Vulnerability ID 5000

Oracle Java SE/JRE AtomicReferenceArray Sandbox type confusion

Oracle
CVSSv3 Temp Score: 9.5
Current Exploit Price (≈): $0-$1k

A vulnerability was found in Oracle Java SE and JRE (Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier) and classified as very critical. Affected by this issue is the java.util.concurrent.atomic.AtomicReferenceArray class, which does not ensure that its backing array is really of type Object[] before writing elements into it. Handing it an array of a narrower type therefore leads to a type confusion that can crash the JVM or bypass the Java sandbox. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.
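The following is an added illustration of the flaw the CVE text describes; it is not code from this entry, from Oracle, or from the Metasploit module. UncheckedRefArray stands in for the pre-fix AtomicReferenceArray: it keeps whatever backing array it is handed (the Metasploit module reaches this through object deserialization; here a constructor argument stands in for the crafted object) and writes through sun.misc.Unsafe, so the JVM's array-store check never runs and a String[] ends up holding an Integer. CheckedRefArray shows the hardening: reject anything that is not a reference array, and copy the contents into a fresh Object[] whenever the runtime class is anything else. All class and method names are hypothetical; sun.misc.Unsafe is obtained by reflection and is deprecated on recent JDKs.

```java
import java.lang.reflect.Field;
import java.util.Arrays;
import sun.misc.Unsafe;

/*
 * Added illustration, not the page's, Oracle's or Metasploit's code.
 * UncheckedRefArray models the pre-fix behaviour the CVE text describes
 * (backing array not forced to Object[] and written through Unsafe);
 * CheckedRefArray models the fix. Names are hypothetical. Needs
 * sun.misc.Unsafe (module jdk.unsupported), which recent JDKs deprecate.
 */
public class RefArrayTypeConfusion {

    private static final Unsafe U = loadUnsafe();
    private static final long BASE = U.arrayBaseOffset(Object[].class);
    // Every reference array shares one layout, so offsets computed for Object[]
    // are valid for String[] too; that is what makes the confusion possible.
    private static final int SHIFT = 31 - Integer.numberOfLeadingZeros(U.arrayIndexScale(Object[].class));

    private static Unsafe loadUnsafe() {
        try {
            Field f = Unsafe.class.getDeclaredField("theUnsafe");
            f.setAccessible(true);
            return (Unsafe) f.get(null);
        } catch (ReflectiveOperationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    private static long byteOffset(int i) {
        return ((long) i << SHIFT) + BASE;
    }

    /** Vulnerable pattern: keeps whatever array it is handed (standing in for the
     *  deserialized field) and writes with Unsafe, so the aastore type check never runs. */
    static final class UncheckedRefArray {
        private final Object[] array;

        UncheckedRefArray(Object[] a) {
            this.array = a;                       // no copy, no runtime-class check
        }

        void set(int i, Object v) {
            if (i < 0 || i >= array.length) throw new IndexOutOfBoundsException("index " + i);
            U.putObjectVolatile(array, byteOffset(i), v);
        }
    }

    /** Hardened pattern, mirroring the fix: reject non-arrays and, unless the runtime
     *  class is exactly Object[], copy the contents into a fresh Object[] first. */
    static final class CheckedRefArray {
        private final Object[] array;

        CheckedRefArray(Object a) {
            if (!(a instanceof Object[])) throw new IllegalArgumentException("not a reference array");
            Object[] arr = (Object[]) a;
            this.array = (a.getClass() == Object[].class)
                    ? arr.clone()
                    : Arrays.copyOf(arr, arr.length, Object[].class);
        }

        void set(int i, Object v) {
            if (i < 0 || i >= array.length) throw new IndexOutOfBoundsException("index " + i);
            U.putObjectVolatile(array, byteOffset(i), v); // safe: array is always an Object[]
        }
    }

    public static void main(String[] args) {
        String[] strings = new String[1];

        // Normal Java: storing an Integer through an Object[] view of a String[] is rejected.
        try {
            Object[] view = strings;
            view[0] = Integer.valueOf(42);
        } catch (ArrayStoreException e) {
            System.out.println("plain store rejected: " + e);
        }

        // Vulnerable pattern: the same store succeeds and the String[] now holds an Integer.
        new UncheckedRefArray(strings).set(0, Integer.valueOf(42));
        Object leaked = strings[0];               // aaload performs no check, so this is the Integer
        System.out.println("unchecked: String[0] is really " + leaked.getClass().getName());

        // Hardened pattern: the caller's String[] is never written, so it stays type-safe.
        String[] untouched = new String[1];
        new CheckedRefArray(untouched).set(0, Integer.valueOf(42));
        System.out.println("checked: String[0] is " + untouched[0]);
    }
}
```

Compile and run with javac and java (expect an "internal proprietary API" warning). The first line shows the ArrayStoreException, the second reports that String[0] is really java.lang.Integer, the third prints null. The confused reference is poison: invoking a String method on it is the JVM-crash case the CVE text mentions, which is why the demonstration only calls getClass() on it.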

The weakness was published 02/14/2012 with Oracle as part of the February 2012 Critical Patch Update. The advisory is shared for download at blogs.technet.com. This vulnerability is handled as CVE-2012-0507 since 01/11/2012. The attack may be launched remotely. The CVSS vectors below record a single authentication, but the public exploit is delivered as a hostile applet from a web page, so in practice a victim only needs to open a page in a browser with an affected Java plug-in enabled. Technical details (the missing Object[] check quoted above) and a public exploit are available. This vulnerability has a historic impact due to its background and reception.

A public exploit has been developed by metasploit in Java and published 43 days after the advisory. It is declared as highly functional. The exploit is shared for download at exploit-db.com. As 0-day the estimated underground price was around $100k-$500k. The vulnerability was exploited in the wild: it was picked up by the Blackhole exploit kit (see the Snort signature below) and by malware that spreads by exploiting it automatically. The vulnerability scanner Nessus provides a plugin with the ID 802947, which helps to determine the existence of the flaw in a target environment. The commercial vulnerability scanner Qualys is able to test this issue with plugin 119995.

Applying the vendor patch eliminates this problem; the first unaffected releases are Java SE 7 Update 3, 6 Update 31 and 5.0 Update 34, and Linux distributions ship the fix as backported OpenJDK packages (for example RHSA-2012-0135 and DSA 2420-1, which the Nessus and OpenVAS plugins below check for). A possible mitigation has been published immediately after the disclosure of the vulnerability; where patching is delayed, disabling the Java browser plug-in removes the drive-by applet vector. Attack attempts may be identified with Snort ID 21438. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 12771.
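As an added check, not part of this entry nor of any scanner it lists, the method below tells whether a legacy Java version string such as 1.7.0_02 falls in the affected ranges given in the CVE text. The class name is hypothetical and the sample inputs are constructed. Caveat: it only understands Oracle-style version strings, reports unrecognised strings as not affected (so treat the result as a hint, not proof), and cannot see backports: distribution OpenJDK packages fix the flaw without bumping the update number, so for those rely on the package advisory (RHSA-2012-0135, DSA 2420-1) or the Nessus and OpenVAS plugins listed below.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added check, not from the advisory or any scanner on this page. Thresholds come
 * from the CVE text: 7u2 and earlier, 6u30 and earlier, 5.0u33 and earlier.
 * The class name is hypothetical.
 */
public final class Cve20120507VersionCheck {

    // Legacy (pre-Java 9) version strings: "1.7.0_02", "1.6.0_30-b12", "1.5.0_33", "1.7.0".
    private static final Pattern LEGACY = Pattern.compile("^1\\.([567])\\.0(?:_(\\d+))?");

    /** True when the JRE version lies in an affected range; false for Java 8 and later,
     *  for unrecognised strings, and for distribution builds whose fix is a backport. */
    public static boolean isAffected(String version) {
        Matcher m = LEGACY.matcher(version.trim());
        if (!m.find()) {
            return false;
        }
        int family = Integer.parseInt(m.group(1));
        int update = (m.group(2) == null) ? 0 : Integer.parseInt(m.group(2));
        switch (family) {
            case 7:  return update <= 2;
            case 6:  return update <= 30;
            case 5:  return update <= 33;
            default: return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the last entry is the running JVM's own version.
        String[] samples = {"1.7.0_02", "1.7.0_03", "1.6.0_30-b12", "1.6.0_31", "1.5.0_33",
                            "1.8.0_45", System.getProperty("java.version")};
        for (String v : samples) {
            System.out.printf("%-14s %s%n", v,
                isAffected(v) ? "AFFECTED by CVE-2012-0507, update to 7u3/6u31/5.0u34 or later"
                              : "not affected");
        }
    }
}
```

In the sample run 1.7.0_02, 1.6.0_30-b12 and 1.5.0_33 are flagged, while 1.7.0_03, 1.6.0_31 and 1.8.0_45 are not.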

The vulnerability is also documented in the databases at SecurityFocus (BID 52161), X-Force (72513), Secunia (SA48692), SecurityTracker (ID 1026724) and Vulnerability Center (SBV-34788). news.drweb.com is providing further details. Similar entries are available at 5253 and 5548.

CVSSv3

Base Score: 9.9
Temp Score: 9.5
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
Reliability: High

CVSSv2

Base Score: 8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
Temp Score: 7.4 (CVSS2#E:H/RL:OF/RC:C)
Reliability: High

Metric                  Options                       Selected (base vector above)
Access Vector (AV)      Local / Adjacent / Network    Network (N)
Access Complexity (AC)  High / Medium / Low           Medium (M)
Authentication (Au)     Multiple / Single / None      Single (S)
Confidentiality (C)     None / Partial / Complete     Complete (C)
Integrity (I)           None / Partial / Complete     Complete (C)
Availability (A)        None / Partial / Complete     Complete (C)

Exploiting

Class: Type confusion (sandbox bypass)
Local: No
Remote: Yes

Availability: Yes
Access: Public
Status: Highly functional
Wormified: Yes
Reliability: 98%
Programming Language: Java
Author: metasploit
Download: exploit-db.com

Current Price Estimation: $100k-$500k (0-day) / $0-$1k (Today)



Nessus ID: 802947
Nessus File: centos_RHSA-2012-0135.nasl
Nessus Risk: Critical
OpenVAS ID: 71148
OpenVAS Name: Debian Security Advisory DSA 2420-1 (openjdk-6)
OpenVAS File: deb_2420_1.nasl
OpenVAS Family: Debian Local Security Checks

Saint ID: exploit_info/java_se_atomicreferencearray_unsafe
Saint Name: Java SE AtomicReferenceArray Unsafe Security Bypass

Qualys ID: 119995

MetaSploit ID: java_atomicreferencearray.rb
MetaSploit File: metasploit-framework/modules/exploits/multi/browser/java_atomicreferencearray.rb
MetaSploit Name: Java AtomicReferenceArray Type Violation Vulnerability

Exploit-DB: 18679

Countermeasures

Recommended: Patch
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 43 days since known
Snort ID: 21438
Snort Class: trojan-activity
Snort Message: EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet

Suricata ID: 2014461
Suricata Class: bad-unknown
Suricata Message: ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific

TippingPoint: 12771
PaloAlto IPS: 34712

Fortigate IPS: 31415

Timeline

01/11/2012 CVE assigned
02/14/2012 +34 days Advisory disclosed
02/14/2012 +0 days Countermeasure disclosed
02/14/2012 +0 days SecurityFocus entry assigned
02/22/2012 +8 days SecurityTracker entry created
03/06/2012 +13 days VulnerabilityCenter entry assigned
03/28/2012 +22 days Exploit disclosed
03/30/2012 +2 days EDB entry disclosed
03/31/2012 +1 days OSVDB entry created
04/03/2012 +3 days VulDB entry created
04/03/2012 +0 days VulnerabilityCenter entry created
06/07/2012 +65 days NVD disclosed
08/22/2012 +76 days Nessus plugin released
03/22/2015 +942 days VulnerabilityCenter entry updated
07/08/2015 +108 days VulDB entry updated

Sources

Advisory: blogs.technet.com
Organization: Oracle
Status: Confirmed
Confirmation: oracle.com

CVE: CVE-2012-0507 (mitre.org) (nvd.nist.org) (cvedetails.com)

SecurityFocus: 52161 - Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
Secunia: 48692 - HP-UX update for Java, Highly Critical
X-Force: 72513 - Oracle Virtualization Virtual Desktop Infrastructure (VDI) code execution, High Risk
SecurityTracker: 1026724 - (Red Hat Issues Fix) Oracle Java SE Multiple Flaws Let Remote Users Execute Arbitrary Code and Deny Service
Vulnerability Center: 34788 - [javacpufeb2012-366318] Oracle JRE Improper Handling of Arrays Allows Unspecified Remote Vulnerability, Critical
OSVDB: 80724

Misc.: news.drweb.com
See also: 5253 , 5548

Entry

Created: 04/03/2012
Updated: 07/08/2015
Entry: 100% complete