CVE-2012-4681
Published: 28 August 2012
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
Priority
Medium
Status
| Package | Release | Status |
|---|---|---|
|
icedtea-web Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| quantal |
Not vulnerable
|
|
| raring |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
openjdk-6 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(reached end-of-life)
|
| lucid |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
(tested with exploit)
|
|
| quantal |
Not vulnerable
|
|
| raring |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
openjdk-6b18 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
openjdk-7 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Released
(7u9-2.3.3-0ubuntu1~11.10.1)
|
|
| precise |
Not vulnerable
(7u7-2.3.2-1ubuntu0.12.04.1)
|
|
| quantal |
Not vulnerable
(7u7-2.3.2-1ubuntu1)
|
|
| raring |
Not vulnerable
(7u7-2.3.2-1ubuntu1)
|
|
| upstream |
Needs triage
|
|
|
sun-java5 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(upstream sun-java5 is EoL)
|
| lucid |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
sun-java6 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(upstream version is not redistributable)
|
| lucid |
Does not exist
(removed from archive)
|
|
| natty |
Does not exist
(removed from archive)
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| upstream |
Needs triage
|
Notes
| Author | Note |
|---|---|
| mdeslaur | in lucid+, NetX and the plugin moved to the icedtea-web package |
| tyhicks | Per oss-security thread, OpenJDK <= 7u4-b31 is also affected sbeattie verified that the openjdk vulnerability test does not work on openjdk-6 in precise |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4681
- https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
- http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
- http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
- http://seclists.org/oss-sec/2012/q3/308
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html
- NVD
- Launchpad
- Debian