Signature Detail
Short Name |
HTTP:STC:JAVA:JNDI-BYPASS |
|---|---|
Severity |
High |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Oracle Java JNDI Sandbox Bypass |
Release Date |
2014/02/18 |
Update Number |
2346 |
Supported Platforms |
idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Oracle Java JNDI Sandbox Bypass
This signature detects attempts to exploit a known vulnerability against Oracle Java. The vulnerability is due to the insecure getContextClassLoader() method in the JNDI component. A remote unauthenticated attacker can exploit this vulnerability by enticing a user to visit a webpage containing a maliciously crafted Java applet. Successful exploitation could result in arbitrary code execution in the context of the currently logged in user.
Extended Description
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java SE Embedded 7u45, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JNDI.
Affected Products
- oracle jdk 1.5.0 (update_55)
- oracle jdk 1.6.0 (update_65)
- oracle jdk 1.7.0 (update_45)
- oracle jre 1.5.0 (update_55)
- oracle jre 1.6.0 (update_65)
- oracle jre 1.7.0 (update_45)
References
- BugTraq: 64921
- CVE: CVE-2014-0422