Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Partial Security Bypass Vulnerability in Java

Disclosed March 18, 2013    No Patch Available

Vulnerability Description:

Java SE does not perform proper security checks in a family of MethodHandle resolving methods. Combined with a second partial security bypass, this can be chained into a full sandbox bypass, which could allow an attacker to run arbitrary remote code within the context of the current user.

Oracle has stated that this issue is “allowed behavior”, despite the fact that it can be used against end users.

Vendors:

Oracle

Vulnerable Software/Devices:

Java SE 7 Update 17 and prior

Vulnerability Severity:

Medium

Exploit Availability:

N/A

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner detects this vulnerability with the following audits:

  • 18545 - Oracle Java Security Bypass Remote Code Execution - Windows - JDK
  • 18546 - Oracle Java Security Bypass Remote Code Execution - Windows - JRE
  • 18547 - Oracle Java Security Bypass Remote Code Execution - UNIX/Linux - JDK
  • 18549 - Oracle Java Security Bypass Remote Code Execution - UNIX/Linux - JRE
  • 18550 - Oracle Java Security Bypass Remote Code Execution - Mac OS X

Mitigation:

Disable Java in browsers.
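Because no patch is available, inventory is the first defensive step: knowing which hosts run a Java runtime in the affected range decides where the browser plug-in needs to be disabled first. The following POSIX shell script is an added example, not BeyondTrust or Retina code. It parses the `java -version` banner (a constructed sample is embedded so the script runs without Java installed) and classifies the version against the advisory's stated range, "Java SE 7 Update 17 and prior", read literally: Java 7 at update 17 or lower, and any earlier major version, are reported as affected. The `classify_java_version` and `check_installed_java` names are the example's own.

```shell
#!/bin/sh
# Added example: flag Java runtimes in the advisory's affected range
# ("Java SE 7 Update 17 and prior"). Not BeyondTrust code.

# Constructed sample of a `java -version` banner (the JVM prints it on stderr).
SAMPLE_VERSION_OUTPUT='java version "1.7.0_17"
Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)'

# Pull the quoted version string (e.g. 1.7.0_17) out of a version banner.
# Matches both 'java version "..."' and 'openjdk version "..."'.
extract_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Exit 0 when the version is in the affected range, 1 when it is not,
# 2 when the string cannot be parsed as a Java version.
# Handles legacy 1.<major>.0_<update> numbering (Java 8 and earlier) and the
# <major>.<minor>.<patch> numbering used by Java 9 and later.
is_vulnerable_version() {
    ver=$1
    first=${ver%%.*}
    if [ "$first" = "1" ]; then
        rest=${ver#1.}
        major=${rest%%.*}
    else
        major=$first
    fi
    case $ver in
        *_*) update=${ver##*_}; update=${update%%[!0-9]*} ;;  # strip "-b02" etc.
        *)   update=0 ;;                                     # GA release, no update
    esac
    case $major in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ -z "$update" ] && update=0
    # Literal reading of "Java SE 7 Update 17 and prior".
    if [ "$major" -lt 7 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$update" -le 17 ]; then return 0; fi
    return 1
}

# Human-readable verdict for a version string: AFFECTED, NOT-AFFECTED or UNKNOWN.
classify_java_version() {
    is_vulnerable_version "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "AFFECTED" ;;
        1) echo "NOT-AFFECTED" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Check the java binary on PATH, if any, using the functions above.
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "java not found on PATH"
        return 0
    fi
    out=$(java -version 2>&1) || true
    installed=$(extract_java_version "$out")
    echo "installed java ${installed:-?}: $(classify_java_version "$installed")"
}

# Demonstration on the constructed sample, then on the local host.
sample_ver=$(extract_java_version "$SAMPLE_VERSION_OUTPUT")
echo "sample banner: $sample_ver -> $(classify_java_version "$sample_ver")"
check_installed_java
```

The script only inspects a runtime's version and says nothing about whether the browser plug-in is enabled; a host reporting AFFECTED still needs Java disabled in its browsers as the advisory recommends, and the Retina audits listed above remain the network-wide check. Java 6 and earlier have no MethodHandle API, so the literal "and prior" range is deliberately conservative.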

Links:

CVE(s):

None