PT-2013-2299 · Oracle+4 · Java Se+6

Published

2013-03-08

·

Updated

2024-06-15

·

CVE-2013-0401

CVSS v2.0

10

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Java SE versions 7 Update 17 and earlier Java SE versions 6 Update 43 and earlier Java SE versions 5.0 Update 41 and earlier OpenJDK versions 6 and 7
Description The issue allows remote attackers to execute arbitrary code via vectors related to AWT. This was demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. The problem may be related to the invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which could allow remote attackers to bypass Java sandbox restrictions.
Recommendations For Java SE versions 7 Update 17 and earlier, update to a version later than Update 17. For Java SE versions 6 Update 43 and earlier, update to a version later than Update 43. For Java SE versions 5.0 Update 41 and earlier, update to a version later than Update 41. For OpenJDK versions 6 and 7, consider disabling the sun.awt.datatransfer.ClassLoaderObjectInputStream class as a temporary workaround until a patch is available.

Exploit

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CESA-2013_0751
CESA-2013_0770
CVE-2013-0401
HPSBUX02889
HPSBUX02922
OPENSUSE-SU-2024:10534-1
RHSA-2013:0751
RHSA-2013:0752
RHSA-2013:0757
RHSA-2013:0758
RHSA-2013:0770
RHSA-2013:0822
RHSA-2013:0823
RHSA-2013:0855
RHSA-2013:1455
RHSA-2013:1456
RHSA-2013_0751
RHSA-2013_0752
RHSA-2013_0757
RHSA-2013_0758
RHSA-2013_0770
RHSA-2013_0822
RHSA-2013_0823
RHSA-2013_0855
SUSE-SU-2013_0814-1
SUSE-SU-2013_0835-1
SUSE-SU-2013_0835-2
SUSE-SU-2013_0835-3
SUSE-SU-2013_0871-1
SUSE-SU-2013_0871-2
ZDI-13-089

Affected Products

Centos
Hp-Ux
Java Platform
Java Se
Openjdk
Red Hat
Suse