PT-2012-1213 · Oracle · Oracle Java SE
Michael Schierl · Published 2012-08-27 · Updated 2025-03-13
CVE-2012-4681 · CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Oracle Java SE versions 7 Update 6 and earlier
Description
The issue allows remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions. This is achieved by using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages, such as sun.awt.SunToolkit. The applet then uses "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields. The vulnerability was exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
Recommendations
For Oracle Java SE versions 7 Update 6 and earlier, update to a version later than 7 Update 6 to resolve the issue. As a temporary workaround, consider disabling Java applets until a patch is available. Restrict access to the com.sun.beans.finder.ClassFinder.findClass and forName methods to minimize the risk of exploitation. Avoid using the getField method in the affected API until the issue is resolved. At the moment, there is no information about additional mitigation measures.
Exploit · Fix · RCE · Improper Privilege Management · Improper Access Control
Affected Products
CentOS
HP-UX
Java Platform
Oracle Java SE
Red Hat
SUSE