Computer Security
[EN] securityvulns.ru no-pyccku


Java environment limitations bypass
updated since 29.08.2012
Published:02.09.2012
Source:
SecurityVulns ID:12548
Type:library
Threat Level:
8/10
Description:There are few ways to bypass limitations and execute privileged code from the applet.
Affected:ORACLE : JDK 7
 ORACLE : JRE 7
CVE:CVE-2012-4681 (Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.)
Original documentdocumentSecurity Explorations, [SE-2012-01] New security issue affecting Java SE 7 Update 7 (02.09.2012)
 documentCERT, US-CERT Alert TA12-240A - Oracle Java 7 Security Manager Bypass Vulnerability (29.08.2012)
 documentSecurity Explorations, [SE-2012-01] information regarding recently discovered Java 7 attack (29.08.2012)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod