Red Hat Bugzilla – Bug 906447
CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
Last modified: 2013-03-13 19:13:56 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0431 to the following vulnerability: Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 52," a different vulnerability than CVE-2013-1490. NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed by vendors. References: [1] http://www.securityfocus.com/archive/1/525387/30/0/threaded [2] http://seclists.org/fulldisclosure/2013/Jan/142 [3] http://seclists.org/fulldisclosure/2013/Jan/195 [4] http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/ [5] http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53 [6] http://www.informationweek.com/security/application-security/java-hacker-uncovers-two-flaws-in-latest/240146717
Fixed now in Oracle Java SE 7 Update 13. External references: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Upstream commit, as included in IcedTea7 repositories: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/b09c28ff798f
Additional details from Adam Gowdiak of Security Explorations: http://seclists.org/fulldisclosure/2013/Feb/12 [Issue 52] Issue 52 relies on the possibility to call no-argument methods on arbitrary objects or classes. The vulnerability has its origin in com.sun.jmx.mbeanserver.Introspector class which is located in the same package as the infamous MBeanInstantiator bug found in the wild in early Jan 2013. The flaw stems from insecure call to invoke method of java.lang.reflect.Method class: if (method != null) return method.invoke(obj, new Object[0]); In our Proof of Concept code we exploit the above implementation by making a call to getDeclaredMethods method of java.lang.Class class to gain access to methods of restricted classes. This is accomplished with the use of the following code sequence: Introspector.elementFromComplex((Object)clazz,"declaredMethods") Access to public method objects of arbitrary restricted classes is sufficient to achieve a complete Java VM security sandbox compromise. We make use of DefiningClassLoader exploit vector for that purpose. Original report: http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0237 https://rhn.redhat.com/errata/RHSA-2013-0237.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:0247 https://rhn.redhat.com/errata/RHSA-2013-0247.html
Fixed in upstream IcedTea versions IcedTea7 2.1.5, 2.2.5, and 2.3.6: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021905.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021876.html Note that version 2.3.5 was tagged in upstream mercurial including the security fixes, but was not released. Only 2.3.6 was released, correcting problem introduced by security patches as included in 2.3.5.
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0626 https://rhn.redhat.com/errata/RHSA-2013-0626.html
Exploit for this issue is part of Metasploit: https://github.com/rapid7/metasploit-framework/tree/master/external/source/exploits/cve-2013-0431