CVE-2012-4681: Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability
First published: Tue Aug 28 2012(Updated: )
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.6.0 | |
| Oracle JDK | =1.6.0-update1 | |
| Oracle JDK | =1.6.0-update10 | |
| Oracle JDK | =1.6.0-update11 | |
| Oracle JDK | =1.6.0-update12 | |
| Oracle JDK | =1.6.0-update13 | |
| Oracle JDK | =1.6.0-update14 | |
| Oracle JDK | =1.6.0-update15 | |
| Oracle JDK | =1.6.0-update16 | |
| Oracle JDK | =1.6.0-update17 | |
| Oracle JDK | =1.6.0-update18 | |
| Oracle JDK | =1.6.0-update19 | |
| Oracle JDK | =1.6.0-update2 | |
| Oracle JDK | =1.6.0-update20 | |
| Oracle JDK | =1.6.0-update21 | |
| Oracle JDK | =1.6.0-update22 | |
| Oracle JDK | =1.6.0-update23 | |
| Oracle JDK | =1.6.0-update24 | |
| Oracle JDK | =1.6.0-update25 | |
| Oracle JDK | =1.6.0-update26 | |
| Oracle JDK | =1.6.0-update27 | |
| Oracle JDK | =1.6.0-update29 | |
| Oracle JDK | =1.6.0-update3 | |
| Oracle JDK | =1.6.0-update30 | |
| Oracle JDK | =1.6.0-update31 | |
| Oracle JDK | =1.6.0-update32 | |
| Oracle JDK | =1.6.0-update33 | |
| Oracle JDK | =1.6.0-update34 | |
| Oracle JDK | =1.6.0-update4 | |
| Oracle JDK | =1.6.0-update5 | |
| Oracle JDK | =1.6.0-update6 | |
| Oracle JDK | =1.6.0-update7 | |
| Oracle JDK | =1.6.0-update8 | |
| Oracle JDK | =1.6.0-update9 | |
| Oracle JDK | =1.7.0 | |
| Oracle JDK | =1.7.0-update1 | |
| Oracle JDK | =1.7.0-update2 | |
| Oracle JDK | =1.7.0-update3 | |
| Oracle JDK | =1.7.0-update4 | |
| Oracle JDK | =1.7.0-update5 | |
| Oracle JDK | =1.7.0-update6 | |
| Oracle JRE | =1.6.0 | |
| Oracle JRE | =1.6.0-update1 | |
| Oracle JRE | =1.6.0-update10 | |
| Oracle JRE | =1.6.0-update11 | |
| Oracle JRE | =1.6.0-update12 | |
| Oracle JRE | =1.6.0-update13 | |
| Oracle JRE | =1.6.0-update14 | |
| Oracle JRE | =1.6.0-update15 | |
| Oracle JRE | =1.6.0-update16 | |
| Oracle JRE | =1.6.0-update17 | |
| Oracle JRE | =1.6.0-update18 | |
| Oracle JRE | =1.6.0-update19 | |
| Oracle JRE | =1.6.0-update2 | |
| Oracle JRE | =1.6.0-update20 | |
| Oracle JRE | =1.6.0-update21 | |
| Oracle JRE | =1.6.0-update22 | |
| Oracle JRE | =1.6.0-update23 | |
| Oracle JRE | =1.6.0-update24 | |
| Oracle JRE | =1.6.0-update25 | |
| Oracle JRE | =1.6.0-update26 | |
| Oracle JRE | =1.6.0-update27 | |
| Oracle JRE | =1.6.0-update29 | |
| Oracle JRE | =1.6.0-update3 | |
| Oracle JRE | =1.6.0-update30 | |
| Oracle JRE | =1.6.0-update31 | |
| Oracle JRE | =1.6.0-update32 | |
| Oracle JRE | =1.6.0-update33 | |
| Oracle JRE | =1.6.0-update34 | |
| Oracle JRE | =1.6.0-update4 | |
| Oracle JRE | =1.6.0-update5 | |
| Oracle JRE | =1.6.0-update6 | |
| Oracle JRE | =1.6.0-update7 | |
| Oracle JRE | =1.6.0-update9 | |
| Oracle JRE | =1.7.0 | |
| Oracle JRE | =1.7.0-update1 | |
| Oracle JRE | =1.7.0-update2 | |
| Oracle JRE | =1.7.0-update3 | |
| Oracle JRE | =1.7.0-update4 | |
| Oracle JRE | =1.7.0-update5 | |
| Oracle JRE | =1.7.0-update6 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Eus | =6.3 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
- http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
- http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
- http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
- http://marc.info/?l=bugtraq&m=135109152819176&w=2
- http://rhn.redhat.com/errata/RHSA-2012-1225.html
- http://secunia.com/advisories/51044
- http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html
- http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
- http://www.securityfocus.com/bid/55213
- http://www.us-cert.gov/cas/techalerts/TA12-240A.html
- https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
- https://nvd.nist.gov/vuln/detail/CVE-2012-4681
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/description
- agent/title
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/references
- agent/tags
- collector/nvd-cve
- source/NVD
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.6.0
- version/oracle jdk/1.6.0-update1
- version/oracle jdk/1.6.0-update10
- version/oracle jdk/1.6.0-update11
- version/oracle jdk/1.6.0-update12
- version/oracle jdk/1.6.0-update13
- version/oracle jdk/1.6.0-update14
- version/oracle jdk/1.6.0-update15
- version/oracle jdk/1.6.0-update16
- version/oracle jdk/1.6.0-update17
- version/oracle jdk/1.6.0-update18
- version/oracle jdk/1.6.0-update19
- version/oracle jdk/1.6.0-update2
- version/oracle jdk/1.6.0-update20
- version/oracle jdk/1.6.0-update21
- version/oracle jdk/1.6.0-update22
- version/oracle jdk/1.6.0-update23
- version/oracle jdk/1.6.0-update24
- version/oracle jdk/1.6.0-update25
- version/oracle jdk/1.6.0-update26
- version/oracle jdk/1.6.0-update27
- version/oracle jdk/1.6.0-update29
- version/oracle jdk/1.6.0-update3
- version/oracle jdk/1.6.0-update30
- version/oracle jdk/1.6.0-update31
- version/oracle jdk/1.6.0-update32
- version/oracle jdk/1.6.0-update33
- version/oracle jdk/1.6.0-update34
- version/oracle jdk/1.6.0-update4
- version/oracle jdk/1.6.0-update5
- version/oracle jdk/1.6.0-update6
- version/oracle jdk/1.6.0-update7
- version/oracle jdk/1.6.0-update8
- version/oracle jdk/1.6.0-update9
- version/oracle jdk/1.7.0
- version/oracle jdk/1.7.0-update1
- version/oracle jdk/1.7.0-update2
- version/oracle jdk/1.7.0-update3
- version/oracle jdk/1.7.0-update4
- version/oracle jdk/1.7.0-update5
- version/oracle jdk/1.7.0-update6
- canonical/oracle jre
- version/oracle jre/1.6.0
- version/oracle jre/1.6.0-update1
- version/oracle jre/1.6.0-update10
- version/oracle jre/1.6.0-update11
- version/oracle jre/1.6.0-update12
- version/oracle jre/1.6.0-update13
- version/oracle jre/1.6.0-update14
- version/oracle jre/1.6.0-update15
- version/oracle jre/1.6.0-update16
- version/oracle jre/1.6.0-update17
- version/oracle jre/1.6.0-update18
- version/oracle jre/1.6.0-update19
- version/oracle jre/1.6.0-update2
- version/oracle jre/1.6.0-update20
- version/oracle jre/1.6.0-update21
- version/oracle jre/1.6.0-update22
- version/oracle jre/1.6.0-update23
- version/oracle jre/1.6.0-update24
- version/oracle jre/1.6.0-update25
- version/oracle jre/1.6.0-update26
- version/oracle jre/1.6.0-update27
- version/oracle jre/1.6.0-update29
- version/oracle jre/1.6.0-update3
- version/oracle jre/1.6.0-update30
- version/oracle jre/1.6.0-update31
- version/oracle jre/1.6.0-update32
- version/oracle jre/1.6.0-update33
- version/oracle jre/1.6.0-update34
- version/oracle jre/1.6.0-update4
- version/oracle jre/1.6.0-update5
- version/oracle jre/1.6.0-update6
- version/oracle jre/1.6.0-update7
- version/oracle jre/1.6.0-update9
- version/oracle jre/1.7.0
- version/oracle jre/1.7.0-update1
- version/oracle jre/1.7.0-update2
- version/oracle jre/1.7.0-update3
- version/oracle jre/1.7.0-update4
- version/oracle jre/1.7.0-update5
- version/oracle jre/1.7.0-update6
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/6.3
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- canonical/oracle java se