Summary: CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: ahughes, aneelica, aph, dbhole, djorm, erich, jerboaa, jvanek, michele, mjw, omajid, pep, rdassen, wdormann
Fixed In Version: icedtea7 2.1.4, icedtea7 2.2.4, icedtea7 2.3.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2013-01-17 11:03:31 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 894939, 894940, 894941, 894942, 895031, 895032, 895033, 895034, 895035
Description Vincent Danen 2013-01-10 21:54:16 UTC
CERT VU#625617 describes a flaw in Java 7 Update 10 and earlier, which contains an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This is currently being exploited in the wild and is reported to be incorporated into exploit kits. It is recommended that all users disable the Java browser plugin in their browsers.

http://www.kb.cert.org/vuls/id/625617

Other references:
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Comment 2 Vincent Danen 2013-01-10 22:07:06 UTC
Common Vulnerabilities and Exposures assigned an identifier to the following vulnerability:

Name: CVE-2013-0422
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Assigned: 20121207
Reference: http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Reference: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Reference: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Reference: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Reference: CERT-VN:VU#625617
Reference: http://www.kb.cert.org/vuls/id/625617

Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to "permissions of certain Java classes," as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack.
Comment 3 J.H.M. Dassen (Ray) 2013-01-10 22:31:21 UTC
Mainstream IT press is starting to pick this up now, e.g. <http://h-online.com/-1781156>, "Dangerous vulnerability in latest Java version".
Comment 8 Tomas Hoger 2013-01-11 15:09:39 UTC
Metasploit module:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_jre17_jmxbean.rb
https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/cve-2013-0422

Based on the publicly posted reproducer:
http://pastebin.com/cUG2ayjh

Decompiled embedded class:
http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
Comment 9 Mark Wielaard 2013-01-11 15:36:50 UTC
Comment 10 Tomas Hoger 2013-01-11 18:09:13 UTC
Attack vector used by the published exploit was confirmed to affect the following Java versions:

- Oracle Java SE 7 (java-1.7.0-oracle) packages shipped in Red Hat Enterprise Linux 5 and 6
- OpenJDK7 (java-1.7.0-openjdk) packages shipped in Fedora

OpenJDK7 packages in Red Hat Enterprise Linux 5 and 6 are not affected by the published exploit. This issue is currently not known to affect IBM Java SE 7 (java-1.7.0-ibm) packages, or older Java versions.
Comment 11 Eric Rich 2013-01-11 20:39:59 UTC
Have prior versions of Java been affected by this exploit, 1.6, 1.5, 1.4? makes indication of this, yet I have not seen any confirmation that prior versions are affected and vulnerable. Is this exploit limited to Java 1.7 Update 10?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
Comment 12 J.H.M. Dassen (Ray) 2013-01-11 22:25:29 UTC
Comment 13 Mark Wielaard 2013-01-11 22:45:03 UTC
This post has more technical details on how the mbeanserver and reflection mechanism are used to end up with the vulnerable DefiningClassLoader through the ContextFactory createClassLoader() method: http://seclists.org/bugtraq/2013/Jan/48
Comment 16 David Jorm 2013-01-14 01:51:59 UTC
This flaw affects users of JBoss middleware products who are using the affected implementations of Java 7 and relying on the Java security manager to control the privileges of untrusted deployed applications. A malicious deployed application could use this flaw to circumvent the controls applied by the Java security manager. Affected JBoss middleware users are advised to use a patched or unaffected implementation of Java 7. JBoss middleware users who are not using Java 7 or are not relying on the Java security manager are not affected by this flaw.
Comment 18 David Jorm 2013-01-14 04:00:15 UTC
Fixed in Oracle Java SE 7 Update 11.

https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Comment 22 Tomas Hoger 2013-01-14 10:49:27 UTC
Created java-1.7.0-openjdk tracking bugs for this issue

Affects: fedora-all [bug 895035]
Comment 23 Tomas Hoger 2013-01-14 18:59:13 UTC
Related commits in upstream OpenJDK7 repositories:
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/ecc14534318c
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/d9969a953f69
Comment 24 Tomas Hoger 2013-01-14 19:24:30 UTC
Esteban Guillardoy's (Immunity) analysis of the issues used by the published exploit to achieve code execution:
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

Adam Gowdiak's (Security Explorations) response to the above analysis, disagreeing with which issue is to be called the core problem, and which is exploitation technique:
http://seclists.org/fulldisclosure/2013/Jan/77

The Oracle fix addresses the issue in the new reflection API and its MethodHandles.Lookup.
Comment 25 errata-xmlrpc 2013-01-14 20:54:31 UTC
This issue has been addressed in following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0156 https://rhn.redhat.com/errata/RHSA-2013-0156.html
Comment 26 Tomas Hoger 2013-01-15 09:12:45 UTC
IBM PSIRT blog post with a statement indicating that IBM JDK/JRE is not affected by this issue: https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
Comment 27 Tomas Hoger 2013-01-15 12:34:23 UTC
(In reply to comment #24)
> Oracle fix addresses issue in the new reflection API and its
> MethodHandles.Lookup.

Another follow-up from Esteban Guillardoy (Immunity), pointing out that Oracle Java SE 7 Update 11 does not prevent sandboxed code from gaining a reference to restricted classes using MBeanInstantiator.findClass:
http://immunityproducts.blogspot.com/2013/01/confirmed-java-only-fixed-one-of-two.html

This currently leads to a confusing CVE description:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422

  Oracle Java 7 before Update 11 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: as of 20130114, the scope of this CVE is not clear due to the lack of technical details from Oracle, the CNA. It is currently unknown whether this CVE is related to (1) the findClass method in the MBeanInstantiator class, (2) recursive use of the Reflection API, (3) an unrelated vulnerability, or (4) a combination of two or more of these vulnerabilities. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the affected code is called differently.

The CVE is used for the combination of MBeanInstantiator and new reflection API issues to achieve code execution, even though only the reflection API issue was addressed in 7u11.
Comment 29 Tomas Hoger 2013-01-16 08:04:10 UTC
Patches integrated in upstream IcedTea versions 2.1.4, 2.2.4 and 2.3.4:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html
Comment 30 Tomas Hoger 2013-01-16 16:55:55 UTC
Comment 31 errata-xmlrpc 2013-01-16 18:27:03 UTC
This issue has been addressed in following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5

Via RHSA-2013:0165 https://rhn.redhat.com/errata/RHSA-2013-0165.html