Bug 906447 (CVE-2013-0431)

Summary: CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahughes, dbhole, jerboaa, jon.vanalten, jvanek, lkundrak, mjw, mmatejov, omajid
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: icedtea7 2.1.5, icedtea7 2.2.5, icedtea7 2.3.6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-12 09:21:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 906458, 906729    

Description Jan Lieskovsky 2013-01-31 16:27:55 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0431 to the following vulnerability:

Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 52," a different vulnerability than CVE-2013-1490. NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed by vendors.

References:
[1] http://www.securityfocus.com/archive/1/525387/30/0/threaded
[2] http://seclists.org/fulldisclosure/2013/Jan/142
[3] http://seclists.org/fulldisclosure/2013/Jan/195
[4] http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/
[5] http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53
[6] http://www.informationweek.com/security/application-security/java-hacker-uncovers-two-flaws-in-latest/240146717
Comment 1 Tomas Hoger 2013-02-01 21:13:11 UTC 
Fixed now in Oracle Java SE 7 Update 13.

External references:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Comment 2 Tomas Hoger 2013-02-04 16:05:05 UTC 
Upstream commit, as included in IcedTea7 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/b09c28ff798f
Comment 3 Tomas Hoger 2013-02-04 17:51:29 UTC 
Additional details from Adam Gowdiak of Security Explorations:

http://seclists.org/fulldisclosure/2013/Feb/12

  [Issue 52]
  Issue 52 relies on the possibility to call no-argument methods
  on arbitrary objects or classes. The vulnerability has its origin
  in com.sun.jmx.mbeanserver.Introspector class which is located
  in the same package as the infamous MBeanInstantiator bug found
  in the wild in early Jan 2013. The flaw stems from insecure call
  to invoke method of java.lang.reflect.Method class:
  
           if (method != null)
                 return method.invoke(obj, new Object[0]);
  
  In our Proof of Concept code we exploit the above implementation
  by making a call to getDeclaredMethods method of java.lang.Class
  class to gain access to methods of restricted classes. This is
  accomplished with the use of the following code sequence:
  
  Introspector.elementFromComplex((Object)clazz,"declaredMethods")
  
  Access to public method objects of arbitrary restricted classes
  is sufficient to achieve a complete Java VM security sandbox
  compromise. We make use of DefiningClassLoader exploit vector
  for that purpose.

Original report:
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf
Comment 4 errata-xmlrpc 2013-02-04 23:54:45 UTC 
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0237 https://rhn.redhat.com/errata/RHSA-2013-0237.html
Comment 6 errata-xmlrpc 2013-02-08 19:26:49 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0247 https://rhn.redhat.com/errata/RHSA-2013-0247.html
Comment 7 Tomas Hoger 2013-02-14 10:20:09 UTC 
Fixed in upstream IcedTea versions IcedTea7 2.1.5, 2.2.5, and 2.3.6:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021905.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021876.html

Note that version 2.3.5 was tagged in upstream mercurial including the security fixes, but was not released.  Only 2.3.6 was released, correcting problem introduced by security patches as included in 2.3.5.
Comment 8 errata-xmlrpc 2013-03-11 18:58:11 UTC 
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0626 https://rhn.redhat.com/errata/RHSA-2013-0626.html
Comment 9 Tomas Hoger 2013-03-13 23:13:56 UTC 
Exploit for this issue is part of Metasploit:

https://github.com/rapid7/metasploit-framework/tree/master/external/source/exploits/cve-2013-0431