PT-2010-1918 · Oracle+2 · Java Se+3

Published: 2010-04-01 · Updated: 2018-10-10 · CVE-2010-0094

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Java SE versions 5.0 through 5.0 Update 23; Java SE version 6 Update 18

Description: The issue affects confidentiality, integrity, and availability. It is reportedly due to missing privilege checks during deserialization of RMIConnectionImpl objects, which allows remote attackers to call system-level Java functions via the ClassLoader of a constructor that is being deserialized. This can lead to remote code execution.

Recommendations: For Java SE versions 5.0 through 5.0 Update 23, update to a version later than Update 23 to resolve the issue. For Java SE version 6 Update 18, update to a version later than Update 18 to resolve the issue. As a temporary workaround, consider restricting access to the RMIConnectionImpl object to minimize the risk of exploitation.


Related Identifiers

CVE-2010-0094
HPSBUX02524
RHSA-2010:0130
RHSA-2010:0337
RHSA-2010:0338
RHSA-2010:0339
RHSA-2010:0383
RHSA-2010:0471
RHSA-2010_0339
ZDI-10-051

Affected Products

Hp-Ux
Java Platform
Java Se
Red Hat