CVE-2012-5076
Published: 16 October 2012
Summary
CVE-2012-5076 is a critical-severity Improper Access Control (CWE-284) vulnerability in Oracle Jre. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).
Deeper analysis
The unspecified vulnerability CVE-2012-5076 resides in the Java Runtime Environment component of Oracle Java SE 7 Update 7 and earlier releases and is associated with JAX-WS. It carries a CVSS 3.1 base score of 9.8 and is tracked under CWE-284, indicating an improper access-control issue that can be reached over the network without authentication.
Remote attackers can exploit the flaw to impact the confidentiality, integrity, and availability of affected systems. Because the vector requires no user interaction and grants full read-write-execute impact, successful exploitation can lead to complete compromise of the Java process and any data it handles.
Vendor advisories referenced in the CVE entry, including Red Hat errata RHSA-2012-1386, RHSA-2012-1391, and RHSA-2012-1467 as well as the corresponding OpenSUSE and Secunia notices, address the issue through updated Java packages that remediate the JAX-WS exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-4999
Vulnerability details
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.
- CWE(s)
- KEV Date Added
- 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of vendor patches that remediate the JAX-WS flaw in Java SE 7 Update 7 and earlier.
Enforces access-control decisions that would have blocked the improper access path exploited by the CWE-284 flaw in JAX-WS.
Limits privileges of the Java process so that even successful exploitation of the remote JAX-WS vector cannot achieve full CIA impact.