Bug 894172 (CVE-2013-0422) - CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
Summary: CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0422
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 894939 894940 894941 894942 895031 895032 895033 895034 895035
Blocks: 894173
Reported: 2013-01-10 21:54 UTC by Vincent Danen
Modified: 2021-02-04 00:48 UTC (History)
CC List: 14 users

Fixed In Version: icedtea7 2.1.4, icedtea7 2.2.4, icedtea7 2.3.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-17 11:03:31 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status        Summary                                        Last Updated
Red Hat Product Errata  RHSA-2013:0156  0        normal    SHIPPED_LIVE  Critical: java-1.7.0-oracle security update    2013-01-15 01:54:05 UTC
Red Hat Product Errata  RHSA-2013:0165  0        normal    SHIPPED_LIVE  Important: java-1.7.0-openjdk security update  2013-01-16 23:24:09 UTC
Red Hat Product Errata  RHSA-2013:0626  0        normal    SHIPPED_LIVE  Critical: java-1.7.0-ibm security update       2013-11-15 00:14:33 UTC

Description Vincent Danen 2013-01-10 21:54:16 UTC
CERT VU#625617 [1] describes a flaw in Java 7 Update 10 and earlier, which contains an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

This is currently being exploited in the wild and is reported to be incorporated into exploit kits. It is recommended that all users disable the Java browser plugin in their browsers.

[1] http://www.kb.cert.org/vuls/id/625617

Other references:

http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/

Comment 2 Vincent Danen 2013-01-10 22:07:06 UTC
Common Vulnerabilities and Exposures assigned an identifier to the following vulnerability:

Name: CVE-2013-0422
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Assigned: 20121207
Reference: http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Reference: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Reference: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Reference: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Reference: CERT-VN:VU#625617
Reference: http://www.kb.cert.org/vuls/id/625617

Unspecified vulnerability in Oracle Java 7 Update 10 and earlier
allows remote attackers to execute arbitrary code via unknown vectors,
possibly related to "permissions of certain Java classes," as
exploited in the wild in January 2013, and as demonstrated by
Blackhole and Nuclear Pack.

Comment 3 J.H.M. Dassen (Ray) 2013-01-10 22:31:21 UTC
Mainstream IT press is starting to pick this up now, e.g. <http://h-online.com/-1781156>, "Dangerous vulnerability in latest Java version".

Comment 10 Tomas Hoger 2013-01-11 18:09:13 UTC
The attack vector used by the published exploit was confirmed to affect the following Java versions:

- Oracle Java SE 7 (java-1.7.0-oracle) packages shipped in Red Hat Enterprise Linux 5 and 6
- OpenJDK7 (java-1.7.0-openjdk) packages shipped in Fedora

OpenJDK7 packages in Red Hat Enterprise Linux 5 and 6 are not affected by the published exploit.

This issue is currently not known to affect IBM Java SE 7 (java-1.7.0-ibm) packages, or older Java versions.

Comment 11 Eric Rich 2013-01-11 20:39:59 UTC
Have prior versions of Java (1.6, 1.5, 1.4) been affected by this exploit?

[0] makes an indication of this, yet I have not seen any confirmation that prior versions are affected and vulnerable.

Is this exploit limited to Java 1.7 Update 10?

[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422

Comment 13 Mark Wielaard 2013-01-11 22:45:03 UTC
This post has more technical details on how the mbeanserver and reflection mechanism are used to end up with the vulnerable DefiningClassLoader through the ContextFactory createClassLoader() method:
http://seclists.org/bugtraq/2013/Jan/48

Comment 16 David Jorm 2013-01-14 01:51:59 UTC
This flaw affects users of JBoss middleware products who are using the affected implementations of Java 7 and relying on the Java security manager to control the privileges of untrusted deployed applications. A malicious deployed application could use this flaw to circumvent the controls applied by the Java security manager. Affected JBoss middleware users are advised to use a patched or unaffected implementation of Java 7. JBoss middleware users who are not using Java 7 or are not relying on the Java security manager are not affected by this flaw.

Comment 22 Tomas Hoger 2013-01-14 10:49:27 UTC
Created java-1.7.0-openjdk tracking bugs for this issue

Affects: fedora-all [bug 895035]

Comment 23 Tomas Hoger 2013-01-14 18:59:13 UTC
Related commits in upstream OpenJDK7 repositories:

http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/ecc14534318c
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/d9969a953f69

Comment 24 Tomas Hoger 2013-01-14 19:24:30 UTC
Esteban Guillardoy's (Immunity) analysis of the issues used by the published exploit to achieve code execution:

https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

Adam Gowdiak's (Security Explorations) response to the above analysis, disagreeing about which issue is to be called the core problem and which is the exploitation technique:

http://seclists.org/fulldisclosure/2013/Jan/77

Oracle's fix addresses the issue in the new reflection API and its MethodHandles.Lookup.

Comment 25 errata-xmlrpc 2013-01-14 20:54:31 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0156 https://rhn.redhat.com/errata/RHSA-2013-0156.html

Comment 26 Tomas Hoger 2013-01-15 09:12:45 UTC
IBM PSIRT blog post with a statement indicating that IBM JDK/JRE is not affected by this issue:

https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us

Comment 27 Tomas Hoger 2013-01-15 12:34:23 UTC
(In reply to comment #24)
> Oracle fix addresses issue in the new reflection API and its
> MethodHandles.Lookup.

Another follow-up from Esteban Guillardoy (Immunity), pointing out that Oracle Java SE 7 Update 11 does not prevent sandboxed code from gaining a reference to restricted classes using MBeanInstantiator.findClass:

http://immunityproducts.blogspot.com/2013/01/confirmed-java-only-fixed-one-of-two.html

This currently leads to a confusing CVE description:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422

  Oracle Java 7 before Update 11 allows remote attackers to execute arbitrary
  code via unspecified vectors, as exploited in the wild in January 2013, as
  demonstrated by Blackhole and Nuclear Pack, and a different vulnerability
  than CVE-2012-4681 and CVE-2012-3174. NOTE: as of 20130114, the scope of this
  CVE is not clear due to the lack of technical details from Oracle, the CNA.
  It is currently unknown whether this CVE is related to (1) the findClass
  method in the MBeanInstantiator class, (2) recursive use of the Reflection
  API, (3) an unrelated vulnerability, or (4) a combination of two or more of
  these vulnerabilities. NOTE: it was originally reported that Java 6 was also
  vulnerable, but the reporter has retracted this claim, stating that Java 6
  is not exploitable because the affected code is called differently.

The CVE is used for the combination of MBeanInstantiator and new reflection API issues to achieve code execution, even though only the reflection API issue was addressed in 7u11.

Comment 29 Tomas Hoger 2013-01-16 08:04:10 UTC
Patches integrated in upstream IcedTea versions 2.1.4, 2.2.4 and 2.3.4:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html
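
The IcedTea releases named in the Fixed In Version field and in comment 29 can be checked against an installed JDK. The shell script below is an added example and is not part of this bug report or of the IcedTea project. It assumes that `java -version` prints the IcedTea7 release either as `(IcedTea7 X.Y.Z)` or embedded in a distribution tag such as `(rhel-X.Y.Z...)` or `(fedora-X.Y.Z...)`, and that a release at or above 2.1.4, 2.2.4 or 2.3.4 on its own branch carries the fix. The sample `java -version` outputs inside the script are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of this bug report or of IcedTea: decide whether an
# OpenJDK 7 build carries the CVE-2013-0422 fix from the IcedTea7 release that
# `java -version` prints, using the "Fixed In Version" values of this bug
# (icedtea7 2.1.4, 2.2.4, 2.3.4). Other IcedTea branches, Oracle JDK and IBM JDK
# are out of scope and are reported as unknown rather than as fixed.

# icedtea_version: read `java -version` output on stdin and print the first
# IcedTea7 release found. Assumed formats (not taken from this bug):
#   OpenJDK Runtime Environment (IcedTea7 2.3.3) (...)            -> 2.3.3
#   OpenJDK Runtime Environment (rhel-2.3.4.1.el6-x86_64)         -> 2.3.4
#   OpenJDK Runtime Environment (fedora-2.3.3.fc17-x86_64)        -> 2.3.3
icedtea_version() {
    sed -n \
        -e 's/.*IcedTea7 \([0-9][0-9.]*\).*/\1/p' \
        -e 's/.*(rhel-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        -e 's/.*(fedora-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# icedtea_fixed X.Y.Z
#   returns 0 when the release is at or above the fixed release of its branch
#   returns 1 when it is on the 2.1, 2.2 or 2.3 branch but below the fix
#   returns 2 when it is on a branch this bug does not cover
icedtea_fixed() {
    ver="$1"
    case "$ver" in
        *.*.*) ;;
        *) return 2 ;;          # not an X.Y.Z release string
    esac
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    patch="${patch%%.*}"        # "2.3.4.1" -> 4; a later micro release still has the fix
    case "$major.$minor" in
        2.1|2.2|2.3)
            if [ "$patch" -ge 4 ]; then return 0; else return 1; fi ;;
        *)
            return 2 ;;
    esac
}

# check_java_version_output "<captured java -version text>"
# Prints a verdict and returns icedtea_fixed's code (2 if no release was found).
check_java_version_output() {
    ver=$(printf '%s\n' "$1" | icedtea_version)
    if [ -z "$ver" ]; then
        echo "unknown: no IcedTea7 release in the output (not an IcedTea build?)"
        return 2
    fi
    rc=0
    icedtea_fixed "$ver" || rc=$?
    case "$rc" in
        0) echo "IcedTea7 $ver: at or above the fixed release, CVE-2013-0422 fix present" ;;
        1) echo "IcedTea7 $ver: below the fixed release, update to 2.1.4 / 2.2.4 / 2.3.4 or later" ;;
        *) echo "IcedTea7 $ver: branch not covered by this bug, check its own advisories" ;;
    esac
    return "$rc"
}

# Constructed sample outputs in the assumed formats (not captured from a real
# system); the third line of a real `java -version` is omitted as unused.
SAMPLE_OLD='java version "1.7.0_09"
OpenJDK Runtime Environment (IcedTea7 2.3.3) (constructed sample)'
SAMPLE_FIXED='java version "1.7.0_11"
OpenJDK Runtime Environment (IcedTea7 2.3.4) (constructed sample)'
SAMPLE_RHEL='java version "1.7.0_09-icedtea"
OpenJDK Runtime Environment (rhel-2.3.4.1.el6-x86_64)'

# Stand-alone run: the samples first, then the local java if one is installed
# (`java -version` writes to stderr, hence the 2>&1).
check_java_version_output "$SAMPLE_OLD" || true
check_java_version_output "$SAMPLE_FIXED" || true
check_java_version_output "$SAMPLE_RHEL" || true
if command -v java >/dev/null 2>&1; then
    check_java_version_output "$(java -version 2>&1)" || true
fi
```

The verdict is deliberately three-valued: a release string the script does not recognise, or a branch other than 2.1, 2.2 and 2.3, is reported as unknown rather than as fixed, so a scan over many hosts cannot quietly mark an Oracle or IBM JDK as patched on the strength of this bug's version list.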

Comment 30 Tomas Hoger 2013-01-16 16:55:55 UTC
As noted in comment 10, the public exploit did not achieve a sandbox bypass with the OpenJDK 7 packages in Red Hat Enterprise Linux 5 and 6 because of the different behavior of the sun.org.mozilla.javascript package. The underlying issue in the reflection API exists in those packages and is fixed in upcoming updates to ensure it cannot be exploited some other way.

Red Hat Enterprise Linux 5 and 6 currently do not provide any browser plugin for use with OpenJDK 7 packages. Red Hat Enterprise Linux 6 includes the IcedTea-Web browser plugin (in the icedtea-web package), which currently only uses OpenJDK 6 packages (java-1.6.0-openjdk).

Comment 31 errata-xmlrpc 2013-01-16 18:27:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2013:0165 https://rhn.redhat.com/errata/RHSA-2013-0165.html

Comment 33 errata-xmlrpc 2013-03-11 18:57:58 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0626 https://rhn.redhat.com/errata/RHSA-2013-0626.html
