ID CVE-2013-2460
Summary Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component. Per: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html 'Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.'
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update21:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update21:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update21:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update21:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 19-09-2017 - 01:36)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
oval via4
  • accepted 2015-03-23T04:00:58.162-04:00
    class vulnerability
    contributors
    • name Maria Kedovskaya
      organization ALTX-SOFT
    • name Maria Mikhno
      organization ALTX-SOFT
    definition_extensions
    comment Java SE Runtime Environment 7 is installed
    oval oval:org.mitre.oval:def:16050
    description Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.
    family windows
    id oval:org.mitre.oval:def:17116
    status accepted
    submitted 2013-06-19T10:26:26.748+04:00
    title integrity, and availability via unknown vectors related to Serviceability.
    version 8
  • accepted 2015-04-20T04:00:55.190-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.
    family unix
    id oval:org.mitre.oval:def:19129
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
    version 44
redhat via4
advisories
  • rhsa
    id RHSA-2013:0963
  • rhsa
    id RHSA-2013:1060
rpms
  • java-1.7.0-openjdk-1:1.7.0.25-2.3.10.3.el6_4
  • java-1.7.0-openjdk-demo-1:1.7.0.25-2.3.10.3.el6_4
  • java-1.7.0-openjdk-devel-1:1.7.0.25-2.3.10.3.el6_4
  • java-1.7.0-openjdk-javadoc-1:1.7.0.25-2.3.10.3.el6_4
  • java-1.7.0-openjdk-src-1:1.7.0.25-2.3.10.3.el6_4
  • java-1.7.0-openjdk-1:1.7.0.25-2.3.10.4.el5_9
  • java-1.7.0-openjdk-demo-1:1.7.0.25-2.3.10.4.el5_9
  • java-1.7.0-openjdk-devel-1:1.7.0.25-2.3.10.4.el5_9
  • java-1.7.0-openjdk-javadoc-1:1.7.0.25-2.3.10.4.el5_9
  • java-1.7.0-openjdk-src-1:1.7.0.25-2.3.10.4.el5_9
refmap via4
cert TA13-169A
confirm
gentoo GLSA-201406-32
hp HPSBUX02907
mandriva MDVSA-2013:183
misc http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a
secunia 54154
suse
  • SUSE-SU-2013:1256
  • SUSE-SU-2013:1257
saint via4
bid 60635
description Oracle Java Serviceability Subcomponent ProviderSkeleton Class Vulnerability
id web_client_jre
osvdb 94346
title oracle_java_serviceability_providerskeleton
type client
Last major update 19-09-2017 - 01:36
Published 18-06-2013 - 22:55
Back to Top