CVE-2013-2460
Published: 2013-06-18
Priority: P1 · 84 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 70.25% (99.3rd percentile)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | jdk | <= 1.7.0 | — |
| oracle | jdk | — | — |
| oracle | jre | <= 1.7.0 | — |
| oracle | jre | — | — |
Detection & IOCs (extracted from sources)
- Exploit delivers a JAR containing Exploit.class, ExpProvider.class, and DisableSecurityManagerAction.class; detect HTTP responses serving a JAR with these class file names (or randomized variants via Metasploit's identifier randomization).
- Exploit JAR is served with Content-Type 'application/octet-stream' in response to a .jar URI request; monitor for Java applet loads of JARs served as octet-stream containing ProviderSkeleton-related class files.
- Exploit HTML page uses an applet tag to load the malicious JAR; detect HTML responses containing <applet> tags referencing .jar files in browser traffic.
- The exploit abuses ProviderSkeleton's insecure invoke() method to call arbitrary static methods; monitor JVM tracing/serviceability APIs for unexpected invocations via ProviderSkeleton or GetInvocationHandler.
- Metasploit module randomizes 'metasploit' and 'payload' identifier strings within the JAR to evade signature detection; static signatures on these strings alone may be insufficient.
- The Metasploit module randomizes class/identifier names (e.g., 'Exploit', 'metasploit', 'payload') within the JAR at runtime, so static name-based signatures will not reliably detect all variants.
- Vulnerability only affects Java SE 7 Update 21 and earlier, and OpenJDK 7; Java 6 and IBM JRE packages on RHEL 5/6 are listed as not affected.
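The three network-side indicators above (class names inside the JAR, a .jar URI answered as application/octet-stream, and an applet tag referencing a .jar) as defensive checks a proxy or sandbox could run over captured responses. This is an added example, not code from the page or from any vendor; it assumes ProviderSkeleton resides in the sun.tracing package and that the applet names its JAR via the archive attribute, and the sample JAR it builds is constructed test data. Because the class names can be randomized, it also looks for the tracing-API class path inside the class files themselves, which a renamed class still has to reference.

```python
import io
import re
import zipfile

# Class-file names reported for the public exploit JAR (from the IOC list above).
KNOWN_EXPLOIT_CLASSES = {"Exploit.class", "ExpProvider.class",
                         "DisableSecurityManagerAction.class"}
# A class file names the tracing classes it uses in its constant pool, so this
# check survives identifier randomization. Assumption: ProviderSkeleton lives in
# the sun.tracing package (the page names only the class).
TRACING_REFS = (b"sun/tracing/ProviderSkeleton",)
# Assumption: the applet references its JAR through the archive attribute.
APPLET_JAR_RE = re.compile(
    r"<applet\b[^>]*\barchive\s*=\s*[\"']?([^\"'>\s]+\.jar)", re.IGNORECASE)


def jar_indicators(jar_bytes: bytes) -> dict:
    """Inspect an in-memory JAR for known class names and tracing-API references."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:  # not a JAR at all: nothing to report
        return {"known_class_names": [], "tracing_refs": [], "suspicious": False}
    with zf:
        entries = zf.namelist()
        known = sorted(KNOWN_EXPLOIT_CLASSES.intersection(
            n.rsplit("/", 1)[-1] for n in entries))
        refs = {ref.decode() for n in entries if n.endswith(".class")
                for ref in TRACING_REFS if ref in zf.read(n)}
    return {"known_class_names": known, "tracing_refs": sorted(refs),
            "suspicious": bool(known or refs)}


def suspicious_jar_response(uri: str, headers: dict) -> bool:
    """A .jar URI answered as application/octet-stream, the serving pattern noted above."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return uri.split("?", 1)[0].lower().endswith(".jar") and ctype == "application/octet-stream"


def applet_jar_refs(html: str) -> list:
    """Return the .jar archives referenced by <applet> tags in an HTML response."""
    return APPLET_JAR_RE.findall(html)


def build_sample_jar(class_names, body: bytes = b"") -> bytes:
    """Constructed test data: a toy JAR whose entries hold a class magic number plus body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            zf.writestr(name, b"\xca\xfe\xba\xbe" + body)
    return buf.getvalue()
```

Feed `jar_indicators` the body of any response that `suspicious_jar_response` flags; a hit on `tracing_refs` with no known class names is the randomized-variant case the list above warns about.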
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
| vendor_ubuntu | — | 3.6 | LOW | — |
Ubuntu: OpenJDK 7 vulnerabilities
vendor_ubuntu · 2013-07-16 · CVSS 3.6 · CVE-2013-1500 [LOW]
Title: OpenJDK 7 vulnerabilities
Summary: Several security issues were fixed in OpenJDK 7.
Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to expose sensitive data over the network. (CVE-2013-1500, CVE-2013-2454, CVE-2013-2458)
A vulnerability was discovered in the OpenJDK Javadoc related to data integrity. (CVE-2013-1571)
A vulnerability was discovered in the OpenJDK JRE related to information disclosure and availability. An attacker could exploit this to cause a denial of service or expose sensitive data over the network. (CVE-2013-2407)
Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data o
Ubuntu: IcedTea Web update
vendor_ubuntu · 2013-07-16 · CVSS 3.6 · CVE-2013-1500 [LOW]
Title: IcedTea Web update
Summary: IcedTea Web updated to work with new OpenJDK 7.
USN-1907-1 fixed vulnerabilities in OpenJDK 7. Due to upstream changes, IcedTea Web needed an update to work with the new OpenJDK 7.
Red Hat: OpenJDK: tracing insufficient access checks (Serviceability, 8010209)
vendor_redhat · 2013-06-18 · CVSS 9.3 · CVE-2013-2460 [CRITICAL]
Package: java-1.5.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-ibm (Red Hat Enterprise Linux 5) - Not affected
Package: java-1.6.0-openjdk (Red Hat Enterprise Linux 5) - Not affected
P
GHSA: GHSA-fmcw-8c9j-mwj4: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote atta
ghsa_unreviewed · 2022-05-17 · CVE-2013-2460 [HIGH]
VulnCheck: Oracle Java Runtime Environment Insufficient Access Checks Bypass Vulnerability
vulncheck · 2013 · CVSS 9.3 · CVE-2013-2460 [CRITICAL]
Affected: Oracle Java Runtime Environment (JRE)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailabl
No detection rules found.
Exploit-DB: Java Applet - ProviderSkeleton Insecure Invoke Method (Metasploit)
exploitdb · 2013-07-01 · CVE-2013-2460

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
class Metasploit3 false })
EXPLOIT_STRING = "Exploit"
def initialize( info = {} )
super( update_info( info,
'Name' => 'Java Applet ProviderSkeleton Insecure Invoke Method',
'Description' => %q{
This module abuses the insecure invoke() method of the ProviderSkeleton class that
allows to call arbitrary static methods with user supplied arguments. The vulnerability
affects Java version 7u21 and earlier.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Adam
```
Metasploit: Java Applet ProviderSkeleton Insecure Invoke Method
metasploit
This module abuses the insecure invoke() method of the ProviderSkeleton class, which allows calling arbitrary static methods with user-supplied arguments. The vulnerability affects Java version 7u21 and earlier.
Bugzilla: CVE-2013-2460 OpenJDK: tracing insufficient access checks (Serviceability, 8010209)
bugzilla · 2013-06-17 · CVSS 9.3 · CVE-2013-2460 [CRITICAL]
Common Vulnerabilities and Exposures has assigned the CVE identifier CVE-2013-2460 to the following vulnerability:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability.
External References:
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
Discussion:
Upstream commit:
http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0958 https://rhn.redhat.com/errata/RHSA-2013-0958.html
Zscaler: Dissecting The CVE-2013-2460 Java Exploit | Zscaler Blog
blogs_zscaler · 2014-07-28 · CVSS 9.3 · [CRITICAL]
Recorded Future: Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
One year ago the notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged with the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new toolkits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, which CVEs they commonly leverage, and which products are the most vulnerable.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
References
- http://advisories.mageia.org/MGASA-2013-0185.html
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
- http://marc.info/?l=bugtraq&m=137545505800971&w=2
- http://rhn.redhat.com/errata/RHSA-2013-0963.html
- http://rhn.redhat.com/errata/RHSA-2013-1060.html
- http://secunia.com/advisories/54154
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www-01.ibm.com/support/docview.wss?uid=swg21642336
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:183
- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
- http://www.us-cert.gov/ncas/alerts/TA13-169A
- https://bugzilla.redhat.com/show_bug.cgi?id=975122
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17116
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19129