CVE-2013-1488

Published: 08/03/2013 Updated: 19/09/2017
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and previous versions, and OpenJDK 6 and 7, allows remote malicious users to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.

Vulnerable Product

oracle jre 1.7.0

oracle jdk 1.7.0

Vendor Advisories

Synopsis Important: java-160-openjdk security update Type/Severity Security Advisory: Important Topic Updated java-160-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important secur ...
Synopsis Important: java-170-openjdk security update Type/Severity Security Advisory: Important Topic Updated java-170-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security im ...
Synopsis Critical: java-170-oracle security update Type/Severity Security Advisory: Critical Topic Updated java-170-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having crit ...
Synopsis Critical: java-170-openjdk security update Type/Severity Security Advisory: Critical Topic Updated java-170-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impac ...
Several security issues were fixed in OpenJDK 6 ...
Several security issues were fixed in OpenJDK 7 ...
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384). Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI compone ...
The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 20 ...

Exploits

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # web site for more information on licensing and terms of use # metasploitcom/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking incl ...

Github Repositories

PoC Java exploit based on http://www.contextis.com/research/blog/java-pwn2own/

Java Pwn2Own exploit - CVE-2013-1488. Proof-of-Concept exploit by axt, based on the writeup by James Forshaw. Affects JRE versions before 7u21.

References

CWE-94
https://twitter.com/thezdi/status/309425888188043264
http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
https://bugzilla.redhat.com/show_bug.cgi?id=920247
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/a19614a3dabb
http://rhn.redhat.com/errata/RHSA-2013-0752.html
http://www.ubuntu.com/usn/USN-1806-1
http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html
http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
http://www.us-cert.gov/ncas/alerts/TA13-107A
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
http://www.mandriva.com/security/advisories?name=MDVSA-2013:145
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html
http://security.gentoo.org/glsa/glsa-201406-32.xml
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16511
https://nvd.nist.gov
https://access.redhat.com/errata/RHSA-2013:0770
https://usn.ubuntu.com/1819-1/
https://www.exploit-db.com/exploits/26135/
https://access.redhat.com/security/cve/cve-2013-1488