InfoSec Handlers Diary Blog - Java 0-day impact to Java 6 (and beyond?)

SANS ISC: InfoSec Handlers Diary Blog - Java 0-day impact to Java 6 (and beyond?)

SANS Site Network
- Current Site
- Internet Storm Center
- Other SANS Sites Help
- Graduate Degree Programs
- Security Training
- Security Certification
- Security Awareness Training
- Penetration Testing
- Industrial Control Systems
- Cyber Defense Foundations
- Computer Forensics
- Software Security
- Government OnSite Training

InfoSec Handlers Diary Blog

Java 0-day impact to Java 6 (and beyond?)

Published: 2013-01-12
Last Updated: 2013-01-12 14:09:45 UTC
by Stephen Hall (Version: 1)

The ISC has covered Java recently a number of times with Johannes's commentary and the January 2013 OUCH! heads-up by Adam of the issues with Java 7 update 10 and the current 0-day doing the rounds.

However, the guys over at Immunity have released their analysis (PDF) of the MBeanInstantiator.findClass 0-day. Other than the excellent review of the 0-day they comment that:

"This vulnerability affects JDK 6 (at least from update 10 and greater) up to the latest JDK 7 update 10. The comments in the source code state that these classes MBeanInstantiator and JmxMBeanServer are available since JDK 5, but we did not check versions before JDK 6 update 10. "

So, this tells us that if you are using JDK 6 this 0-day likely now includes you as a potential target, and maybe even if you have systems with JDK 5 installed.

Let's hope Oracle patching this one soon, and if the article is correct, completely this time.

Steve

Keywords: 0 Day Java

9 comment(s)

Top of page

Diary Archives