PT-2014-1243 · Oracle (and 6 further vendors) · Oracle Java SE (and 8 further products)

Published 2014-01-15 · Updated 2024-06-15 · CVE-2014-0416

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Oracle Java SE 5.0u55, 6u65 and 7u45
Java SE Embedded 7u45
OpenJDK 7
The Oracle update levels listed are the latest affected in each release line; earlier updates of the same line are affected as well.
Description The issue allows a remote, unauthenticated attacker to affect integrity via vectors related to JAAS (the Java Authentication and Authorization Service). Oracle published no technical detail. Third-party analysis, which Oracle did not confirm, attributes the problem to how principals are set for the javax.security.auth.Subject class: Subject is Serializable, and a crafted serialized Subject whose principal set was not validated on deserialization could be used by untrusted code to escape the Java sandbox. Note that Oracle's CVSS vector records only a partial integrity impact (C:N/I:P/A:N); a working sandbox escape would in practice let attacker code run with the permissions of the hosting JVM process, so treat the score as a lower bound when prioritising the update.
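The mechanism the description attributes to the flaw, as an added illustration that is not code from OpenJDK, Oracle or this advisory: SubjectLike, NamedPrincipal, craftedStream and the validateOnRead switch are hypothetical names chosen here, and SubjectLike only stands in for javax.security.auth.Subject (the JDK's actual fix is not reproduced). The weak readObject stores the deserialized principal set exactly as received; the hardened one rejects any element that is not a Principal and copies the survivors into a set of its own, so that neither the Set class nor its elements are chosen by the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

/* Added example, not OpenJDK or Oracle code. SubjectLike is a hypothetical stand-in for
   javax.security.auth.Subject. Generics are erased, so for a Serializable class holding a
   Set<Principal> the stream decides both the Set implementation and the element types
   unless readObject re-validates them. */
public class SubjectDeserDemo {

    /** Minimal Principal used to populate the set. */
    static final class NamedPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    static final class SubjectLike implements Serializable {
        private static final long serialVersionUID = 1L;
        /** Demo switch between the weak and the hardened readObject. */
        static volatile boolean validateOnRead = true;
        private Set<Principal> principals;

        SubjectLike(Set<Principal> principals) { this.principals = principals; }
        Set<Principal> getPrincipals() { return principals; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField fields = in.readFields();
            @SuppressWarnings("unchecked")
            Set<Principal> supplied = (Set<Principal>) fields.get("principals", null);
            if (!validateOnRead) {
                // Weak pattern: the cast checks nothing at run time, so the field now holds
                // whatever Set class and whatever element objects the stream contained.
                principals = supplied;
                return;
            }
            principals = validated(supplied);
        }

        /** Hardened pattern: check every element and copy into a set of our own choosing. */
        private static Set<Principal> validated(Set<?> supplied) throws InvalidObjectException {
            if (supplied == null) {
                throw new InvalidObjectException("principals set missing");
            }
            Set<Principal> copy = new LinkedHashSet<>();
            for (Object o : supplied) {
                if (!(o instanceof Principal)) {
                    throw new InvalidObjectException("principal of unexpected type: "
                            + (o == null ? "null" : o.getClass().getName()));
                }
                copy.add((Principal) o);
            }
            return copy; // the Set implementation that arrived in the stream is discarded
        }
    }

    /** Constructed input: a stream whose principal set smuggles a String among the Principals. */
    @SuppressWarnings({"rawtypes", "unchecked"})
    static byte[] craftedStream() throws IOException {
        Set raw = new HashSet();
        raw.add(new NamedPrincipal("alice"));
        raw.add("not-a-principal"); // raw type: nothing stops a non-Principal element
        SubjectLike crafted = new SubjectLike((Set<Principal>) raw);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(crafted);
        }
        return bytes.toByteArray();
    }

    static SubjectLike deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (SubjectLike) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = craftedStream();

        SubjectLike.validateOnRead = false;
        SubjectLike weak = deserialize(data);
        // Accepted silently; the String surfaces later as a ClassCastException in code that
        // iterates Principals, or never in code that only calls contains() on the set.
        System.out.println("weak readObject accepted " + weak.getPrincipals().size() + " elements");

        SubjectLike.validateOnRead = true;
        try {
            deserialize(data);
            System.out.println("unexpected: crafted stream accepted");
        } catch (InvalidObjectException e) {
            System.out.println("hardened readObject rejected the stream: " + e.getMessage());
        }
    }
}
```

Compile with javac and run with java: the first deserialization reports that two elements were accepted, the second that the stream was rejected. In a sandbox-escape scenario the smuggled element would be an attacker-chosen serializable class rather than a String; the check needed in readObject is the same.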
Recommendations Update to a release carrying the fix. For Oracle Java SE 5.0u55, 6u65 and 7u45 and for Java SE Embedded 7u45, that is the next update of the same line, released with Oracle's January 2014 Critical Patch Update (5.0u61, 6u71 and 7u51 respectively; 7u51 for Java SE Embedded as well). For OpenJDK 7, install the fixed build from your distribution; the Red Hat, CentOS, SUSE, HP-UX and IBM AIX advisories under Related Identifiers name the patched packages. As a temporary workaround, restrict the use of the JAAS Subject class with untrusted input: the flaw is reached by deserializing an attacker-supplied Subject, so on an unpatched JVM do not deserialize object streams from untrusted sources and do not run untrusted Java code that relies on the sandbox for containment.
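A check for the update advice above, added here and not part of the advisory: given a java.version string it reports whether the JVM predates the update that shipped the fix. The threshold table holds the Oracle January 2014 Critical Patch Update release levels (5.0u61, 6u71, 7u51) as the editor's assumption; confirm them against the vendor advisory listed under Related Identifiers for your platform, because distribution OpenJDK builds report their own version strings and backport the fix under other update numbers. JavaUpdateLevelCheck, FIRST_FIXED_UPDATE and Verdict are names chosen for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* Added example, not part of the advisory: classify a java.version string against the
   first update level of each release line that carries the CVE-2014-0416 fix. */
public class JavaUpdateLevelCheck {

    /* Assumed thresholds: Oracle January 2014 CPU release levels. Confirm against your
       vendor's advisory; distribution OpenJDK builds use their own version numbering. */
    static final Map<Integer, Integer> FIRST_FIXED_UPDATE = new LinkedHashMap<>();
    static {
        FIRST_FIXED_UPDATE.put(5, 61);   // Java SE 5.0u61
        FIRST_FIXED_UPDATE.put(6, 71);   // Java SE 6u71
        FIRST_FIXED_UPDATE.put(7, 51);   // Java SE 7u51, Java SE Embedded 7u51
    }

    /* Legacy "1.<family>.0_<update>" form, e.g. "1.7.0_45" or "1.7.0_51-b13". */
    private static final Pattern LEGACY = Pattern.compile("^1\\.([5-7])\\.0_(\\d+)");

    enum Verdict { VULNERABLE, FIXED, UNKNOWN }

    static Verdict check(String javaVersion) {
        Matcher m = LEGACY.matcher(javaVersion.trim());
        if (!m.find()) {
            return Verdict.UNKNOWN;  // Java 8+ ("1.8.0_x", "11.0.2") or a vendor-specific string
        }
        int family = Integer.parseInt(m.group(1));
        int update = Integer.parseInt(m.group(2));
        Integer fixed = FIRST_FIXED_UPDATE.get(family);
        if (fixed == null) {
            return Verdict.UNKNOWN;
        }
        return update < fixed ? Verdict.VULNERABLE : Verdict.FIXED;
    }

    public static void main(String[] args) {
        // Constructed sample strings, followed by the running JVM's own value.
        String[] samples = { "1.7.0_45", "1.7.0_51-b13", "1.6.0_65", "1.5.0_55", "1.8.0_05",
                             System.getProperty("java.version") };
        for (String v : samples) {
            System.out.printf("%-14s %s%n", v, check(v));
        }
    }
}
```

The regex deliberately covers only the 1.5, 1.6 and 1.7 families, so anything else is reported as UNKNOWN rather than silently FIXED; extend the table only with levels taken from the advisory that applies to your build.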

Related Identifiers

BDU:2014-00453
BDU:2014-00454
CESA-2014_0026
CESA-2014_0097
CVE-2014-0416
HPSBUX02972
HPSBUX02973
MGASA-2014-0023
OPENSUSE-SU-2024:10534-1
RHSA-2014:0026
RHSA-2014:0027
RHSA-2014:0030
RHSA-2014:0097
RHSA-2014:0134
RHSA-2014:0135
RHSA-2014:0136
RHSA-2014:0414
RHSA-2014:0705
RHSA-2014:0982

Affected Products

CentOS
HP-UX
IBM AIX
Java Platform
Java SE Embedded
OpenJDK
Oracle Java SE
Red Hat
SUSE