Date: Thu, 10 Jan 2013 19:13:45 -0500 (EST)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-0422 assigned to today's Oracle Java 0-day

FYI - I saw a CERT/CC blog post that said this was exploitable on Linux.

======================================================
Name: CVE-2013-0422
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Reference: MISC:http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Reference: MISC:http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Reference: MISC:http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Reference: MISC:http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Reference: MISC:https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
Reference: CERT-VN:VU#625617
Reference: URL:http://www.kb.cert.org/vuls/id/625617

The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via vectors related to unspecified classes that allow access to the class loader, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681.