CVE-2013-3009

Severity

93%

Complexity

86%

Confidentiality

165%

The com.ibm.CORBA.iiop.ClientDelegate class in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 improperly exposes the invoke method of the java.lang.reflect.Method class, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to the AccessController doPrivileged block.

The com.ibm.CORBA.iiop.ClientDelegate class in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 improperly exposes the invoke method of the java.lang.reflect.Method class, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to the AccessController doPrivileged block.

CVSS 2.0 Base Score 9.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C).

Overview

Type

IBM Java

First reported 11 years ago

2013-07-23 11:03:00

Last updated 7 years ago

2017-11-29 02:29:00

Affected Software

IBM Java 1.4.2

1.4.2

IBM Java 1.4.2.13 Service Refresh 13

1.4.2.13

IBM Java 1.4.2.13.1 Service Refresh 13 (FixPack 1)

1.4.2.13.1

IBM Java 1.4.2.13.2 Service Refresh 13 (FixPack 2)

1.4.2.13.2

IBM Java 1.4.2.13.3 Service Refresh 13 (FixPack 3)

1.4.2.13.3

IBM Java 1.4.2.13.4 Service Refresh 13 (FixPack 4)

1.4.2.13.4

IBM Java 1.4.2.13.5 Service Refresh 13 (FixPack 5)

1.4.2.13.5

IBM Java 1.4.2.13.6 Service Refresh 13 (FixPack 6)

1.4.2.13.6

IBM Java 1.4.2.13.7 Service Refresh 13 (FixPack 7)

1.4.2.13.7

IBM Java 1.4.2.13.8 Service Refresh 13 (FixPack 8)

1.4.2.13.8

IBM Java 1.4.2.13.9 Service Refresh 13 (FixPack 9)

1.4.2.13.9

IBM Java 1.4.2.13.10 Service Refresh 13 (FixPack 10)

1.4.2.13.10

IBM Java 1.4.2.13.11 Service Refresh 13 (FixPack 11)

1.4.2.13.11

IBM Java 1.4.2.13.12 Service Refresh 13 (FixPack 12)

1.4.2.13.12

IBM Java 1.4.2.13.13 Service Refresh 13 (FixPack 13)

1.4.2.13.13

IBM Java 1.4.2.13.14 Service Refresh 13 (FixPack 14)

1.4.2.13.14

IBM Java 1.4.2.13.15 Service Refresh 13 (FixPack 15)

1.4.2.13.15

IBM Java 1.4.2.13.16 Service Refresh 13 (FixPack 16)

1.4.2.13.16

IBM Java 1.4.2.13.17 Service Refresh 13 (FixPack 17)

1.4.2.13.17

IBM Java 7.0.0.0

7.0.0.0

IBM Java 7.0.1.0 Service Refresh 1

7.0.1.0

IBM Java 7.0.2.0 Service Refresh 2

7.0.2.0

IBM Java 7.0.3.0 Service Refresh 3

7.0.3.0

IBM Java 7.0.4.0 Service Refresh 4

7.0.4.0

IBM Java 7.0.4.1 Service Refresh 4 (Fix Pack 1)

7.0.4.1

IBM Java 7.0.4.2 Service Refresh 4 (Fix Pack 2)

7.0.4.2

IBM Java 6.0.0.0

6.0.0.0

IBM Java 6.0.1.0 Service Refresh 1

6.0.1.0

IBM Java 6.0.2.0 Service Refresh 2

6.0.2.0

IBM Java 6.0.3.0 Service Refresh 3

6.0.3.0

IBM Java 6.0.4.0 Service Refresh 4

6.0.4.0

IBM Java 6.0.5.0 Service Refresh 5

6.0.5.0

IBM Java 6.0.6.0 Service Refresh 6

6.0.6.0

IBM Java 6.0.7.0 Service Refresh 7

6.0.7.0

IBM Java 6.0.8.0 Service Refresh 8

6.0.8.0

IBM Java 6.0.8.1 Service Refresh 8 (FixPack 1)

6.0.8.1

IBM Java 6.0.9.0 Service Refresh 9

6.0.9.0

IBM Java 6.0.9.1 Service Refresh 9 (FixPack 1)

6.0.9.1

IBM Java 6.0.9.2 Service Refresh 9 (FixPack 2)

6.0.9.2

IBM Java 6.0.10.0 Service Refresh 10

6.0.10.0

IBM Java 6.0.10.1 Service Refresh 10 (FixPack 1)

6.0.10.1

IBM Java 6.0.11.0 Service Refresh 11

6.0.11.0

IBM Java 6.0.12.0 Service Refresh 12

6.0.12.0

IBM Java 6.0.13.0 Service Refresh 13

6.0.13.0

IBM Java 6.0.13.1 Service Refresh 13 (Fix Pack 1)

6.0.13.1

IBM Java 6.0.13.2 Service Refresh 13 (Fix Pack 2)

6.0.13.2

IBM Java 5.0.0.0

5.0.0.0

IBM Java 5.0.11.0 Service Refresh 11

5.0.11.0

IBM Java 5.0.11.1 Service Refresh 11 (FixPack 1)

5.0.11.1

IBM Java 5.0.11.2 Service Refresh 11 (FixPack 2)

5.0.11.2

IBM Java 5.0.12.0 Service Refresh 12

5.0.12.0

IBM Java 5.0.12.1 Service Refresh 12 (FixPack 1)

5.0.12.1

IBM Java 5.0.12.2 Service Refresh 12 (FixPack 2)

5.0.12.2

IBM Java 5.0.12.3 Service Refresh 12 (FixPack 3)

5.0.12.3

IBM Java 5.0.12.4 Service Refresh 12 (FixPack 4)

5.0.12.4

IBM Java 5.0.12.5 Service Refresh 12 (FixPack 5)

5.0.12.5

IBM Java 5.0.13.0 Service Refresh 13

5.0.13.0

IBM Java 5.0.14.0 Service Refresh 14

5.0.14.0

IBM Java 5.0.15.0 Service Refresh 15

5.0.15.0

IBM Java 5.0.16.0 Service Refresh 16

5.0.16.0

IBM Java 5.0.16.1 Service Refresh 16 (Fix Pack 1)

5.0.16.1

IBM Java 5.0.16.2 Service Refresh 16 (Fix Pack 2)

5.0.16.2

References

SUSE-SU-2013:1255

SUSE-SU-2013:1256

SUSE-SU-2013:1257

SUSE-SU-2013:1263

SUSE-SU-2013:1264

SUSE-SU-2013:1293

SUSE-SU-2013:1305

RHSA-2013:1059

RHSA-2013:1060

RHSA-2013:1081

20160405 Re: [SE-2012-01] Broken security fix in IBM Java 7/8

20160404 [SE-2012-01] Broken security fix in IBM Java 7/8

54154

Vendor Advisory

http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013

Vendor Advisory

http://www.security-explorations.com/materials/SE-2012-01-IBM-2.pdf

http://www.security-explorations.com/materials/SE-2012-01-IBM-4.pdf

IV44792

IX90118

PM91727

http://www-01.ibm.com/support/docview.wss?uid=swg21642336

Vendor Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg21644197

Vendor Advisory

ibm-java-cve20133009(84150)

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.