CVE-2013-2465
Published: 18 June 2013
Summary
CVE-2013-2465 is a critical-severity Protection Mechanism Failure (CWE-693) vulnerability in the Java Runtime Environment of Oracle Java SE (listed under the legacy product name Sun JRE). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an unspecified flaw in the Java Runtime Environment (JRE) component of Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, as well as OpenJDK 7. It lies in the 2D subsystem and is tracked under CWE-693 (Protection Mechanism Failure); the CVSS 3.1 score of 9.8 reflects a network-reachable flaw with high impact to confidentiality, integrity, and availability. One external claim attributes the root cause to incorrect image channel verification in 2D that lets untrusted code bypass the Java sandbox; Oracle has not confirmed those details.
Remote attackers can exploit the issue through unspecified vectors related to 2D processing, and the CVSS vector records no authentication or user interaction. In practice, a Java sandbox bypass of this kind is delivered as untrusted mobile code (a Java applet or Java Web Start application loaded from a web page), which is why disabling or tightly restricting browser Java is listed alongside patching as a mitigation. Successful exploitation escapes the Java security sandbox and gives the attacker control of the JRE process, with full impact on the confidentiality, integrity, and availability of the affected system.
Vendor advisories from Mageia, HP, and openSUSE, along with an OpenJDK commit, direct administrators to apply the Java updates that fix the 2D code path. For the Linux distributions these fixes ship through the standard package update channels; Oracle Java SE installations are fixed by the June 2013 Critical Patch Update releases.
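The two checks a practitioner wants after reading the above are whether an installed JRE falls inside the affected range and whether browser Java has been switched off. The script below is an added example written for this page (not code from Oracle, the distribution advisories, or the OpenJDK commit): it parses `java -version` output against the version thresholds stated above, and reads a Java `deployment.properties` file for the `deployment.webjava.enabled=false` setting that implements the mobile-code control discussed under Mitigating Controls. The sample `java -version` text and properties file are constructed; the `deployment.webjava.enabled` key is honoured only by Java 7 Update 10 and later, so on older runtimes patching is the only remedy.

```python
"""Triage helpers for CVE-2013-2465 (added example; sample inputs are constructed)."""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Highest affected update per Java family, from the June 2013 CPU text:
# Java SE 7u21 and earlier, 6u45 and earlier, 5.0u45 and earlier.
LAST_AFFECTED_UPDATE = {5: 45, 6: 45, 7: 21}

# First line of `java -version` in the Java 5-8 numbering scheme, e.g.
#   java version "1.7.0_21"      (Oracle and OpenJDK 7 both print this form)
# A release without an update suffix, e.g. "1.7.0", is treated as update 0.
_VERSION_RE = re.compile(r'version "1\.(\d)\.0(?:_(\d+))?')


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from `java -version` output, or None if unrecognised."""
    m = _VERSION_RE.search(version_output)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(version_output: str) -> Optional[bool]:
    """True if the reported JRE falls inside the affected range for CVE-2013-2465.

    Returns False for families the advisory does not list (e.g. Java 8, which
    first shipped after the fix) and None when the output cannot be parsed.
    """
    parsed = parse_java_version(version_output)
    if parsed is None:
        return None
    family, update = parsed
    if family not in LAST_AFFECTED_UPDATE:
        return False
    return update <= LAST_AFFECTED_UPDATE[family]


def parse_deployment_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for a Java deployment.properties file.

    Comment lines start with '#' or '!'; bare keys such as
    'deployment.webjava.enabled.locked' carry no value and are skipped.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def web_java_disabled(deployment_properties: str) -> bool:
    """SC-18 check: is browser Java switched off in deployment.properties?

    Java 7 Update 10 and later honour deployment.webjava.enabled. A missing
    key means the default (enabled), so older runtimes are reported as exposed.
    """
    props = parse_deployment_properties(deployment_properties)
    return props.get("deployment.webjava.enabled", "true").lower() == "false"


def local_java_version_output() -> str:
    """Run `java -version` on this host; it prints to stderr, so capture both streams."""
    try:
        result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""  # no java binary on PATH
    return result.stderr + result.stdout


# Constructed sample inputs for an offline run (not captured from a real host).
SAMPLE_JAVA_VERSION = (
    'java version "1.7.0_21"\n'
    "Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n"
    "Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)\n"
)
SAMPLE_DEPLOYMENT_PROPERTIES = (
    "# deployment.properties, constructed example\n"
    "deployment.security.level=VERY_HIGH\n"
    "deployment.webjava.enabled=false\n"
    "deployment.webjava.enabled.locked\n"
)

if __name__ == "__main__":
    print("affected JRE:", is_affected(SAMPLE_JAVA_VERSION))  # True
    print("browser Java disabled:", web_java_disabled(SAMPLE_DEPLOYMENT_PROPERTIES))  # True
```

To triage a real host, pass `local_java_version_output()` to `is_affected` and the contents of the system or per-user `deployment.properties` to `web_java_disabled`; a `None` from `is_affected` means the version string did not match the pre-Java 9 numbering and should be inspected by hand.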
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-2411
Vulnerability details
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.
- CWE(s): CWE-693 (Protection Mechanism Failure)
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Oracle Java SE 7 Update 21 and earlier
- Oracle Java SE 6 Update 45 and earlier
- Oracle Java SE 5.0 Update 45 and earlier
- OpenJDK 7
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely application of the vendor patches that close the 2D image-channel verification flaw and restore Java sandbox integrity.
- SC-18 (Mobile Code): governs the use of mobile code such as Java applets and Java Web Start applications, so browser Java can be disabled or strictly sandboxed, cutting off the delivery path for this sandbox-bypass vulnerability.
- CM-7 (Least Functionality): prohibits or restricts the installation and execution of vulnerable Java runtimes on endpoints that have no business need for them.