876387 – (CVE-2012-4821) CVE-2012-4821 IBM JDK: getDeclaredMethods() and setAccessible() code execution

Bug 876387 (CVE-2012-4821) - CVE-2012-4821 IBM JDK: getDeclaredMethods() and setAccessible() code execution

Summary: CVE-2012-4821 IBM JDK: getDeclaredMethods() and setAccessible() code execution

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-4821
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	862579
TreeView+	depends on / blocked

Reported:	2012-11-14 00:43 UTC by Vincent Danen
Modified:	2021-02-17 08:24 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-11-16 07:40:03 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:1467	0	normal	SHIPPED_LIVE	Critical: java-1.7.0-ibm security update	2012-11-16 02:06:24 UTC

Description Vincent Danen 2012-11-14 00:43:17 UTC

IBM Java could allow a remote attacker to execute arbitrary code on the system, caused by insecure use of the java.lang.Class getDeclaredMethods() and java.lang.reflect.AccessibleObject setAccessible() methods. By persuading a victim to visit a malicious Web site containing a specially-crafted applet, an attacker could exploit this vulnerability to bypass sandbox restrictions and execute arbitrary Java code.

External Reference:

http://xforce.iss.net/xforce/xfdb/78765

Comment 1 Tomas Hoger 2012-11-14 08:24:19 UTC

Other references:

http://www-01.ibm.com/support/docview.wss?uid=swg21616617
http://seclists.org/bugtraq/2012/Sep/38
http://www.security-explorations.com/en/SE-2012-01.html

Comment 2 errata-xmlrpc 2012-11-15 21:09:56 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1467 https://rhn.redhat.com/errata/RHSA-2012-1467.html

Comment 3 Jan Lieskovsky 2013-01-11 13:25:45 UTC

Other references:
  http://www-01.ibm.com/support/docview.wss?uid=swg21615705
  http://www-01.ibm.com/support/docview.wss?uid=swg21615800
  http://www-01.ibm.com/support/docview.wss?uid=swg21616490
  http://www-01.ibm.com/support/docview.wss?uid=swg21616594
  http://www-01.ibm.com/support/docview.wss?uid=swg21616616
  http://www-01.ibm.com/support/docview.wss?uid=swg21616617
  http://www-01.ibm.com/support/docview.wss?uid=swg21616652
  http://www-01.ibm.com/support/docview.wss?uid=swg21616708
  http://www-01.ibm.com/support/docview.wss?uid=swg21621154
  https://www-304.ibm.com/support/docview.wss?uid=swg21616546
  http://www-01.ibm.com/support/docview.wss?uid=swg1IV29659
  http://www.securityfocus.com/bid/55495
  http://secunia.com/advisories/51634

Note You need to log in before you can comment on or make changes to this bug.