CVE-2013-5456 - The com.ibm.rmi.io.SunSerializableFactory class in IBM Java SDK 7.0.0 before SR6 allows remote attac

CVE-2013-5456

Summary

The com.ibm.rmi.io.SunSerializableFactory class in IBM Java SDK 7.0.0 before SR6 allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code via vectors related to deserialization inside the AccessController doPrivileged block.

References

Vulnerable Configurations

cpe:2.3:a:ibm:java:7.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:java:7.0.0.0:*:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 29-08-2017 - 01:33)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

redhat via4

advisories

rhsa

id	RHSA-2013:1507

rpms

java-1.7.0-ibm-1:1.7.0.6.0-1jpp.1.el5_10
java-1.7.0-ibm-1:1.7.0.6.0-1jpp.1.el6_4
java-1.7.0-ibm-demo-1:1.7.0.6.0-1jpp.1.el5_10
java-1.7.0-ibm-demo-1:1.7.0.6.0-1jpp.1.el6_4
java-1.7.0-ibm-devel-1:1.7.0.6.0-1jpp.1.el5_10
java-1.7.0-ibm-devel-1:1.7.0.6.0-1jpp.1.el6_4
java-1.7.0-ibm-jdbc-1:1.7.0.6.0-1jpp.1.el5_10
java-1.7.0-ibm-jdbc-1:1.7.0.6.0-1jpp.1.el6_4
java-1.7.0-ibm-plugin-1:1.7.0.6.0-1jpp.1.el5_10
java-1.7.0-ibm-plugin-1:1.7.0.6.0-1jpp.1.el6_4
java-1.7.0-ibm-src-1:1.7.0.6.0-1jpp.1.el5_10
java-1.7.0-ibm-src-1:1.7.0.6.0-1jpp.1.el6_4

refmap via4

aixapar	IV51329
confirm	http://www-01.ibm.com/support/docview.wss?uid=swg21655201 http://www-01.ibm.com/support/docview.wss?uid=swg21655202 https://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2013
misc	http://www.security-explorations.com/materials/SE-2012-01-IBM-3.pdf http://www.security-explorations.com/materials/SE-2012-01-IBM-5.pdf
secunia	56338
suse	SUSE-SU-2013:1677
xf	ibm-java-cve20135456-code-exec(88255)

Last major update

29-08-2017 - 01:33

Published

24-11-2013 - 18:55

Last modified

29-08-2017 - 01:33