CVE-2012-0507
CVE-2012-0507 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. CISA has confirmed active exploitation in the wild. EPSS estimates a 98.24% chance of exploitation in the next 30 days.
Description
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by the due date given in the catalog entry.
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Sun | Jre | 1.5.0 | — |
| Oracle | Jre | 1.6.0 | Update22 |
| Sun | Jre | 1.6.0 | — |
| Oracle | Jre | 1.7.0 | — |
| Debian | Debian Linux | 6.0 | — |
| Debian | Debian Linux | 7.0 | — |
| Suse | Linux Enterprise Desktop | 10 | Sp4 |
| Suse | Linux Enterprise Java | 10 | Sp4 |
| Suse | Linux Enterprise Java | 11 | Sp1 |
| Suse | Linux Enterprise Server | 10 | Sp4 |
| Suse | Linux Enterprise Server | 11 | Sp1 |
| Suse | Linux Enterprise Software Development Kit | 11 | Sp1 |
References
- http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx (Broken Link, Third Party Advisory)
- http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/ (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html (Issue Tracking, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00010.html (Mailing List, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=133364885411663&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=133365109612558&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=133847939902305&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=134254866602253&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=134254957702612&w=2 (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2012-0508.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2012-0514.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-1455.html (Third Party Advisory)
- http://secunia.com/advisories/48589 (Broken Link, Not Applicable)
- http://secunia.com/advisories/48692 (Broken Link, Not Applicable)
- http://secunia.com/advisories/48915 (Broken Link, Not Applicable)
- http://secunia.com/advisories/48948 (Broken Link, Not Applicable)
- http://secunia.com/advisories/48950 (Broken Link, Not Applicable)
- http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3 (Broken Link, Exploit)
- http://www.debian.org/security/2012/dsa-2420 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/52161 (Broken Link, Exploit, Third Party Advisory, VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=788994 (Issue Tracking)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0507 (US Government Resource)
Source: NVD / NIST
