The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401 [2] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157 [3] http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/ [4] https://twitter.com/thezdi/status/309784608508100608
Public now via Oracle Java SE CPU April 2014: http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html Fixed in Oracle Java SE 7u21 and 6u45.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
OpenJDK7 upstream repositories commit: http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2013:0758 https://rhn.redhat.com/errata/RHSA-2013-0758.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0757 https://rhn.redhat.com/errata/RHSA-2013-0757.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:0770 https://rhn.redhat.com/errata/RHSA-2013-0770.html
Fixed in IcedTea6 versions 1.11.10 and 1.12.5, and IcedTea7 version 2.3.9: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022890.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022985.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0823 https://rhn.redhat.com/errata/RHSA-2013-0823.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0822 https://rhn.redhat.com/errata/RHSA-2013-0822.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0855 https://rhn.redhat.com/errata/RHSA-2013-0855.html
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.5 Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html