ID CVE-2010-0840
Summary Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:jre:1.6.0:update18:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.5.0:update23:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.4.2_25:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:11.1:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:11.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:11.2:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
CVSS
Base: 7.5 (as of 28-06-2024 - 17:36)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2015-03-23T04:00:33.787-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization DTCC
    • name Dragos Prisaca
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    definition_extensions
    • comment Java SE Development Kit 6 is installed
      oval oval:org.mitre.oval:def:15831
    • comment Java SE Runtime Environment 6 is installed
      oval oval:org.mitre.oval:def:16362
    • comment Java SE Runtime Environment 5 is installed
      oval oval:org.mitre.oval:def:15748
    • comment Java SE Development Kit 5 is installed
      oval oval:org.mitre.oval:def:16292
    description Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."
    family windows
    id oval:org.mitre.oval:def:13971
    status accepted
    submitted 2011-11-25T18:03:41.000-05:00
    title Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."
    version 11
  • accepted 2013-04-29T04:23:48.590-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Remote Code Execution Vulnerability."
    family unix
    id oval:org.mitre.oval:def:9974
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Remote Code Execution Vulnerability."
    version 18
redhat via4
advisories
  • rhsa
    id RHSA-2010:0337
  • rhsa
    id RHSA-2010:0338
  • rhsa
    id RHSA-2010:0339
  • rhsa
    id RHSA-2010:0383
  • rhsa
    id RHSA-2010:0471
  • rhsa
    id RHSA-2010:0489
rpms
  • java-1.6.0-sun-1:1.6.0.19-1jpp.1.el4
  • java-1.6.0-sun-1:1.6.0.19-1jpp.1.el5
  • java-1.6.0-sun-demo-1:1.6.0.19-1jpp.1.el4
  • java-1.6.0-sun-demo-1:1.6.0.19-1jpp.1.el5
  • java-1.6.0-sun-devel-1:1.6.0.19-1jpp.1.el4
  • java-1.6.0-sun-devel-1:1.6.0.19-1jpp.1.el5
  • java-1.6.0-sun-jdbc-1:1.6.0.19-1jpp.1.el4
  • java-1.6.0-sun-jdbc-1:1.6.0.19-1jpp.1.el5
  • java-1.6.0-sun-plugin-1:1.6.0.19-1jpp.1.el4
  • java-1.6.0-sun-plugin-1:1.6.0.19-1jpp.1.el5
  • java-1.6.0-sun-src-1:1.6.0.19-1jpp.1.el4
  • java-1.6.0-sun-src-1:1.6.0.19-1jpp.1.el5
  • java-1.5.0-sun-uninstall-0:1.5.0.22-1jpp.3.el4
  • java-1.5.0-sun-uninstall-0:1.5.0.22-1jpp.3.el5
  • java-1.6.0-openjdk-1:1.6.0.0-1.11.b16.el5
  • java-1.6.0-openjdk-debuginfo-1:1.6.0.0-1.11.b16.el5
  • java-1.6.0-openjdk-demo-1:1.6.0.0-1.11.b16.el5
  • java-1.6.0-openjdk-devel-1:1.6.0.0-1.11.b16.el5
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.11.b16.el5
  • java-1.6.0-openjdk-src-1:1.6.0.0-1.11.b16.el5
  • java-1.6.0-ibm-1:1.6.0.8-1jpp.1.el4
  • java-1.6.0-ibm-1:1.6.0.8-1jpp.1.el5
  • java-1.6.0-ibm-accessibility-1:1.6.0.8-1jpp.1.el5
  • java-1.6.0-ibm-demo-1:1.6.0.8-1jpp.1.el4
  • java-1.6.0-ibm-demo-1:1.6.0.8-1jpp.1.el5
  • java-1.6.0-ibm-devel-1:1.6.0.8-1jpp.1.el4
  • java-1.6.0-ibm-devel-1:1.6.0.8-1jpp.1.el5
  • java-1.6.0-ibm-javacomm-1:1.6.0.8-1jpp.1.el4
  • java-1.6.0-ibm-javacomm-1:1.6.0.8-1jpp.1.el5
  • java-1.6.0-ibm-jdbc-1:1.6.0.8-1jpp.1.el4
  • java-1.6.0-ibm-jdbc-1:1.6.0.8-1jpp.1.el5
  • java-1.6.0-ibm-plugin-1:1.6.0.8-1jpp.1.el4
  • java-1.6.0-ibm-plugin-1:1.6.0.8-1jpp.1.el5
  • java-1.6.0-ibm-src-1:1.6.0.8-1jpp.1.el4
  • java-1.6.0-ibm-src-1:1.6.0.8-1jpp.1.el5
  • java-1.5.0-ibm-1:1.5.0.11.2-1jpp.1.el4
  • java-1.5.0-ibm-1:1.5.0.11.2-1jpp.1.el5
  • java-1.5.0-ibm-accessibility-1:1.5.0.11.2-1jpp.1.el5
  • java-1.5.0-ibm-demo-1:1.5.0.11.2-1jpp.1.el4
  • java-1.5.0-ibm-demo-1:1.5.0.11.2-1jpp.1.el5
  • java-1.5.0-ibm-devel-1:1.5.0.11.2-1jpp.1.el4
  • java-1.5.0-ibm-devel-1:1.5.0.11.2-1jpp.1.el5
  • java-1.5.0-ibm-javacomm-1:1.5.0.11.2-1jpp.1.el4
  • java-1.5.0-ibm-javacomm-1:1.5.0.11.2-1jpp.1.el5
  • java-1.5.0-ibm-jdbc-1:1.5.0.11.2-1jpp.1.el4
  • java-1.5.0-ibm-jdbc-1:1.5.0.11.2-1jpp.1.el5
  • java-1.5.0-ibm-plugin-1:1.5.0.11.2-1jpp.1.el4
  • java-1.5.0-ibm-plugin-1:1.5.0.11.2-1jpp.1.el5
  • java-1.5.0-ibm-src-1:1.5.0.11.2-1jpp.1.el4
  • java-1.5.0-ibm-src-1:1.5.0.11.2-1jpp.1.el5
  • java-1.4.2-ibm-0:1.4.2.13.5-1jpp.1.el3
  • java-1.4.2-ibm-0:1.4.2.13.5-1jpp.1.el4
  • java-1.4.2-ibm-0:1.4.2.13.5-1jpp.1.el5
  • java-1.4.2-ibm-demo-0:1.4.2.13.5-1jpp.1.el3
  • java-1.4.2-ibm-demo-0:1.4.2.13.5-1jpp.1.el4
  • java-1.4.2-ibm-demo-0:1.4.2.13.5-1jpp.1.el5
  • java-1.4.2-ibm-devel-0:1.4.2.13.5-1jpp.1.el3
  • java-1.4.2-ibm-devel-0:1.4.2.13.5-1jpp.1.el4
  • java-1.4.2-ibm-devel-0:1.4.2.13.5-1jpp.1.el5
  • java-1.4.2-ibm-javacomm-0:1.4.2.13.5-1jpp.1.el4
  • java-1.4.2-ibm-javacomm-0:1.4.2.13.5-1jpp.1.el5
  • java-1.4.2-ibm-jdbc-0:1.4.2.13.5-1jpp.1.el3
  • java-1.4.2-ibm-jdbc-0:1.4.2.13.5-1jpp.1.el4
  • java-1.4.2-ibm-jdbc-0:1.4.2.13.5-1jpp.1.el5
  • java-1.4.2-ibm-plugin-0:1.4.2.13.5-1jpp.1.el3
  • java-1.4.2-ibm-plugin-0:1.4.2.13.5-1jpp.1.el4
  • java-1.4.2-ibm-plugin-0:1.4.2.13.5-1jpp.1.el5
  • java-1.4.2-ibm-src-0:1.4.2.13.5-1jpp.1.el3
  • java-1.4.2-ibm-src-0:1.4.2.13.5-1jpp.1.el4
  • java-1.4.2-ibm-src-0:1.4.2.13.5-1jpp.1.el5
  • java-1.4.2-ibm-sap-0:1.4.2.13.5.sap-1jpp.1.el4_8
  • java-1.4.2-ibm-sap-0:1.4.2.13.5.sap-1jpp.1.el5
  • java-1.4.2-ibm-sap-demo-0:1.4.2.13.5.sap-1jpp.1.el4_8
  • java-1.4.2-ibm-sap-demo-0:1.4.2.13.5.sap-1jpp.1.el5
  • java-1.4.2-ibm-sap-devel-0:1.4.2.13.5.sap-1jpp.1.el4_8
  • java-1.4.2-ibm-sap-devel-0:1.4.2.13.5.sap-1jpp.1.el5
  • java-1.4.2-ibm-sap-javacomm-0:1.4.2.13.5.sap-1jpp.1.el4_8
  • java-1.4.2-ibm-sap-javacomm-0:1.4.2.13.5.sap-1jpp.1.el5
  • java-1.4.2-ibm-sap-src-0:1.4.2.13.5.sap-1jpp.1.el4_8
  • java-1.4.2-ibm-sap-src-0:1.4.2.13.5.sap-1jpp.1.el5
refmap via4
apple
  • APPLE-SA-2010-05-18-1
  • APPLE-SA-2010-05-18-2
bid 39065
bugtraq
  • 20100405 ZDI-10-056: Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability
  • 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
confirm
hp
  • HPSBMA02547
  • HPSBMU02799
  • HPSBUX02524
  • SSRT100089
  • SSRT100179
mandriva MDVSA-2010:084
misc http://www.zerodayinitiative.com/advisories/ZDI-10-056
secunia
  • 39292
  • 39317
  • 39659
  • 39819
  • 40211
  • 40545
  • 43308
suse
  • SUSE-SR:2010:008
  • SUSE-SR:2010:011
  • SUSE-SR:2010:017
ubuntu USN-923-1
vupen
  • ADV-2010-1107
  • ADV-2010-1191
  • ADV-2010-1454
  • ADV-2010-1523
  • ADV-2010-1793
Last major update 28-06-2024 - 17:36
Published 01-04-2010 - 16:30
Last modified 28-06-2024 - 17:36