Bug 906447 (CVE-2013-0431)
Summary: | CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ahughes, dbhole, jerboaa, jon.vanalten, jvanek, lkundrak, mjw, mmatejov, omajid |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | icedtea7 2.1.5, icedtea7 2.2.5, icedtea7 2.3.6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-03-12 09:21:44 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 906458, 906729 |
Description
Jan Lieskovsky
2013-01-31 16:27:55 UTC
Fixed now in Oracle Java SE 7 Update 13. External references: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html Upstream commit, as included in IcedTea7 repositories: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/b09c28ff798f Additional details from Adam Gowdiak of Security Explorations: http://seclists.org/fulldisclosure/2013/Feb/12 [Issue 52] Issue 52 relies on the possibility to call no-argument methods on arbitrary objects or classes. The vulnerability has its origin in com.sun.jmx.mbeanserver.Introspector class which is located in the same package as the infamous MBeanInstantiator bug found in the wild in early Jan 2013. The flaw stems from insecure call to invoke method of java.lang.reflect.Method class: if (method != null) return method.invoke(obj, new Object[0]); In our Proof of Concept code we exploit the above implementation by making a call to getDeclaredMethods method of java.lang.Class class to gain access to methods of restricted classes. This is accomplished with the use of the following code sequence: Introspector.elementFromComplex((Object)clazz,"declaredMethods") Access to public method objects of arbitrary restricted classes is sufficient to achieve a complete Java VM security sandbox compromise. We make use of DefiningClassLoader exploit vector for that purpose. Original report: http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0237 https://rhn.redhat.com/errata/RHSA-2013-0237.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:0247 https://rhn.redhat.com/errata/RHSA-2013-0247.html Fixed in upstream IcedTea versions IcedTea7 2.1.5, 2.2.5, and 2.3.6: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021905.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021876.html Note that version 2.3.5 was tagged in upstream mercurial including the security fixes, but was not released. Only 2.3.6 was released, correcting problem introduced by security patches as included in 2.3.5. This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0626 https://rhn.redhat.com/errata/RHSA-2013-0626.html Exploit for this issue is part of Metasploit: https://github.com/rapid7/metasploit-framework/tree/master/external/source/exploits/cve-2013-0431 |