CVE-2013-2426 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update

CVE-2013-2426

Summary

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect invocation of the defaultReadObject method in the ConcurrentHashMap class, which allows remote attackers to bypass the Java sandbox.

References

Vulnerable Configurations

cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 19-09-2017 - 01:36)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

oval via4

accepted

2013-06-03T04:03:25.961-04:00

class

vulnerability

contributors

name	Sergey Artykhov
organization	ALTX-SOFT

definition_extensions

comment	Java SE Runtime Environment 7 is installed
oval	oval:org.mitre.oval:def:16050

description

family

windows

oval:org.mitre.oval:def:16683

status

accepted

submitted

2013-04-17T10:26:26.748+04:00

title

Vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and before.Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.

version

redhat via4

advisories

rhsa
id RHSA-2013:0752
rhsa
id RHSA-2013:0757

rpms

java-1.7.0-openjdk-1:1.7.0.19-2.3.9.1.el6_4
java-1.7.0-openjdk-debuginfo-1:1.7.0.19-2.3.9.1.el6_4
java-1.7.0-openjdk-demo-1:1.7.0.19-2.3.9.1.el6_4
java-1.7.0-openjdk-devel-1:1.7.0.19-2.3.9.1.el6_4
java-1.7.0-openjdk-javadoc-1:1.7.0.19-2.3.9.1.el6_4
java-1.7.0-openjdk-src-1:1.7.0.19-2.3.9.1.el6_4
java-1.7.0-openjdk-1:1.7.0.19-2.3.9.1.el5_9
java-1.7.0-openjdk-debuginfo-1:1.7.0.19-2.3.9.1.el5_9
java-1.7.0-openjdk-demo-1:1.7.0.19-2.3.9.1.el5_9
java-1.7.0-openjdk-devel-1:1.7.0.19-2.3.9.1.el5_9
java-1.7.0-openjdk-javadoc-1:1.7.0.19-2.3.9.1.el5_9
java-1.7.0-openjdk-src-1:1.7.0.19-2.3.9.1.el5_9
java-1.7.0-oracle-1:1.7.0.21-1jpp.1.el5
java-1.7.0-oracle-1:1.7.0.21-1jpp.1.el6
java-1.7.0-oracle-devel-1:1.7.0.21-1jpp.1.el5
java-1.7.0-oracle-devel-1:1.7.0.21-1jpp.1.el6
java-1.7.0-oracle-javafx-1:1.7.0.21-1jpp.1.el5
java-1.7.0-oracle-javafx-1:1.7.0.21-1jpp.1.el6
java-1.7.0-oracle-jdbc-1:1.7.0.21-1jpp.1.el5
java-1.7.0-oracle-jdbc-1:1.7.0.21-1jpp.1.el6
java-1.7.0-oracle-plugin-1:1.7.0.21-1jpp.1.el5
java-1.7.0-oracle-plugin-1:1.7.0.21-1jpp.1.el6
java-1.7.0-oracle-src-1:1.7.0.21-1jpp.1.el5
java-1.7.0-oracle-src-1:1.7.0.21-1jpp.1.el6
java-1.6.0-openjdk-1:1.6.0.0-1.40.1.11.11.el5_9
java-1.6.0-openjdk-1:1.6.0.0-1.61.1.11.11.el6_4
java-1.6.0-openjdk-debuginfo-1:1.6.0.0-1.40.1.11.11.el5_9
java-1.6.0-openjdk-debuginfo-1:1.6.0.0-1.61.1.11.11.el6_4
java-1.6.0-openjdk-demo-1:1.6.0.0-1.40.1.11.11.el5_9
java-1.6.0-openjdk-demo-1:1.6.0.0-1.61.1.11.11.el6_4
java-1.6.0-openjdk-devel-1:1.6.0.0-1.40.1.11.11.el5_9
java-1.6.0-openjdk-devel-1:1.6.0.0-1.61.1.11.11.el6_4
java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.40.1.11.11.el5_9
java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.61.1.11.11.el6_4
java-1.6.0-openjdk-src-1:1.6.0.0-1.40.1.11.11.el5_9
java-1.6.0-openjdk-src-1:1.6.0.0-1.61.1.11.11.el6_4
java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el5_9
java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el6_4
java-1.7.0-ibm-demo-1:1.7.0.4.2-1jpp.1.el5_9
java-1.7.0-ibm-demo-1:1.7.0.4.2-1jpp.1.el6_4
java-1.7.0-ibm-devel-1:1.7.0.4.2-1jpp.1.el5_9
java-1.7.0-ibm-devel-1:1.7.0.4.2-1jpp.1.el6_4
java-1.7.0-ibm-jdbc-1:1.7.0.4.2-1jpp.1.el5_9
java-1.7.0-ibm-jdbc-1:1.7.0.4.2-1jpp.1.el6_4
java-1.7.0-ibm-plugin-1:1.7.0.4.2-1jpp.1.el5_9
java-1.7.0-ibm-plugin-1:1.7.0.4.2-1jpp.1.el6_4
java-1.7.0-ibm-src-1:1.7.0.4.2-1jpp.1.el5_9
java-1.7.0-ibm-src-1:1.7.0.4.2-1jpp.1.el6_4

refmap via4

cert	TA13-107A
confirm	http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/ http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/ http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
gentoo	GLSA-201406-32
mandriva	MDVSA-2013:145 MDVSA-2013:161
misc	http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/98ad2f1e25d1 https://bugzilla.redhat.com/show_bug.cgi?id=952653
mlist	[distro-pkg-dev] 20130417 [SECURITY] IcedTea 1.11.10 for OpenJDK 6 Released!
suse	SUSE-SU-2013:0814 openSUSE-SU-2013:0777 openSUSE-SU-2013:0964
ubuntu	USN-1806-1

Last major update

19-09-2017 - 01:36

Published

17-04-2013 - 18:55

Last modified

19-09-2017 - 01:36