CVE-2013-0401: Code Injection
First published: Fri Mar 08 2013(Updated: )
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icedtea6 | <1.11.10 | 1.11.10 |
| redhat/icedtea6 | <1.12.5 | 1.12.5 |
| redhat/icedtea7 | <2.3.9 | 2.3.9 |
| Oracle Java SE 7 | =1.7.0-update17 | |
| Oracle JRE | =1.7.0-update17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
- http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
- http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html
- http://marc.info/?l=bugtraq&m=137283787217316&w=2
- http://rhn.redhat.com/errata/RHSA-2013-0752.html
- http://rhn.redhat.com/errata/RHSA-2013-0757.html
- http://rhn.redhat.com/errata/RHSA-2013-0758.html
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://rhn.redhat.com/errata/RHSA-2013-1456.html
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:145
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
- http://www.ubuntu.com/usn/USN-1806-1
- http://www.us-cert.gov/ncas/alerts/TA13-107A
- http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/
- https://bugzilla.redhat.com/show_bug.cgi?id=920245
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641
- https://twitter.com/thezdi/status/309784608508100608
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401
- https://rhn.redhat.com/errata/RHSA-2013-0752.html
- https://rhn.redhat.com/errata/RHSA-2013-0751.html
- https://rhn.redhat.com/errata/RHSA-2013-0758.html
- https://rhn.redhat.com/errata/RHSA-2013-0757.html
- https://rhn.redhat.com/errata/RHSA-2013-0770.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022890.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022985.html
- https://rhn.redhat.com/errata/RHSA-2013-0823.html
- https://rhn.redhat.com/errata/RHSA-2013-0822.html
- https://rhn.redhat.com/errata/RHSA-2013-0855.html
- https://rhn.redhat.com/errata/RHSA-2013-1456.html
- https://rhn.redhat.com/errata/RHSA-2013-1455.html
Frequently Asked Questions
What is the severity of CVE-2013-0401?
CVE-2013-0401 is classified as a critical vulnerability allowing remote code execution.
How do I fix CVE-2013-0401?
To fix CVE-2013-0401, users should upgrade to Oracle JDK 1.7.0 Update 21 or later, or the recommended versions of IcedTea packages.
What software versions are affected by CVE-2013-0401?
CVE-2013-0401 affects Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier, as well as OpenJDK 6 and 7.
Is CVE-2013-0401 still a threat today?
While CVE-2013-0401 is an older vulnerability, systems still running affected versions remain vulnerable to exploitation.
What types of attacks does CVE-2013-0401 facilitate?
CVE-2013-0401 allows attackers to execute arbitrary code on affected systems through remote exploitation methods related to AWT.
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-0401
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/oracle
- canonical/oracle java se 7
- version/oracle java se 7/1.7.0-update17
- canonical/oracle jre
- version/oracle jre/1.7.0-update17