CVE-2013-2422

Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper method-invocation restrictions by the MethodUtil trampoline class, which allows remote attackers to bypass the Java sandbox.

10.0

CVSS

Severity: Critical

CVSS 2.0 •

EPSS 11.48% Top 10%

Vendor Advisory opensuse.org Vendor Advisory gentoo.org Vendor Advisory opensuse.org Vendor Advisory redhat.com Vendor Advisory apple.com Vendor Advisory mandriva.com Vendor Advisory marc.info Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory opensuse.org Vendor Advisory mandriva.com Vendor Advisory opensuse.org Vendor Advisory redhat.com Vendor Advisory ubuntu.com Vendor Advisory redhat.com Vendor Advisory opensuse.org Vendor Advisory oracle.com

Affected: n/a n/a

References

Link	Tags
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html	vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19087	vdb entry signature
http://security.gentoo.org/glsa/glsa-201406-32.xml	vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=952642
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html	mailing list
http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html	vendor advisory
http://rhn.redhat.com/errata/RHSA-2013-0758.html	vendor advisory
http://lists.apple.com/archives/security-announce/2013/Apr/msg00001.html	vendor advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:145	vendor advisory
http://www.us-cert.gov/ncas/alerts/TA13-107A	third party advisory us government resource
http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/
http://marc.info/?l=bugtraq&m=137283787217316&w=2	vendor advisory
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
http://rhn.redhat.com/errata/RHSA-2013-1455.html	vendor advisory
http://rhn.redhat.com/errata/RHSA-2013-0757.html	vendor advisory
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html	vendor advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161	vendor advisory
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html	vendor advisory
http://rhn.redhat.com/errata/RHSA-2013-0752.html	vendor advisory
http://www.ubuntu.com/usn/USN-1806-1	vendor advisory
http://www.securityfocus.com/bid/59228	vdb entry
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2899c3dbf5e8
http://rhn.redhat.com/errata/RHSA-2013-1456.html	vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16561	vdb entry signature
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html	vendor advisory
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html	vendor advisory
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/

Frequently Asked Questions

What is the severity of CVE-2013-2422?: CVE-2013-2422 has been scored as a critical severity vulnerability.
How to fix CVE-2013-2422?: To fix CVE-2013-2422, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2013-2422 being actively exploited in the wild?: It is possible that CVE-2013-2422 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~11% probability that this vulnerability will be exploited by malicious actors in the next 30 days.