oss-sec mailing list archives
CVE-2013-0422 assigned to today's Oracle Java 0-day
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Thu, 10 Jan 2013 19:13:45 -0500 (EST)
FYI - I saw a CERT/CC blog post that said this was exploitable on Linux.

======================================================
Name: CVE-2013-0422
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Reference: MISC:http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Reference: MISC:http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Reference: MISC:http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Reference: MISC:http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Reference: MISC:https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
Reference: CERT-VN:VU#625617
Reference: URL:http://www.kb.cert.org/vuls/id/625617

The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in
Java 7 Update 10 and earlier allows remote attackers to execute
arbitrary code via vectors related to unspecified classes that allow
access to the class loader, as exploited in the wild in January 2013,
as demonstrated by Blackhole and Nuclear Pack, and a different
vulnerability than CVE-2012-4681.