
SANS ISC InfoSec Handlers Diary Blog



Java 0-day impact to Java 6 (and beyond?)

Published: 2013-01-12
Last Updated: 2013-01-12 14:09:45 UTC
by Stephen Hall (Version: 1)

The ISC has covered Java a number of times recently, with Johannes's commentary and the January 2013 OUCH! heads-up by Adam about the issues with Java 7 update 10 and the current 0-day doing the rounds.

However, the guys over at Immunity have released their analysis (PDF) of the MBeanInstantiator.findClass 0-day. Beyond their excellent review of the 0-day, they comment that:

"This vulnerability affects JDK 6 (at least from update 10 and greater) up to the latest JDK 7 update 10. The comments in the source code state that these classes MBeanInstantiator and JmxMBeanServer are available since JDK 5, but we did not check versions before JDK 6 update 10."

So, this tells us that if you are using JDK 6, this 0-day likely now includes you as a potential target, and that may even be true if you have systems with JDK 5 installed.

Let's hope Oracle patches this one soon and, if the article is correct, completely this time.

Steve

Keywords: 0 Day Java