Adam Gowdiak

**Name of the Vulnerable Software and Affected Versions** IBM SDK, Java Technology Edition versions 6.0.0 through 6.0.16.24 IBM SDK, Java Technology Edition 6 R1 versions 6.1.0 through 6.1.8.24 IBM SDK, Java Technology Edition 7 versions 7.0.0 through 7.0.9.39 IBM SDK, Java Technology Edition 7 R1 versions 7.1.0 through 7.1.3.39 IBM SDK, Java Technology Edition 8 versions 8.0.0 through 8.0.2.0 **Description** The issue allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code. This is due to the improper deserialization of classes in an AccessController doPrivileged block. The `readValue` method of the `com.ibm.rmi.io.ValueHandlerPool.ValueHandlerSingleton` class, which implements the `javax.rmi.CORBA.ValueHandler` interface, demonstrates this vulnerability. It enables code running under a security manager to escalate its privileges by modifying or removing the security manager. **Recommendations** For IBM SDK, Java Technology Edition 6, update to version 6.0.16.25 or later. For IBM SDK, Java Technology Edition 6 R1, update to version 6.1.8.25 or later. For IBM SDK, Java Technology Edition 7, update to version 7.0.9.40 or later. For IBM SDK, Java Technology Edition 7 R1, update to version 7.1.3.40 or later. For IBM SDK, Java Technology Edition 8, update to version 8.0.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** IBM SDK, Java Technology Edition versions 6.0.0 through 6.0.16.24 IBM SDK, Java Technology Edition 6 R1 versions 6.1.0 through 6.1.8.24 IBM SDK, Java Technology Edition 7 versions 7.0.0 through 7.0.9.39 IBM SDK, Java Technology Edition 7 R1 versions 7.1.0 through 7.1.3.39 IBM SDK, Java Technology Edition 8 versions 8.0.0 through 8.0.2.0 **Description** The issue allows remote attackers to bypass a sandbox protection mechanism, enabling them to execute arbitrary code on the system. This is achieved by calling setSecurityManager via vectors related to a Proxy object instance implementing the `java.lang.reflect.InvocationHandler` interface. The `com.ibm.CORBA.iiop.ClientDelegate` class uses the `invoke` method of the `java.lang.reflect.Method` class in an AccessController doPrivileged block, which contributes to the vulnerability. **Recommendations** For IBM SDK, Java Technology Edition 6, update to version 6.0.16.25 or later. For IBM SDK, Java Technology Edition 6 R1, update to version 6.1.8.25 or later. For IBM SDK, Java Technology Edition 7, update to version 7.0.9.40 or later. For IBM SDK, Java Technology Edition 7 R1, update to version 7.1.3.40 or later. For IBM SDK, Java Technology Edition 8, update to version 8.0.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** IBM Java SDK version 7.0.0 before SR6 **Description** The issue allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code via vectors related to deserialization inside the AccessController doPrivileged block. **Recommendations** For IBM Java SDK version 7.0.0 before SR6, update to SR6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM Java SDK versions 6.0.0 through 6.0.0 before SR15 IBM Java SDK versions 6.0.1 through 6.0.1 before SR7 IBM Java SDK versions 7.0.0 through 7.0.0 before SR6 **Description** The issue allows remote attackers to execute arbitrary code via unspecified vectors. **Recommendations** For IBM Java SDK versions 6.0.0 through 6.0.0 before SR15, update to SR15 or later. For IBM Java SDK versions 6.0.1 through 6.0.1 before SR7, update to SR7 or later. For IBM Java SDK versions 7.0.0 through 7.0.0 before SR6, update to SR6 or later.

**Name of the Vulnerable Software and Affected Versions** IBM Java SDK version 7.0.0 before SR6 **Description** The issue allows remote attackers to execute arbitrary code via unspecified vectors. It also enables code running under a security manager to escalate its privileges by modifying or removing the security manager. **Recommendations** For IBM Java SDK version 7.0.0 before SR6, update to a version that includes SR6 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM Java versions 6.0.1 before 6.0.1 SR6 IBM Java versions 7 before 7 SR5 **Description** The issue affects confidentiality, availability, and integrity. It can be exploited by remote attackers via unknown vectors. **Recommendations** For IBM Java versions 6.0.1 before 6.0.1 SR6, update to 6.0.1 SR6 or later. For IBM Java versions 7 before 7 SR5, update to 7 SR5 or later.

**Name of the Vulnerable Software and Affected Versions** IBM Java 7 versions prior to 7 SR5 **Description** The issue affects the confidentiality, availability, and integrity of the system, but the specific vectors used by remote attackers are unknown. **Recommendations** For IBM Java 7 versions prior to 7 SR5, update to version 7 SR5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM Java versions 6.0.1 before 6.0.1 SR6 IBM Java versions 7 before 7 SR5 **Description** The issue affects confidentiality, availability, and integrity. It can be exploited by remote attackers via unknown vectors. **Recommendations** For IBM Java versions 6.0.1 before 6.0.1 SR6, update to 6.0.1 SR6 or later. For IBM Java versions 7 before 7 SR5, update to 7 SR5 or later.

Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3009 and CVE-2013-3011.

**Name of the Vulnerable Software and Affected Versions** IBM Java versions 1.4.2 before 1.4.2 SR13-FP18 IBM Java versions 5.0 before 5.0 SR16-FP3 IBM Java versions 6 before 6 SR14 IBM Java versions 6.0.1 before 6.0.1 SR6 IBM Java versions 7 before 7 SR5 **Description** The issue allows remote attackers to bypass a sandbox protection mechanism. This is achieved by exploiting the improper exposure of the invoke method of the `java.lang.reflect.Method` class in the `com.ibm.CORBA.iiop.ClientDelegate` class. The attack vectors are related to the `AccessController` doPrivileged block, enabling attackers to call `setSecurityManager`. **Recommendations** For IBM Java version 1.4.2, update to 1.4.2 SR13-FP18 or later. For IBM Java version 5.0, update to 5.0 SR16-FP3 or later. For IBM Java version 6, update to 6 SR14 or later. For IBM Java version 6.0.1, update to 6.0.1 SR6 or later. For IBM Java version 7, update to 7 SR5 or later.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 7 Update 17 and earlier Java SE versions 6 Update 43 and earlier Java SE versions 5.0 Update 41 and earlier OpenJDK versions 6 and 7 **Description** The issue affects the Java Runtime Environment (JRE) component, allowing remote attackers to impact confidentiality, integrity, and availability through vectors related to JAXP. It is noted that Oracle has not commented on claims from another vendor that this issue is related to "missing security restrictions." **Recommendations** For Java SE versions 7 Update 17 and earlier, update to a version later than Update 17. For Java SE versions 6 Update 43 and earlier, update to a version later than Update 43. For Java SE versions 5.0 Update 41 and earlier, update to a version later than Update 41. For OpenJDK versions 6 and 7, consider disabling JAXP functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Java Runtime Environment versions prior to Update 11 OpenJDK 7 **Description** The issue allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX. It is also related to the failure to neutralize script-related HTML tags on web pages, which can allow a remote attacker to impact the integrity of protected information. **Recommendations** For Java Runtime Environment versions prior to Update 11, update to a version that includes the fix for this issue. For OpenJDK 7, consider disabling JMX functionality until a patch is available. As a temporary workaround, consider restricting the execution of script-related HTML tags in web pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Java SE 7 Update 10 and Update 11 **Description** The issue allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user. This occurs when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome. **Recommendations** For Java SE 7 Update 10 and Update 11, consider disabling the execution of unsigned Java code until a patch is available. Restrict access to the Java Control Panel to minimize the risk of exploitation. Avoid using the "Very High" security level until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 6 and 7 Update 11 (JRE 1.7.0 11-b21) **Description** The issue allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors. It is noted that as of 20130130, there were no independently-verifiable details and no vendor acknowledgement. This issue also exists in Java SE 6, but it cannot be exploited without a separate vulnerability. **Recommendations** For Oracle Java SE version 7 Update 11 (JRE 1.7.0 11-b21), at the moment, there is no information about a newer version that contains a fix for this issue. For Oracle Java SE version 6, consider restricting access to minimize potential exploitation risks, as it requires a separate vulnerability to be exploitable.

**Name of the Vulnerable Software and Affected Versions** IBM Java versions 7 SR2 and earlier IBM Java versions 6.0.1 SR3 and earlier IBM Java versions 6 SR11 and earlier IBM Java versions 5 SR14 and earlier IBM Java 142 SR13 FP13 and earlier **Description** The issue allows remote attackers to execute arbitrary code via vectors related to insecure use of the `java.lang.ClassLoader` `defineClass()` method. This affects various IBM products, including IBM Rational Host On-Demand, Rational Change, Tivoli Monitoring, Smart Analytics System 5600, Tivoli Remote Control 5.1.2, WebSphere Real Time, Lotus Notes & Domino, Tivoli Storage Productivity Center, and Service Deliver Manager, as well as products from other vendors like Red Hat. **Recommendations** For IBM Java versions 7 SR2 and earlier, update to a version later than 7 SR2. For IBM Java versions 6.0.1 SR3 and earlier, update to a version later than 6.0.1 SR3. For IBM Java versions 6 SR11 and earlier, update to a version later than 6 SR11. For IBM Java versions 5 SR14 and earlier, update to a version later than 5 SR14. For IBM Java 142 SR13 FP13 and earlier, update to a version later than 142 SR13 FP13. As a temporary workaround, consider restricting the use of the `java.lang.ClassLoader` `defineClass()` method until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM Java versions 7 SR2 and earlier IBM Java versions 6.0.1 SR3 and earlier IBM Java versions 6 SR11 and earlier IBM Java versions 5 SR14 and earlier IBM Java 142 SR13 FP13 and earlier **Description** The issue is related to the insecure use of multiple methods in the `java.lang.class` class, allowing remote attackers to execute arbitrary code. This affects various IBM products, including IBM Rational Host On-Demand, Rational Change, Tivoli Monitoring, Smart Analytics System 5600, Tivoli Remote Control 5.1.2, WebSphere Real Time, Lotus Notes & Domino, Tivoli Storage Productivity Center, and Service Deliver Manager, as well as products from other vendors like Red Hat. **Recommendations** For IBM Java versions 7 SR2 and earlier, update to a version later than 7 SR2. For IBM Java versions 6.0.1 SR3 and earlier, update to a version later than 6.0.1 SR3. For IBM Java versions 6 SR11 and earlier, update to a version later than 6 SR11. For IBM Java versions 5 SR14 and earlier, update to a version later than 5 SR14. For IBM Java 142 SR13 FP13 and earlier, update to a version later than 142 SR13 FP13. As a temporary workaround, consider restricting access to the `java.lang.class` class until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM Java versions 7 SR2 and earlier IBM Java versions 6.0.1 SR3 and earlier IBM Java versions 6 SR11 and earlier IBM Java versions 5 SR14 and earlier IBM Java 142 SR13 FP13 and earlier IBM Rational Host On-Demand (affected versions not specified) IBM Rational Change (affected versions not specified) IBM Tivoli Monitoring (affected versions not specified) IBM Smart Analytics System 5600 (affected versions not specified) IBM Tivoli Remote Control 5.1.2 IBM WebSphere Real Time (affected versions not specified) IBM Lotus Notes & Domino (affected versions not specified) IBM Tivoli Storage Productivity Center (affected versions not specified) IBM Service Deliver Manager (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary code via insecure use of the `java.lang.Class` `getDeclaredMethods` or `nd` and `java.lang.reflect.AccessibleObject` `setAccessible()` methods. This affects various IBM products, including IBM Java, IBM Rational Host On-Demand, IBM Rational Change, IBM Tivoli Monitoring, IBM Smart Analytics System 5600, IBM Tivoli Remote Control, IBM WebSphere Real Time, IBM Lotus Notes & Domino, IBM Tivoli Storage Productivity Center, and IBM Service Deliver Manager. **Recommendations** For IBM Java versions 7 SR2 and earlier, update to a version later than 7 SR2. For IBM Java versions 6.0.1 SR3 and earlier, update to a version later than 6.0.1 SR3. For IBM Java versions 6 SR11 and earlier, update to a version later than 6 SR11. For IBM Java versions 5 SR14 and earlier, update to a version later than 5 SR14. For IBM Java 142 SR13 FP13 and earlier, update to a version later than 142 SR13 FP13. For other affected products, apply the recommended updates or patches as provided by the vendor. As a temporary workaround, consider restricting access to the `java.lang.Class` `getDeclaredMethods` and `java.lang.reflect.AccessibleObject` `setAccessible()` methods until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM Java versions prior to 7 SR2 IBM Java 6.0.1 versions prior to SR3 IBM Java 6 versions prior to SR11 IBM Java 5 versions prior to SR14 IBM Java 142 versions prior to SR13 FP13 IBM Rational Host On-Demand (affected versions not specified) IBM Rational Change (affected versions not specified) IBM Tivoli Monitoring (affected versions not specified) IBM Smart Analytics System 5600 (affected versions not specified) IBM Tivoli Remote Control 5.1.2 (affected versions not specified) IBM WebSphere Real Time (affected versions not specified) IBM Lotus Notes & Domino (affected versions not specified) IBM Tivoli Storage Productivity Center (affected versions not specified) IBM Service Deliver Manager (affected versions not specified) **Description** The issue allows remote attackers to gain privileges by modifying or removing the security manager via vectors related to insecure use of the `java.lang.reflect.Method invoke()` method when running under a security manager. **Recommendations** For IBM Java versions prior to 7 SR2, update to a version newer than 7 SR2. For IBM Java 6.0.1 versions prior to SR3, update to a version newer than 6.0.1 SR3. For IBM Java 6 versions prior to SR11, update to a version newer than 6 SR11. For IBM Java 5 versions prior to SR14, update to a version newer than 5 SR14. For IBM Java 142 versions prior to SR13 FP13, update to a version newer than 142 SR13 FP13. For other affected products, apply the recommended updates or patches as provided by the vendors. As a temporary workaround, consider restricting the use of the `java.lang.reflect.Method invoke()` method until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 7 Update 7 and earlier Oracle Java SE versions 6 Update 35 and earlier Oracle Java SE versions 5.0 Update 36 and earlier **Description** The issue allows remote attackers to affect confidentiality, integrity, and availability, related to JMX. **Recommendations** For Oracle Java SE versions 7 Update 7 and earlier, update to a version later than Update 7. For Oracle Java SE versions 6 Update 35 and earlier, update to a version later than Update 35. For Oracle Java SE versions 5.0 Update 36 and earlier, update to a version later than Update 36.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 7 Update 7 and earlier Oracle Java SE versions 6 Update 35 and earlier **Description** The issue affects the confidentiality, integrity, and availability of systems. It is related to the Deployment component in the Java Runtime Environment. The estimated number of potentially affected devices worldwide is not specified. Details about real-world incidents where this issue was exploited are not provided. **Recommendations** For Oracle Java SE versions 7 Update 7 and earlier, update to a version later than Update 7. For Oracle Java SE versions 6 Update 35 and earlier, update to a version later than Update 35.