CVE-2012-4681
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
Analysis
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName methods, enabling complete sandbox escape for untrusted applets. Massively exploited by exploit kits in 2012.
Technical Context
The CWE-284 sandbox bypass chains two flaws: (1) com.sun.beans.finder.ClassFinder.findClass allows access to restricted classes, and (2) exception handling during forName() leaks class references that should be inaccessible. Together, these allow full SecurityManager bypass from unsigned applets.
Affected Products
['Oracle Java SE 7 Update 6 and earlier', 'Oracle Java SE JRE 7 Update 6 and earlier']
Remediation
Java browser plugins are deprecated and should be removed. Update to latest Java version if JRE is required for desktop applications. Disable Java in web browsers via Java Control Panel.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today