Signature Detail
This site is deprecated. Please CLICK HERE for latest updates
Short Name |
HTTP:STC:JAVA:JNDI-BYPASS |
|---|---|
Severity |
Major |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Oracle Java JNDI Sandbox Bypass |
Release Date |
2014/02/18 |
Update Number |
2346 |
Supported Platforms |
idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
HTTP: Oracle Java JNDI Sandbox Bypass
This signature detects attempts to exploit a known vulnerability against Oracle Java. The vulnerability is due to the insecure getContextClassLoader() method in the JNDI component. A remote unauthenticated attacker can exploit this vulnerability by enticing a user to visit a webpage containing a maliciously crafted Java applet. Successful exploitation could result in arbitrary code execution in the context of the currently logged in user.
Extended Description
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JNDI. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to missing package access checks in the Naming / JNDI component, which allows attackers to escape the sandbox.
Affected Products
- Oracle jdk 1.5.0
- Oracle jdk 1.6.0
- Oracle jdk 1.7.0
- Oracle jre 1.5.0
- Oracle jre 1.6.0
- Oracle jre 1.7.0
References
- BugTraq: 64921
- CVE: CVE-2014-0422