CVE-2012-0507 — CRITICAL (9.8)

Vulnerability Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Sun	Jre	1.5.0
Oracle	Jre	1.6.0
Debian	Debian Linux	6.0
Suse	Linux Enterprise Desktop	10
Suse	Linux Enterprise Java	10
Suse	Linux Enterprise Server	10
Suse	Linux Enterprise Software Development Kit	11

Related Weaknesses (CWE)

CWE-843

References

http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-saBroken LinkThird Party Advisory
http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.htmlIssue TrackingThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00010.htmlMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=133364885411663&w=2Third Party Advisory
http://marc.info/?l=bugtraq&m=133365109612558&w=2Third Party Advisory
http://marc.info/?l=bugtraq&m=133847939902305&w=2Third Party Advisory
http://marc.info/?l=bugtraq&m=134254866602253&w=2Third Party Advisory
http://marc.info/?l=bugtraq&m=134254957702612&w=2Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-0508.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-0514.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-1455.htmlThird Party Advisory
http://secunia.com/advisories/48589Broken LinkNot Applicable
http://secunia.com/advisories/48692Broken LinkNot Applicable
http://secunia.com/advisories/48915Broken LinkNot Applicable

FAQ

What is CVE-2012-0507?

CVE-2012-0507 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to af...

How severe is CVE-2012-0507?

CVE-2012-0507 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2012-0507?

Check the references section above for vendor advisories and patch information. Affected products include: Sun Jre, Oracle Jre, Debian Debian Linux, Suse Linux Enterprise Desktop, Suse Linux Enterprise Java.