CVE-2013-0422
Summary
| CVE | CVE-2013-0422 |
|---|---|
| State | PUBLISHED |
| Assigner | oracle |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2013-01-10 21:55:00 UTC |
| Updated | 2026-04-21 19:02:35 UTC |
| Description | Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.936140000 probability, percentile 0.998390000 (date 2026-04-23)
CISA KEV: Listed on 2022-05-25; due 2022-06-15; ransomware use Unknown
Problem Types: NVD-CWE-Other | CWE-284 Improper Access Control | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | NVD | Primary | 10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Complete |
| Integrity | Complete |
| Availability | Complete |
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
CISA Known Exploited Vulnerability
| Vendor | Oracle |
|---|---|
| Product | Java Runtime Environment (JRE) |
| Name | Oracle JRE Remote Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2013-0422 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 12.10 | All | All | All |
| Operating System | Opensuse | Opensuse | 12.2 | All | All | All |
| Application | Oracle | Jdk | 1.7.0 | - | All | All |
| Application | Oracle | Jdk | 1.7.0 | update1 | All | All |
| Application | Oracle | Jdk | 1.7.0 | update10 | All | All |
| Application | Oracle | Jdk | 1.7.0 | update2 | All | All |
| Application | Oracle | Jdk | 1.7.0 | update3 | All | All |
| Application | Oracle | Jdk | 1.7.0 | update4 | All | All |
| Application | Oracle | Jdk | 1.7.0 | update5 | All | All |
| Application | Oracle | Jdk | 1.7.0 | update6 | All | All |
| Application | Oracle | Jdk | 1.7.0 | update7 | All | All |
| Application | Oracle | Jdk | 1.7.0 | update9 | All | All |
| Application | Oracle | Jre | 1.7.0 | - | All | All |
| Application | Oracle | Jre | 1.7.0 | update1 | All | All |
| Application | Oracle | Jre | 1.7.0 | update10 | All | All |
| Application | Oracle | Jre | 1.7.0 | update2 | All | All |
| Application | Oracle | Jre | 1.7.0 | update3 | All | All |
| Application | Oracle | Jre | 1.7.0 | update4 | All | All |
| Application | Oracle | Jre | 1.7.0 | update5 | All | All |
| Application | Oracle | Jre | 1.7.0 | update6 | All | All |
| Application | Oracle | Jre | 1.7.0 | update7 | All | All |
| Application | Oracle | Jre | 1.7.0 | update9 | All | All |
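The description and the CPE list above pin the affected range to Java 7 (1.7.0) before Update 11, with Java 6 explicitly out of scope after the reporter's retraction. The following is an added example, not code from the CVE record, Oracle, or any of the referenced advisories: it parses the legacy `1.x.y_NN` version string as printed by `java -version` and as sent in the JRE's default `Java/<version>` HTTP User-Agent, classifies it against that range, and runs the same check over proxy log lines to find hosts whose runtime fetched content while still vulnerable. The log layout and the sample lines are constructed for the example; the 7u11 caveat noted in the description (the findClass vector reportedly not fixed) is deliberately not modelled, so 7u11 and later are treated as patched exactly as the CPE list does.

```python
"""Version triage and proxy-log detection for CVE-2013-0422 (Java 7 < Update 11)."""
import re
import subprocess
from typing import List, NamedTuple, Optional, Tuple

# Matches the legacy 1.x.y[_NN] form used by Java 6/7, as printed by
# `java -version` ("1.7.0_10") and as sent in the JRE's default HTTP
# User-Agent header ("Java/1.7.0_10").
_JAVA_VERSION_RE = re.compile(r"\b1\.(?P<major>\d)\.(?P<minor>\d+)(?:_(?P<update>\d+))?")


class JavaVersion(NamedTuple):
    major: int   # 6 for Java 6, 7 for Java 7
    minor: int
    update: int  # 0 when there is no "_NN" suffix (the initial GA build)


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Return the first 1.x.y[_NN] version found in text, or None."""
    m = _JAVA_VERSION_RE.search(text)
    if not m:
        return None
    return JavaVersion(int(m.group("major")), int(m.group("minor")),
                       int(m.group("update") or 0))


def is_affected_cve_2013_0422(v: JavaVersion) -> bool:
    """True inside the NVD-listed affected range: Java 7 (1.7.0) before Update 11.

    Java 6 is out of range (the original Java 6 claim was retracted). 7u11 is
    treated as fixed to match the CPE list; the record's note that a third
    party reported the findClass/MBeanInstantiator vector as unfixed in 7u11
    is not modelled here and should be tracked separately.
    """
    return v.major == 7 and v.update < 11


# Assumed (hypothetical) proxy log layout for this example:
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic.
SAMPLE_PROXY_LOG = [
    '2013-01-10T14:02:11Z 10.0.0.5 GET http://applet.example/loader.jar 200 "Java/1.7.0_10"',
    '2013-01-10T14:02:12Z 10.0.0.6 GET http://applet.example/loader.jar 200 "Java/1.7.0_11"',
    '2013-01-10T14:02:13Z 10.0.0.7 GET http://applet.example/loader.jar 200 "Java/1.6.0_38"',
    '2013-01-10T14:02:14Z 10.0.0.8 GET http://applet.example/loader.jar 200 "Java/1.7.0"',
    '2013-01-10T14:02:15Z 10.0.0.9 GET http://www.example/ 200 "Mozilla/5.0 (Windows NT 6.1)"',
    "garbage line that does not parse",
]


def find_vulnerable_java_clients(lines: List[str]) -> List[Tuple[str, str, JavaVersion]]:
    """Return (client, url, version) for every request made by an affected JRE.

    Only the runtime's own "Java/<version>" User-Agent is considered, so this
    flags applet/JNLP fetches performed by the JRE itself, not browser page loads.
    """
    hits: List[Tuple[str, str, JavaVersion]] = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m or not m.group("ua").startswith("Java/"):
            continue
        v = parse_java_version(m.group("ua"))
        if v is not None and is_affected_cve_2013_0422(v):
            hits.append((m.group("client"), m.group("url"), v))
    return hits


def local_java_status() -> str:
    """Classify the JRE on PATH by parsing `java -version` (which prints to stderr)."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return "java not found"
    v = parse_java_version(out.stderr + out.stdout)
    if v is None:
        return "unrecognised version string"
    return "AFFECTED by CVE-2013-0422" if is_affected_cve_2013_0422(v) else "not in affected range"


if __name__ == "__main__":
    print("local JRE:", local_java_status())
    for client, url, v in find_vulnerable_java_clients(SAMPLE_PROXY_LOG):
        print(f"{client} fetched {url} with Java 1.{v.major}.{v.minor}_{v.update}")
```

Against the constructed log the scan reports 10.0.0.5 (7u10) and 10.0.0.8 (7u0, no update suffix) and ignores the 7u11, Java 6 and browser lines. Because the affected-range logic is a single predicate, the 7u11 caveat can be added later as a second predicate without touching the parsers.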
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| USN-1693-1: OpenJDK 7 vulnerabilities - Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | Third Party Advisory |
| Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code | af854a3a-2127-422b-91ae-364da2661108 | www.kb.cert.org | Third Party Advisory, US Government Resource |
| Support/Advisories/MGASA-2013-0018 - Mageia wiki | af854a3a-2127-422b-91ae-364da2661108 | wiki.mageia.org | Third Party Advisory |
| Support / Security / Advisories / MDVSA-2013:095 - Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | Not Applicable |
| GNU/Andrew’s Blog » [SECURITY] IcedTea 2.1.4, 2.2.4 & 2.3.4 Released! | af854a3a-2127-422b-91ae-364da2661108 | blog.fuseyism.com | Broken Link |
| Threatpost - The first stop for security news | af854a3a-2127-422b-91ae-364da2661108 | threatpost.com | Not Applicable |
| Immunity Products: Confirmed: Java only fixed one of the two bugs. | af854a3a-2127-422b-91ae-364da2661108 | immunityproducts.blogspot.ca | Third Party Advisory |
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| Oracle Security Alert CVE-2013-0422 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Vendor Advisory |
| IBM Product Security Incident Response Team | af854a3a-2127-422b-91ae-364da2661108 | www-304.ibm.com | Not Applicable |
| Oracle Java 7 Security Manager Bypass Vulnerability - US-CERT | af854a3a-2127-422b-91ae-364da2661108 | www.us-cert.gov | Third Party Advisory, US Government Resource |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | Third Party Advisory |
| Zero-Day Java Exploit Debuts in Crimeware — Krebs on Security | af854a3a-2127-422b-91ae-364da2661108 | krebsonsecurity.com | Third Party Advisory |
| [security-announce] openSUSE-SU-2013:0199-1: critical: java-1_7_0-openjd | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| Bugtraq: [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | Mailing List, Third Party Advisory |
| New year, new Java zeroday! - AlienVault | af854a3a-2127-422b-91ae-364da2661108 | labs.alienvault.com | Broken Link, Third Party Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | Third Party Advisory |
| Malware don't need Coffee: 0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW ! | af854a3a-2127-422b-91ae-364da2661108 | malware.dontneedcoffee.com | Third Party Advisory |
| FireEye Blog - Threat Research, Analysis, and Mitigation | af854a3a-2127-422b-91ae-364da2661108 | blog.fireeye.com | Not Applicable |
| partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf | af854a3a-2127-422b-91ae-364da2661108 | partners.immunityinc.com | Broken Link |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2022-05-25T00:00:00.000Z | CVE-2013-0422 added to CISA KEV |
There are currently no legacy QID mappings associated with this CVE.