Oracle · Oracle Java SE · CVE-2012-4681
**Name of the Vulnerable Software and Affected Versions**
Oracle Java SE versions 7 Update 6 and earlier
**Description**
The issue allows remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions. The applet first uses `com.sun.beans.finder.ClassFinder.findClass`, leveraging an exception with the `forName` method, to obtain restricted classes from arbitrary packages such as `sun.awt.SunToolkit`. It then uses "reflection with a trusted immediate caller" to reach the `getField` method and read and modify private fields. The vulnerability was exploited in the wild in August 2012 using `Gondzz.class` and `Gondvv.class`.
**Recommendations**
For Oracle Java SE 7 Update 6 and earlier, update to a release later than 7 Update 6, which resolves the issue. As a temporary workaround until the patch is applied, consider disabling applet execution so that untrusted applets cannot run. Restrict access to `com.sun.beans.finder.ClassFinder.findClass` and the `forName` method to reduce the risk of exploitation, and avoid relying on the `getField` method in affected code until the issue is resolved. No further mitigation measures are known at the moment.
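A version check that follows from the recommendation above, added here as example code (not from the advisory or from Oracle): it parses the first line of `java -version` output and flags Java 7 builds at Update 6 or earlier. The function names, the regular expression and the sample strings are ours; the advisory's "7 Update 6 and earlier" is read as Java 7 with an update number of 6 or less, and other major versions are reported as outside the scope of this check.

```python
import re
from typing import Optional, Tuple

# CVE-2012-4681: Oracle Java SE 7 Update 6 and earlier are affected.
# The classic `java -version` first line for Java 7 looks like
#   java version "1.7.0_06"
# Assumption (ours, not the advisory's): only Java 7 builds with update <= 6
# are flagged; other major versions are returned as "not in scope".
LAST_AFFECTED_MAJOR = 7
LAST_AFFECTED_UPDATE = 6

# Matches the legacy "1.<major>.<minor>[_<update>]" version string.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if unparsable.
    A missing "_NN" suffix (a GA build with no update number) counts as update 0."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) is not None else 0
    return major, update


def is_affected_by_cve_2012_4681(version_output: str) -> Optional[bool]:
    """True if the build is Java 7 at Update 6 or earlier, False if Java 7 at a
    later update, None if the string is unparsable or not a Java 7 build."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return None
    major, update = parsed
    if major != LAST_AFFECTED_MAJOR:
        return None
    return update <= LAST_AFFECTED_UPDATE


# Constructed sample outputs in the format `java -version` prints (not real captures).
SAMPLES = {
    "vulnerable_7u6": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment',
    "fixed_7u7": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment',
    "ga_7u0": 'java version "1.7.0"',
    "java6_out_of_scope": 'java version "1.6.0_33"',
}

if __name__ == "__main__":
    # `java -version` writes to stderr; feed that text to is_affected_by_cve_2012_4681().
    for name, out in SAMPLES.items():
        print(f"{name}: affected={is_affected_by_cve_2012_4681(out)}")
```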