD)
EPSS: 93.4% (top 0.18%)
CISA KEV: added 2022-05-25, due 2022-06-15
Exploit: exploited in the wild; active exploitation observed
Timeline: published Apr 17, 2013; added to KEV May 25, 2022; KEV due date Jun 15, 2022
CISA required action: apply updates per vendor instructions.

Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks in the MethodHandles implementation and modify arbitrary public final fields using reflection.

The low NVD score reflects only the integrity impact Oracle stated; the exploit references below (a Metasploit Java applet module) and the CISA KEV listing show the bug was used in the wild as part of a remote code execution chain against browsers with the Java plugin enabled.
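As an added triage helper (not code from this page, Oracle, or the OpenJDK project), the following Python classifies `java -version 2>&1` banners against the range the description gives: Oracle Java SE 7 Update 17 and earlier is reported as affected, other major versions as outside this CVE's range, and any OpenJDK 7 banner as "check the distro advisory", because distribution builds backport fixes without bumping the update number, so the banner alone cannot settle exposure. The sample banners are constructed and their build ids are illustrative.

```python
import re

# Affected range as stated in the description above: Oracle Java SE 7 Update 17
# and earlier. Java 6 and Java 8 are not named there, so they are reported as
# outside this CVE's range rather than as safe in general.
AFFECTED_MAJOR = 7
LAST_AFFECTED_UPDATE = 17

# First line of `java -version` output. Java 7-era banners look like
#   java version "1.7.0_17"      (update 17)
#   java version "1.7.0"         (GA release, update 0)
# and Java 8 builds may print `openjdk version "1.8.0_292"`.
_VERSION_RE = re.compile(r'^(?:java|openjdk) version "1\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, update, is_openjdk) from `java -version` output,
    or None when the banner is not in the 1.<major>.<minor>_<update> form."""
    lines = [ln.strip() for ln in banner.strip().splitlines()]
    if not lines:
        return None
    m = _VERSION_RE.match(lines[0])
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(3)) if m.group(3) else 0
    # OpenJDK 7 prints `java version ...` on line 1 and names itself on line 2,
    # so look for the vendor string anywhere in the banner, not just line 1.
    is_openjdk = any("OpenJDK" in ln or ln.startswith("openjdk") for ln in lines)
    return major, update, is_openjdk


def triage(banner):
    """Classify one `java -version` banner against CVE-2013-2423.

    Returns one of:
      'affected'               Oracle Java SE 7, update <= 17
      'not-in-range'           another major version, or a 7u build above 17
      'check-distro-advisory'  OpenJDK 7: distro builds backport fixes without
                               bumping the update number, so consult the vendor
                               advisory (e.g. the Ubuntu/Red Hat entries on this
                               page) instead of trusting the banner
      'unknown'                banner could not be parsed
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update, is_openjdk = parsed
    if major != AFFECTED_MAJOR:
        return "not-in-range"
    if is_openjdk:
        return "check-distro-advisory"
    return "affected" if update <= LAST_AFFECTED_UPDATE else "not-in-range"


# Constructed sample banners (not captured from real hosts) in the shape
# `java -version` prints; the build ids are illustrative.
SAMPLE_BANNERS = {
    "oracle-7u17": 'java version "1.7.0_17"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)\n'
                   'Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)',
    "oracle-7ga": 'java version "1.7.0"\n'
                  'Java(TM) SE Runtime Environment (build 1.7.0-b147)',
    "oracle-7u21": 'java version "1.7.0_21"\n'
                   'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)',
    "oracle-6u45": 'java version "1.6.0_45"\n'
                   'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "openjdk-7u15": 'java version "1.7.0_15"\n'
                    'OpenJDK Runtime Environment (IcedTea7 2.3.7) (7u15-2.3.7-0ubuntu1~12.10)\n'
                    'OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)',
    "openjdk-8": 'openjdk version "1.8.0_292"\n'
                 'OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~20.04-b10)',
    "garbage": "bash: java: command not found",
}


def triage_all(banners=SAMPLE_BANNERS):
    """Triage a mapping of host-label -> banner; returns host-label -> verdict."""
    return {label: triage(text) for label, text in banners.items()}


if __name__ == "__main__":
    for label, verdict in triage_all().items():
        print(f"{label:14s} {verdict}")
```

Feed it the captured banner from each host (the version line goes to stderr, hence `2>&1`). A "not-in-range" verdict only means the banner falls outside what this description names; it says nothing about other Java CVEs, and an "affected" host with the browser plugin enabled is the case the exploit references below target.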

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.2 | Impact: 1.4

Affected Packages (2 packages)

NVD: oracle/jre 1.7.0

Also affects: Ubuntu Linux 12.10

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-wq4h-35pf-mp23: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote atta… (2022-05-17)
VulnCheck: Oracle JRE Unspecified Vulnerability (2013)

💥 Exploits & PoCs (2)

Exploit-DB: Java Applet - Reflection Type Confusion Remote Code Execution (Metasploit) (2013-04-23)
Metasploit: Java Applet Reflection Type Confusion Remote Code Execution

📋 Vendor Advisories (3)

CISA: Oracle JRE Unspecified Vulnerability (2022-05-25)
Ubuntu: OpenJDK 7 vulnerabilities (2013-04-23)
Red Hat: OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677) (2013-04-16)

🕵️ Threat Intelligence (8)

Securelist: Investigation Report for the September 2014 Equation malware detection incident in the US (2017-11-16)
Talos: Continued analysis of the LightsOut Exploit Kit (2014-05-02)
Zscaler: FlimKit Coughs Up More Malvertising | Zscaler (2013-07-11)

💬 Community (1)

Bugzilla: CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677) (2013-04-15)