A flaw was found in the java.beans MethodElementHandler implementation. Java code running in the Java sandbox could use this flaw to bypass sandbox restrictions and run arbitrary code with the privileges of the Java Virtual Machine.
Public now via Oracle Java SE 7 Update 7:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
External Reference: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Upstream fix, as applied in IcedTea 7 2.3 repositories: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/5f709891901c
OpenJDK7 repositories commit: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/83163c4895e3
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 via RHSA-2012:1223 https://rhn.redhat.com/errata/RHSA-2012-1223.html
Fixed in IcedTea versions 2.1.2, 2.2.2 and 2.3.2:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020127.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020144.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-September/020151.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 via RHSA-2012:1225 https://rhn.redhat.com/errata/RHSA-2012-1225.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html