CVE-2014-2397
First published: Mon Apr 14 2014(Updated: )
It was discovered that the class file parser did not properly parse class files with an invalid BootstrapMethods attribute length. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icedtea | <1.13.3 | 1.13.3 |
| redhat/icedtea | <2.4.7 | 2.4.7 |
| Ubuntu | =10.04 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| Ubuntu | =13.10 | |
| Ubuntu | =14.04 | |
| Oracle OpenJDK 1.8.0 | =1.7.0-update51 | |
| Oracle OpenJDK 1.8.0 | =1.8.0 | |
| Oracle JRE | =1.7.0-update51 | |
| Oracle JRE | =1.8.0 | |
| Debian | =6.0 | |
| Debian | =7.0 | |
| Debian | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027214.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027222.html
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2014-0407.html
- https://rhn.redhat.com/errata/RHSA-2014-0406.html
- https://rhn.redhat.com/errata/RHSA-2014-0408.html
- https://rhn.redhat.com/errata/RHSA-2014-0413.html
- https://rhn.redhat.com/errata/RHSA-2014-0412.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/rev/9b289963cb9a
- https://rhn.redhat.com/errata/RHSA-2014-0675.html
- https://rhn.redhat.com/errata/RHSA-2014-0685.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1087423
- http://marc.info/?l=bugtraq&m=140852886808946&w=2
- http://rhn.redhat.com/errata/RHSA-2014-0675.html
- http://rhn.redhat.com/errata/RHSA-2014-0685.html
- http://secunia.com/advisories/58415
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://security.gentoo.org/glsa/glsa-201502-12.xml
- http://www.debian.org/security/2014/dsa-2912
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
- http://www.securityfocus.com/bid/66893
- http://www.ubuntu.com/usn/USN-2187-1
- http://www.ubuntu.com/usn/USN-2191-1
- https://access.redhat.com/errata/RHSA-2014:0413
Frequently Asked Questions
What is the severity of CVE-2014-2397?
CVE-2014-2397 is considered a medium severity vulnerability due to its potential to bypass Java sandbox restrictions.
How do I fix CVE-2014-2397?
To remediate CVE-2014-2397, update your Java version to at least 1.7.0-update55 or 1.8.0 or apply the appropriate patches for your operating system.
What causes CVE-2014-2397?
CVE-2014-2397 is caused by improper parsing of class files with an invalid BootstrapMethods attribute length in Java applications.
Which Java versions are affected by CVE-2014-2397?
CVE-2014-2397 affects Oracle Java SE 7u51 and 8, as well as various releases of IcedTea and Oracle JDK.
Can CVE-2014-2397 be exploited by untrusted applications?
Yes, CVE-2014-2397 allows untrusted Java applications or applets to potentially bypass Java sandbox restrictions.
- agent/references
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-2397
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/12.04
- version/ubuntu/12.10
- version/ubuntu/13.10
- version/ubuntu/14.04
- vendor/oracle
- canonical/oracle openjdk 1.8.0
- version/oracle openjdk 1.8.0/1.7.0-update51
- version/oracle openjdk 1.8.0/1.8.0
- canonical/oracle jre
- version/oracle jre/1.7.0-update51
- version/oracle jre/1.8.0
- vendor/debian
- canonical/debian
- version/debian/6.0
- version/debian/7.0
- version/debian/8.0