CVE-2013-2460
Severity: CRITICAL
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.
Analysis
Oracle Java SE 7 Update 21 and earlier contains an unspecified vulnerability in the JRE Serviceability component that allows remote attackers to achieve complete system compromise through crafted content. The vulnerability was chained in exploit kits targeting browser-based Java plugin installations.
Technical Context
The Serviceability subsystem of the JRE handles debugging and monitoring interfaces. This vulnerability allows escape from the Java sandbox, enabling arbitrary code execution with the privileges of the JRE process. In browser contexts, this means escaping the applet sandbox to execute native code on the client machine.
Affected Products
- Oracle Java SE 7 Update 21 and earlier
- OpenJDK 7
Remediation
Upgrade to a current Java SE LTS release (Java 21+). Remove the Java browser plugin from all endpoints. For server deployments still on Java 7, apply the June 2013 Critical Patch Update and implement network-level controls to limit exposure.
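A small inventory triage helper, added here as an example and not part of the vuln.today page or any Oracle tooling: it parses the first line of `java -version` output and flags runtimes inside the affected range stated above (Java SE 7 Update 21 or earlier). The sample inventory lines are constructed, and applying the same Update 21 cutoff to OpenJDK 7 builds is an assumption, since the page does not state which OpenJDK 7 build carries the fix.

```python
import re
from typing import Dict, Optional, Tuple

# Matches the first line of `java -version`, e.g.
#   java version "1.7.0_21"        (legacy 1.<feature>.0_<update> scheme)
#   openjdk version "1.7.0_25"
#   java version "21.0.2"          (post-Java 9 <feature>.<interim>.<update> scheme)
_VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"')


def parse_java_version(first_line: str) -> Optional[Tuple[int, int]]:
    """Return (feature_release, update) from a `java -version` line, or None if unparseable."""
    m = _VERSION_RE.match(first_line.strip())
    if not m:
        return None
    ver = m.group(1)
    if ver.startswith("1."):
        # Legacy scheme: "1.7.0_21" -> (7, 21); a trailing "-ea"/"-b11" suffix is ignored
        parts = ver[2:].split("_")
        feature = int(parts[0].split(".")[0])
        update = int(parts[1].split("-")[0]) if len(parts) > 1 else 0
    else:
        # Modern scheme: "21.0.2" -> (21, 2); "17" alone -> (17, 0)
        nums = ver.split("-")[0].split(".")
        feature = int(nums[0])
        update = int(nums[2]) if len(nums) > 2 else 0
    return feature, update


def affected_by_cve_2013_2460(first_line: str) -> Optional[bool]:
    """True if the runtime is Java SE 7 Update 21 or earlier, False if newer, None if unparseable.

    Assumption: OpenJDK 7 builds report the same 1.7.0_NN scheme and are treated
    with the same Update 21 cutoff; the page itself does not give an OpenJDK fix build.
    """
    parsed = parse_java_version(first_line)
    if parsed is None:
        return None
    feature, update = parsed
    return feature == 7 and update <= 21


# Constructed sample inventory (hostnames and version lines are made up for this example)
SAMPLE_INVENTORY = {
    "host-a": 'java version "1.7.0_21"',
    "host-b": 'openjdk version "1.7.0_25"',
    "host-c": 'java version "21.0.2"',
    "host-d": "no java found",
}


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host to its affected status so unparseable hosts (None) can be followed up manually."""
    return {host: affected_by_cve_2013_2460(line) for host, line in inventory.items()}
```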