Oracle Java 7 Update 10 and all prior Java 7 releases contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability is due to improper security protections on functions reserved for privileged access. An unauthenticated, remote attacker could exploit this vulnerability by attempting to persuade a user to follow a link to a malicious site using misleading language or instructions. If successful, the attacker could execute arbitrary code on the system with the privileges of the user.
Functional exploit code exists publicly as part of exploit toolkits and the Metasploit framework.
Oracle has confirmed the vulnerability and software updates are available.
Indicators of Compromise
Oracle Java 7 Update 10 and all prior Java 7 releases are vulnerable. Earlier major versions, Oracle Java 5 and Java 6, are not affected by this vulnerability.
The vulnerability is due to improper security protections on built-in classes in the Java Runtime Environment. An untrusted, unsigned Java applet can abuse these classes to reach an elevated security context and then call setSecurityManager() to remove the security manager, which bypasses the sandbox's security checks and allows the applet to take actions outside the protections of the sandbox environment.
An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a website that contains a malicious Java applet. When viewed, the applet could take actions in the user's browser outside the security protections of the Java Runtime Environment sandbox. As a result of bypassing the security protections, the attacker could execute arbitrary code on the system with the privileges of the user.
To exploit the vulnerability, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.
Functional exploit code is publicly available and the vulnerability is being actively exploited in the wild. Reports indicate that the Blackhole and Nuclear Pack exploit kits have incorporated this vulnerability, which lowers the skill needed to exploit it, and exploit source code has also been posted publicly, further increasing the likelihood of exploitation.
This vulnerability was first documented in Alert 27841.
Administrators are advised to apply the appropriate updates.
Users may consider using the previous major version of Java, which does not contain this vulnerability; note, however, that Java 6 has its own known vulnerabilities, so applying the vendor update is the preferred remedy.
Users are advised to disable Java content in web browsers through the Java Control Panel. This option was introduced in Java 7 Update 10; on earlier releases, the Java plug-in must be disabled in the browser itself.
Administrators may consider disabling Java and the Java plug-in in web browsers. Instructions for disabling Java in web browsers can be found at the following links:
Red Hat Enterprise Linux Workstation Supplementary
6 (IA-32, x86_64)
5 (IA-32, PPC, PPC64, S390, S390x, x86_64)
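The following shell script is an added example and is not part of the Cisco alert or any vendor material. It turns the two practical points above into a host check: it classifies the installed Java against the affected range (Java 7 Update 10 and earlier vulnerable; Java 5 and 6 outside this alert), and it verifies whether Java content in the browser has been switched off. The Java Control Panel records that switch as deployment.webjava.enabled=false in deployment.properties; the per-user and system-wide file paths used below are assumptions for this example, as is the environment variable that triggers the live checks.

```shell
#!/bin/sh
# Added example (not part of the Cisco alert): check a host against the
# affected Java range described in the alert and against the "disable Java
# content in the browser" mitigation. File paths and the JAVA_CHECK_RUN
# variable are assumptions made for this example.

# Pull the version string out of the text `java -version` prints (on stderr),
# e.g. 'java version "1.7.0_10"' -> 1.7.0_10.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[^"]*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if the version is covered by this alert (Java 7 GA through 7u10),
# 1 if it is outside that range (Java 5, 6, or 7u11 and later), and 2 if the
# string is not in the 1.x.0[_update] form the 1.x line uses.
java_affected() {
    ver="$1"
    case "$ver" in
        1.[0-9].0|1.[0-9].0_*) ;;
        *) return 2 ;;
    esac
    major=${ver#1.}; major=${major%%.*}
    case "$ver" in
        *_*) update=${ver##*_}; update=${update%%[!0-9]*} ;;
        *)   update=0 ;;               # 1.7.0 with no suffix is Java 7 GA
    esac
    [ -n "$update" ] || update=0
    if [ "$major" -eq 7 ] && [ "$update" -le 10 ]; then
        return 0
    fi
    return 1
}

# Return 0 if the given deployment.properties text disables Java content in
# browsers (deployment.webjava.enabled=false), 1 otherwise. The last
# occurrence of the key wins; CR line endings and whitespace are tolerated.
webjava_disabled_in() {
    printf '%s\n' "$1" | tr -d '\r' \
      | sed -n 's/^[[:space:]]*deployment\.webjava\.enabled[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
      | tail -n 1 | grep -qi '^false$'
}

# Live check of the Java on PATH.
check_local_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "java: not on PATH"; return 1
    fi
    out=$(java -version 2>&1)
    ver=$(java_version_from_output "$out")
    if java_affected "$ver"; then
        echo "java $ver: AFFECTED (Java 7 Update 10 or earlier), apply the update"
        return 0
    fi
    echo "java $ver: not in the affected range"
    return 1
}

# Live check of the browser switch. The per-user file holds the Control Panel
# setting; the system-wide file is where an administrator would enforce it.
check_local_webjava() {
    for f in "$HOME/.java/deployment/deployment.properties" \
             /etc/.java/deployment/deployment.properties; do
        if [ -r "$f" ] && webjava_disabled_in "$(cat "$f")"; then
            echo "$f: Java content in the browser is disabled"; return 0
        fi
    done
    echo "no deployment.properties found that disables Java content in the browser"
    return 1
}

# Run the live checks only when explicitly requested, so the functions can
# also be sourced into other scripts: JAVA_CHECK_RUN=1 sh java_check.sh
if [ "${JAVA_CHECK_RUN:-0}" = 1 ]; then
    check_local_java
    check_local_webjava
fi
```

The version classifier deliberately reports versions it cannot parse (anything not in the 1.x.0 form) as a third state rather than as "safe", so an unexpected vendor build does not silently pass the check.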
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.