CERT VU#625617 [1] describes a flaw in Java 7 Update 10 and earlier, which contains an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This is currently being exploited in the wild and is reported to be incorporated into exploit kits. It is recommended that all users disable the Java browser plugin in their browsers.

[1] http://www.kb.cert.org/vuls/id/625617

Other references:
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Common Vulnerabilities and Exposures assigned an identifier to the following vulnerability:

Name: CVE-2013-0422
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Assigned: 20121207
Reference: http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Reference: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Reference: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Reference: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Reference: CERT-VN:VU#625617
Reference: http://www.kb.cert.org/vuls/id/625617

Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to "permissions of certain Java classes," as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack.
Mainstream IT press is starting to pick this up now, e.g. <http://h-online.com/-1781156>, "Dangerous vulnerability in latest Java version".
Metasploit module:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_jre17_jmxbean.rb
https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/cve-2013-0422

Based on the publicly posted reproducer: http://pastebin.com/cUG2ayjh

Decompiled embedded class: http://www.reddit.com/r/netsec/comments/16b4n1/0day_exploit_fo_java_17u10_spotted_in_the_wild/c7ulpd7
source: https://github.com/rapid7/metasploit-framework/tree/master/external/source/exploits/cve-2013-0422
The attack vector used by the published exploit was confirmed to affect the following Java versions:

- Oracle Java SE 7 (java-1.7.0-oracle) packages shipped in Red Hat Enterprise Linux 5 and 6
- OpenJDK7 (java-1.7.0-openjdk) packages shipped in Fedora

OpenJDK7 packages in Red Hat Enterprise Linux 5 and 6 are not affected by the published exploit. This issue is currently not known to affect IBM Java SE 7 (java-1.7.0-ibm) packages, or older Java versions.
Have prior versions of Java been affected by this exploit, 1.6, 1.5, 1.4? [0] makes an indication of this, yet I have not seen any confirmation that prior versions are affected and vulnerable. Is this exploit limited to Java 1.7 Update 10?

[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
Further mainstream IT press coverage: <http://arstechnica.com/security/2013/01/critical-java-vulnerability-made-possible-by-earlier-incomplete-patch/>, <http://reviews.cnet.com/8301-13727_7-57563567-263/new-malware-exploiting-java-7-in-windows-and-unix-systems/>
This post has more technical details on how the mbeanserver and reflection mechanism are used to end up with the vulnerable DefiningClassLoader through the ContextFactory createClassLoader() method: http://seclists.org/bugtraq/2013/Jan/48
This flaw affects users of JBoss middleware products who are using the affected implementations of Java 7 and relying on the Java security manager to control the privileges of untrusted deployed applications. A malicious deployed application could use this flaw to circumvent the controls applied by the Java security manager. Affected JBoss middleware users are advised to use a patched or unaffected implementation of Java 7. JBoss middleware users who are not using Java 7 or are not relying on the Java security manager are not affected by this flaw.
Fixed in Oracle Java SE 7 Update 11.

https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

External Reference: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Created java-1.7.0-openjdk tracking bugs for this issue

Affects: fedora-all [bug 895035]
Related commits in upstream OpenJDK7 repositories:
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/ecc14534318c
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/d9969a953f69
Esteban Guillardoy's (Immunity) analysis of the issues used by the published exploit to achieve code execution:
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

Adam Gowdiak's (Security Explorations) response to the above analysis, disagreeing with which issue is to be called the core problem, and which is the exploitation technique:
http://seclists.org/fulldisclosure/2013/Jan/77

Oracle's fix addresses the issue in the new reflection API and its MethodHandles.Lookup.
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0156 https://rhn.redhat.com/errata/RHSA-2013-0156.html
IBM PSIRT blog post with a statement indicating that IBM JDK/JRE is not affected by this issue: https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
(In reply to comment #24)
> Oracle fix addresses issue in the new reflection API and its
> MethodHandles.Lookup.

Another follow-up from Esteban Guillardoy (Immunity), pointing out that Oracle Java SE 7 Update 11 does not prevent sandboxed code from gaining a reference to restricted classes using MBeanInstantiator.findClass:
http://immunityproducts.blogspot.com/2013/01/confirmed-java-only-fixed-one-of-two.html

This currently leads to a confusing CVE description:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422

Oracle Java 7 before Update 11 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: as of 20130114, the scope of this CVE is not clear due to the lack of technical details from Oracle, the CNA. It is currently unknown whether this CVE is related to (1) the findClass method in the MBeanInstantiator class, (2) recursive use of the Reflection API, (3) an unrelated vulnerability, or (4) a combination of two or more of these vulnerabilities. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the affected code is called differently.

The CVE is used for the combination of the MBeanInstantiator and new reflection API issues to achieve code execution, even though only the reflection API issue was addressed in 7u11.
Patches integrated in upstream IcedTea versions 2.1.4, 2.2.4 and 2.3.4: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html
As noted in comment 10, the public exploit did not achieve a sandbox bypass with OpenJDK 7 packages in Red Hat Enterprise Linux 5 and 6 because of the different behavior of the sun.org.mozilla.javascript package. The underlying issue in the reflection API exists in those packages and is fixed in upcoming updates to ensure it cannot be exploited some other way.

Red Hat Enterprise Linux 5 and 6 currently do not provide any browser plugin for use with OpenJDK 7 packages. Red Hat Enterprise Linux 6 includes the IcedTea-Web browser plugin (in the icedtea-web package), which currently only uses OpenJDK 6 packages (java-1.6.0-openjdk).
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5

Via RHSA-2013:0165 https://rhn.redhat.com/errata/RHSA-2013-0165.html
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0626 https://rhn.redhat.com/errata/RHSA-2013-0626.html