CVE-2013-2423
Published 2013-04-17
Priority: P1 (86) · CVSS 3.1 base score 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-15
Exploited in the wild
EPSS: 85.33% (99.7th percentile)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| opensuse | opensuse | — | — |
| oracle | jre | — | — |
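The affected range above ("Java SE 7 Update 17 and earlier, and OpenJDK 7") is easier to act on as a host check. The following is an added Python example written for this page; it is not vendor tooling and not part of any advisory. Its cutoffs are assumptions drawn from the page: any Java 7 runtime below 7u21 is treated as unfixed (the Red Hat Bugzilla entry further down records "Fixed in Oracle Java SE 7u21", so the non-public updates 18 to 20 are counted as unfixed too), Java 6 is treated as not affected (Red Hat lists java-1.6.0-openjdk as not affected), and Java 8 and later postdate the fix. The sample banners are constructed, not captured from real hosts.

```python
"""Evaluate a `java -version` banner against the CVE-2013-2423 fix level.

Added example for this page; assumptions are labelled in comments.
"""
import re
import subprocess

# Matches both the legacy scheme ("1.7.0_17") and post-JEP-223 strings ("11.0.2")
# as printed on the first line of `java -version` output.
_VERSION_RE = re.compile(r'version "(?P<ver>[0-9][0-9._+-]*)"')

# Assumption from the page's Bugzilla entry: "Fixed in Oracle Java SE 7u21".
FIXED_UPDATE_7 = 21


def parse_java_version(banner: str):
    """Return (family, update) parsed from a `java -version` banner, or None.

    "1.7.0_17" -> (7, 17)    "1.7.0" -> (7, 0)    "11.0.2" -> (11, 0)
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    ver = m.group("ver")
    if ver.startswith("1."):                      # legacy 1.<family>.0_<update>
        parts = ver.split(".")
        family = int(parts[1])
        tail = parts[2] if len(parts) > 2 else "0"
        upd = re.search(r"_(\d+)", tail)
        return family, (int(upd.group(1)) if upd else 0)
    # New-style string: the leading number is the family; no update suffix.
    return int(re.match(r"\d+", ver).group(0)), 0


def affected_by_cve_2013_2423(banner: str) -> bool:
    """True when the banner describes a Java 7 runtime older than 7u21.

    Java 6 is treated as not affected (Red Hat: java-1.6.0-openjdk not affected);
    Java 8+ postdates the fix. Both are assumptions for this example.
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        raise ValueError("no version string found in banner")
    family, update = parsed
    return family == 7 and update < FIXED_UPDATE_7


def check_local_java() -> bool:
    """Run `java -version` (it writes to stderr) and classify the result."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return affected_by_cve_2013_2423(proc.stderr + proc.stdout)


# Constructed sample banners (first line only), mapped to the expected verdict.
SAMPLE_BANNERS = {
    'java version "1.7.0_17"': True,
    'java version "1.7.0_21"': False,
    'openjdk version "1.7.0_09"': True,
    'java version "1.6.0_45"': False,
    'java version "1.8.0_45"': False,
    'openjdk version "11.0.2" 2019-01-15': False,
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        verdict = affected_by_cve_2013_2423(banner)
        print(f"{banner:40s} affected={verdict} (expected {expected})")
```

The check keys only on the runtime's own version string; on multi-JRE hosts (browser plug-in, bundled JREs in application directories) run it against every `java` binary found, not just the one on PATH.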
Detection & IOCs (extracted from sources)
Snort
SIDs: 26569 through 26572, 26603 and 26668
- The LightsOut exploit kit uses JavaScript IDS evasion by embedding digits within strings that must be removed to reveal the actual string (e.g., 'forName' encoded as '836f4974362o65679305r82637150N61617044a77736359m99323481e9388').
- The CVE-2013-2423 exploit was distributed via malvertising through the ad networks yieldmanager.net, smxchange.com and glispa.com, redirecting to FlimKit drop domains.
- The dropper executable copies itself with a trailing space in the filename ('WbemMonitor .exe') under a 'Broker services' directory in AppData; the trailing space is an evasion technique worth detecting on its own.
- The Styx exploit kit referenced CVE-2013-2423 internally as exploit number '12'; traffic analysis of Styx panels can use this numbering to identify the specific exploit being served.
- The exploit does not bypass click-to-play in the basic Metasploit module variant; the user must accept the Java security warning for the malicious applet to execute.
- A separate Metasploit module variant (rapid7/metasploit-framework) does bypass click-to-play via a specially crafted JNLP file, but this bypass applies mainly to IE via the Java Web Start ActiveX control.
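Two of the indicators above (the digit-padded strings in LightsOut landing pages and the trailing-space dropper filename from the FlimKit campaign) are mechanical enough to triage in code. The following is an added Python example for this page, not code from Talos, Zscaler, Snort or the kits themselves. The JavaScript snippet and the path list are constructed here; the 16-character / 50%-digits thresholds are assumptions chosen for the example; and the watch-list of decoded names contains only 'forName' from the source above plus two hypothetical reflection-API names added for illustration.

```python
"""Triage helpers for the LightsOut / FlimKit indicators listed on this page.

Added example; sample inputs are constructed and thresholds are assumptions.
"""
import ntpath
import re

# --- 1. LightsOut string obfuscation --------------------------------------
# The kit interleaves digits into the letters of an API name; removing every
# digit yields the real string ('836f49...e9388' -> 'forName').

def strip_digits(obfuscated: str) -> str:
    return re.sub(r"\d", "", obfuscated)

# Any quoted JS literal of alphanumerics long enough to hide a name
# (16+ chars is an assumption for this example).
_JS_LITERAL = re.compile(r"""['"]([A-Za-z0-9]{16,})['"]""")

def decode_candidates(js_source: str):
    """Return (obfuscated, decoded) for each literal that is mostly digits."""
    found = []
    for m in _JS_LITERAL.finditer(js_source):
        lit = m.group(1)
        digit_ratio = sum(ch.isdigit() for ch in lit) / len(lit)
        if digit_ratio < 0.5:           # hex blobs / identifiers: skip (assumed cutoff)
            continue
        found.append((lit, strip_digits(lit)))
    return found

# 'forName' comes from the Talos excerpt; the other two are hypothetical entries.
WATCHLIST = {"forName", "getMethod", "invoke"}

def flag_reflection_strings(js_source: str):
    return [dec for _, dec in decode_candidates(js_source) if dec in WATCHLIST]

# --- 2. FlimKit dropper path: trailing space before the extension ----------
# Observed name: 'WbemMonitor .exe' under a 'Broker services' dir in AppData.

def has_trailing_space_before_ext(path: str) -> bool:
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return bool(ext) and stem != stem.rstrip()

def is_flimkit_dropper_path(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    in_appdata_broker = "\\appdata\\" in p and "\\broker services\\" in p
    return in_appdata_broker and has_trailing_space_before_ext(path)

# Constructed samples (not real captures).
SAMPLE_JS = (
    "var c = x['836f4974362o65679305r82637150N61617044a77736359m99323481e9388'];"
    "var h = 'deadbeefcafebabe1234'; var n = 'shortone';"
)
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Broker services\WbemMonitor .exe",
    r"C:\Users\alice\AppData\Roaming\Broker services\WbemMonitor.exe",
    r"C:\Program Files\Vendor\tool .exe",
]

if __name__ == "__main__":
    for lit, dec in decode_candidates(SAMPLE_JS):
        print(f"{lit[:20]}... -> {dec}")
    for p in SAMPLE_PATHS:
        print(is_flimkit_dropper_path(p), p)
```

The path check deliberately tests the trailing space and the directory separately: the space alone is a useful generic signal (it survives renames of the 'Broker services' directory), while the combined match is the high-confidence FlimKit indicator.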
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | 3.x | 3.7 | LOW | — |
| cisa | 3.x | 3.7 | LOW | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
| vendor_redhat | 3.x | 3.7 | LOW | — |

The 3.7/LOW entries all inherit NVD's narrow "affect integrity via unknown vectors" wording. The Exploit-DB and Metasploit entries below describe the same bug as a sandbox escape that runs code outside the Java sandbox, CISA lists it in KEV with known ransomware use, and exploit kits shipped it widely; the base score is not a useful priority signal here. The vendor_ubuntu 10.0 is the score of USN-1806-1 as a whole (keyed to CVE-2013-0401 and bundling several arbitrary-code-execution CVEs), not a rating of this CVE alone.
GHSA
GHSA-wq4h-35pf-mp23 (ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-284)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
VulnCheck
Oracle JRE Unspecified Vulnerability
vulncheck · 2013 · CVSS 3.7 (LOW)
Unspecified vulnerability in hotspot for Java Runtime Environment (JRE) allows remote attackers to affect integrity.
Affected: Oracle Java Runtime Environment (JRE)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html
- https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/
- https://cybersecurityworks.com/pdf/ransomware/Spotlight_Ransomware2021.pdf
- https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
- https://www.mandiant.com/sites/default/files/2021-09/rpt-java-vulnerabilities.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Rem
CISA
Oracle JRE Unspecified Vulnerability
cisa · 2022-05-25 · CVSS 3.7 (LOW)
Affected: Oracle Java Runtime Environment (JRE)
Unspecified vulnerability in hotspot for Java Runtime Environment (JRE) allows remote attackers to affect integrity.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-2423
Remediation Due Date: 2022-06-15
Ubuntu
OpenJDK 7 vulnerabilities (USN-1806-1)
vendor_ubuntu · 2013-04-23 · CVSS 10.0 (CRITICAL; the record is keyed to CVE-2013-0401 and scores the whole advisory)
Summary: Several security issues were fixed in OpenJDK 7.

Ben Murphy discovered a vulnerability in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to execute arbitrary code. (CVE-2013-0401)

James Forshaw discovered a vulnerability in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit this to execute arbitrary code. (CVE-2013-1488)

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1569, CVE-2013-2383, CVE-2013-23
Red Hat
OpenJDK: incorrect setter access checks in MethodHandles (HotSpot, 8009677)
vendor_redhat · 2013-04-16 · CVSS 3.7 (LOW)
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-sun (Red Hat Enterprise Li
Exploit-DB
Java Applet - Reflection Type Confusion Remote Code Execution (Metasploit)
exploitdb · 2013-04-23 · EDB-ID 24976
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  # [lines between the class declaration and "def initialize" were lost in
  #  extraction; the surviving fragment of that region ends with: false })]

  def initialize( info = {} )
    super( update_info( info,
      'Name'        => 'Java Applet Reflection Type Confusion Remote Code Execution',
      'Description' => %q{
        This module abuses Java Reflection to generate a Type Confusion, due to a weak
        access control when setting final fields on static classes, and run code outside of
        the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This
        exploit doesn't bypass click
```
Metasploit
Java Applet Reflection Type Confusion Remote Code Execution
metasploit
This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play through a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically through the ActiveX control. Otherwise the applet is launched without click-to-play bypass.
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist · 2017-11-16
Authors: Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee's home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person's c
Talos
Continued analysis of the LightsOut Exploit Kit
blogs_talos · 2014-05-02 · CVSS 9.8 (CRITICAL)
At the end of March, we disclosed the coverage of an Exploit Kit we called "Hello": http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html, or "LightsOut", we thought we'd do a follow up post to tear this exploit kit apart a bit more. This variant of the LightsOut exploit kit uses a number of Java vulnerabilities, and targets multiple browsers. The primary goal is to drop & execute a downloader executable, which in turn downloads and executes more malware samples. These secondary malware samples are run in a sequence, and do some information harvesting, and potentially exfiltrate the information harvested. Overall, not fun for visitors to sites compromised with the LightsOut exploit kit. Because of the number of Java vulnerabiliti
Zscaler
FlimKit Coughs Up More Malvertising
blogs_zscaler · 2013-07-11
Krebs
Styx Exploit Pack: Domo Arigato, PC Roboto
blogs_krebs · 2013-07-08
Not long ago, miscreants who wanted to buy an exploit kit — automated software that helps booby-trap hacked sites to deploy malicious code — had to be fairly well-connected, or at least have access to semi-private underground forums. These days, some exploit kit makers are brazenly advertising and offering their services out in the open, marketing their wares as browser vulnerability “stress-test platforms.”
Styx Pack victims, by browser and OS version.
Aptly named after the river in Greek mythology that separates mere mortals from the underworld, the Styx exploit pack is a high-end software package that is made for the underground but marketed and serviced at the public styx-crypt[dot]com. The purveyors of this malware-as-a-service also have made a 24 hour virtual help desk available to
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch's arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let's craft a simple query looking for mentions of any exploit kit over the last six months.
Bugzilla
CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (HotSpot, 8009677)
bugzilla · 2013-04-15 · CVSS 3.7 (LOW)
java.lang.invoke.MethodHandles did not perform access checks correctly. An untrusted Java application or applet could use this to set the value of a final field.
Discussion:
Public now via Oracle Java SE CPU April 2013:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in Oracle Java SE 7u21.
---
OpenJDK7 upstream repositories commit:
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5, via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6, via RHSA-2013:0751 https:
References
- http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
- http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html
- http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
- http://rhn.redhat.com/errata/RHSA-2013-0752.html
- http://rhn.redhat.com/errata/RHSA-2013-0757.html
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0
- http://www.exploit-db.com/exploits/24976
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
- http://www.ubuntu.com/usn/USN-1806-1
- http://www.us-cert.gov/ncas/alerts/TA13-107A
- https://bugzilla.redhat.com/show_bug.cgi?id=952398
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2423
Timeline
- Published: 2013-04-17
- Added to CISA KEV: 2022-05-25
- Exploited in the wild