Cyber Resilience

CVE-2013-0422

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 10 January 2013

Modified: 21 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9361 (99.8th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-0422 is a critical-severity Improper Access Control (CWE-284) vulnerability in Oracle JDK. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Multiple vulnerabilities in Oracle Java 7 before Update 11 affect the JMX MBeanServer and the Reflection API. The first issue allows code to call the public getMBeanInstantiator method of JmxMBeanServer to obtain a reference to a private MBeanInstantiator object and then invoke its findClass method to retrieve arbitrary Class references. The second issue permits recursive use of the Reflection API to bypass a security manager check inside java.lang.invoke.MethodHandles.Lookup.checkSecurityManager because sun.reflect.Reflection.getCallerClass does not skip frames belonging to the new reflection implementation.

Remote attackers can deliver malicious Java content through web pages or documents to exploit either vector and execute arbitrary code with the privileges of the Java process. Both issues were observed being exploited in the wild in January 2013 by the Blackhole and Nuclear Pack exploit kits.

Public advisories and vendor updates, including IcedTea releases 2.1.4/2.2.4/2.3.4, recommend upgrading to Java 7 Update 11 or later; however, at least one analysis indicated that the findClass/MBeanInstantiator path may have remained exploitable after that update. The vulnerabilities were actively used in crimeware campaigns shortly after disclosure and were distinct from the earlier issues tracked as CVE-2012-4681 and CVE-2012-3174.

EU & UK References

Vulnerability details

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Version
oracle / jdk / 1.7.0
oracle / jre / 1.7.0
canonical / ubuntu linux / 12.10
opensuse / opensuse / 12.2

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly requires timely installation of vendor patches (Java 7u11+) that close the JMX findClass and Reflection API bypasses before remote exploitation can succeed.

prevent (SC-18, Mobile Code): Mandates control of mobile code such as Java applets and their execution environment, blocking the web-delivery vector used by Blackhole/Nuclear to invoke the vulnerable Reflection and MBeanInstantiator paths.

prevent: Enforces least functionality by disabling or removing the Java browser plugin or runtime when not required, eliminating the attack surface exploited by this CVE.

References