CVE Reference: CVE-2012-4681

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE:
CVE-2012-4681

Description:
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

CVE Status:
Candidate

References:

SUSE
  http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html
  http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html

SAID
  Secunia Advisory: SA51044

REDHAT
  http://rhn.redhat.com/errata/RHSA-2012-1225.html

MISC
  http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
  http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html
  http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
  http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

HP
  http://marc.info/?l=bugtraq&m=135109152819176&w=2

CONFIRM
  http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

CERT
  http://www.us-cert.gov/cas/techalerts/TA12-240A.html


Return to the previous page.