Vulnerability ID 5548

Oracle Java SE JRE up to 7 Update 4 Hotspot buffer overflow

Oracle
CVSSv3 Temp ScoreCurrent Exploit Price (≈)
9.5$0-$1k

A vulnerability has been found in Oracle Java SE JRE up to 7 Update 4 and classified as critical. This vulnerability affects an unknown function of the component Hotspot. The manipulation with an unknown input leads to a buffer overflow vulnerability. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

The weakness was presented 06/12/2012 by Andrei Costin with Oracle as confirmed bulletin. The advisory is shared for download at oracle.com. The public release was coordinated in cooperation with the vendor. This vulnerability was named CVE-2012-1723 since 03/16/2012. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are unknown but a private exploit is available.

After 2 months, there has been an exploit disclosed. The exploit is shared for download at exploit-db.com. As 0-day the estimated underground price was around $25k-$50k. The vulnerability scanner Nessus provides a plugin with the ID 69695 (Amazon Linux AMI : java-1.6.0-openjdk Multiple Vulnerabilities (ALAS-2012-88)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Amazon Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 120282.

Applying a patch is able to eliminate this problem. The bugfix is ready for download at oracle.com. A possible mitigation has been published immediately after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 21438. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 12877.

The vulnerability is also documented in the databases at SecurityFocus (BID 52161), Secunia (SA49472), SecurityTracker (ID 1027153) and Vulnerability Center (SBV-35344). Additional details are provided at support.apple.com. Similar entries are available at 5000, 5539, 5540 and 5541.

Video


CVSSv3

Base Score: 10.0 [?]
Temp Score: 9.5 [?]
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:O/RC:C [?]
Reliability: High

CVSSv2

Base Score: 9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C) [?]
Temp Score: 8.1 (CVSS2#E:ND/RL:OF/RC:C) [?]
Reliability: High

AVACAuCIA
LHMNNN
AMSPPP
NLNCCC
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
LocalHighMultipleNoneNoneNone
AdjacentMediumSinglePartialPartialPartial
NetworkLowNoneCompleteCompleteComplete

CPE

Exploiting

Class: Buffer overflow
Local: No
Remote: Yes

Availability: Yes
Access: Private
Download: exploit-db.com

Current Price Estimation: $25k-$50k (0-day) / $0-$1k (Today)

0-Day$0-$1k$1k-$2k$2k-$5k$5k-$10k$10k-$25k$25k-$50k$50k-$100k$100k-$500k
Today$0-$1k$1k-$2k$2k-$5k$5k-$10k$10k-$25k$25k-$50k$50k-$100k$100k-$500k


Nessus ID: 69695
Nessus Name: Amazon Linux AMI : java-1.6.0-openjdk Multiple Vulnerabilities (ALAS-2012-88)
Nessus File: ala_ALAS-2012-88.nasl
Nessus Family: Amazon Linux Local Security Checks
OpenVAS ID: 71486
OpenVAS Name: Debian Security Advisory DSA 2507-1 (openjdk-6)
OpenVAS File: deb_2507_1.nasl
OpenVAS Family: Debian Local Security Checks

Saint ID: exploit_info/oracle_java_hotspot_bytecode_verifier
Saint Name: Oracle Java Runtime Hotspot Bytecode Verifier Type Confusion

Qualys ID: 120282

MetaSploit ID: java_verifier_field_access.rb
MetaSploit File: metasploit-framework/modules/exploits/multi/browser/java_verifier_field_access.rb
MetaSploit Name: Java Applet Field Bytecode Verifier Cache Remote Code Execution

Exploit-DB: 19717

Countermeasures

Recommended: Patch
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 29 days since known

Patch: oracle.com

Snort ID: 21438
Snort Class: trojan-activity
Snort Message: EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet

Suricata ID: 2015849
Suricata Class: trojan-activity
Suricata Message: ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12

TippingPoint: 12877
PaloAlto IPS: 34888

Fortigate IPS: 32475

Timeline

03/16/2012 CVE assigned
06/12/2012 +88 days Advisory disclosed
06/12/2012 +0 days Countermeasure disclosed
06/12/2012 +0 days OSVDB entry created
06/14/2012 +2 days VulDB entry created
06/16/2012 +2 days NVD disclosed
06/16/2012 +0 days VulnerabilityCenter entry assigned
06/18/2012 +2 days VulnerabilityCenter entry created
07/11/2012 +23 days Exploit disclosed
03/22/2015 +984 days VulnerabilityCenter entry updated
07/08/2015 +109 days VulDB entry updated

Sources

Advisory: oracle.com
Researcher: Andrei Costin
Organization: Oracle
Status: Confirmed
Confirmation: oracle.com
Coordinated: Yes

CVE: CVE-2012-1723 (mitre.org) (nvd.nist.org) (cvedetails.com)

SecurityFocus: 52161 - Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability
Secunia: 49472 - Oracle Java Multiple Vulnerabilities, Highly Critical
SecurityTracker: 1027153 - Oracle Java SE Multiple Flaws Let Remote Users Execute Arbitrary Code and Deny Service
Vulnerability Center: 35344 - [javacpujun2012-1515912] JRE Component in Oracle Java SE Remote Unspecified Vulnerability via Vectors Related to Hotspot, Critical
OSVDB: 82877 - Oracle Java SE / JRE Hotspot Bytecode Verifier Type Confusion Remote Code Execution

Misc.: support.apple.com
See also: 5000, 5539, 5540, 5541, 5542, 5543, 5544, 5545, 5546, 5547, 5549, 5550, 5551

Entry

Created: 06/14/2012
Updated: 07/08/2015
Entry: 100% complete