CVE-2013-2423
high-risk
Published 2013-04-17
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
Do I need to act?
93.4% chance of exploitation in next 30 days (EPSS score, higher than 7% of all CVEs)
CISA KEV: actively exploited in the wild. On the Known Exploited Vulnerabilities catalog; federal agencies must patch.
1 public exploit available
Patch status unknown. Check vendor advisories for fix availability and mitigation guidance.
CVSS 3.7/10 (Low): attack vector NETWORK, attack complexity HIGH
References (33)
http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html (Not Applicable)
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html (Third Party Advisory)
http://rhn.redhat.com/errata/RHSA-2013-0752.html (Third Party Advisory)
http://rhn.redhat.com/errata/RHSA-2013-0757.html (Third Party Advisory)
http://security.gentoo.org/glsa/glsa-201406-32.xml (Third Party Advisory)
http://www.exploit-db.com/exploits/24976 (Third Party Advisory)
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161 (Third Party Advisory)
http://www.ubuntu.com/usn/USN-1806-1 (Third Party Advisory)
http://www.us-cert.gov/ncas/alerts/TA13-107A (Third Party Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=952398 (Issue Tracking)
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130 (Third Party Advisory)
and 13 more references
Score 65/100: high-risk
Severity: 13/34 (Low)
Exploitability: 34/34 (Critical)
Exposure: 18/34 (Moderate)