CVE-2013-2460
published 2013-06-18

CVE-2013-2460: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to…

Priority: P184
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 70.25% (99.3rd percentile)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.

Affected

4 ranges

Vendor   Product   Version range   Fixed in
oracle   jdk       <= 1.7.0
oracle   jdk
oracle   jre       <= 1.7.0
oracle   jre

Detection & IOCs (extracted from sources)

path: data/exploits/cve-2013-2460/Exploit.class
path: data/exploits/cve-2013-2460/ExpProvider.class
path: data/exploits/cve-2013-2460/DisableSecurityManagerAction.class
url: http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf
url: http://www.security-explorations.com/materials/se-2012-01-61.zip
url: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a
  • Exploit delivers a JAR containing Exploit.class, ExpProvider.class, and DisableSecurityManagerAction.class; detect HTTP responses serving a JAR with these class file names (or randomized variants via Metasploit's identifier randomization).
  • Exploit JAR is served with Content-Type 'application/octet-stream' in response to a .jar URI request; monitor for Java applet loads of JARs served as octet-stream containing ProviderSkeleton-related class files.
  • Exploit HTML page uses an applet tag to load the malicious JAR; detect HTML responses containing <applet> tags referencing .jar files in browser traffic.
  • The exploit abuses ProviderSkeleton's insecure invoke() method to call arbitrary static methods; monitor JVM tracing/serviceability APIs for unexpected invocations via ProviderSkeleton or GetInvocationHandler.
  • Metasploit module randomizes 'metasploit' and 'payload' identifier strings within the JAR to evade signature detection; static signatures on these strings alone may be insufficient.
  • The Metasploit module randomizes class/identifier names (e.g., 'Exploit', 'metasploit', 'payload') within the JAR at runtime, so static name-based signatures will not reliably detect all variants.
  • The vulnerability only affects Java SE 7 Update 21 and earlier, and OpenJDK 7; Java 6 and the IBM JRE packages on RHEL 5/6 are listed as not affected.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck                 9.3     CRITICAL
vendor_redhat             9.3     CRITICAL
vendor_ubuntu             3.6     LOW