VulDB: Oracle Java SE/JRE AtomicReferenceArray Sandbox buffer overflow
General
scipID: 5000
Affected: Oracle Java SE/JRE
Published: 02/14/2012
Risk: 
very critical
Entry: 100% complete
Created: 04/03/2012
Updated: 09/03/2012
Summary
A vulnerability, which was classified as very critical, has been found in Oracle Java SE and JRE. Affected by this issue is an unknown function of the component AtomicReferenceArray Sandbox. The manipulation with an unknown input leads to a buffer overflow vulnerability. Impacted is confidentiality, integrity, and availability.
The weakness was published 02/14/2012. The advisory is shared for download at blogs.technet.com. This vulnerability is handled as CVE-2012-0507 since 01/11/2012. The attack may be launched remotely. The successful exploitation requires a single authentication. Technical details are unknown but a public exploit is available. This vulnerability has a historic impact due to its background and reception.
An exploit has been developed in Java and been published 2 months after the advisory. It is declared as stable. A worm is spreading, which is automatically exploiting this vulnerability. The vulnerability scanner Nessus provides a plugin with the ID 58130 (USN-1373-1 : openjdk-6 vulnerabilities), which helps to determine the existence of the flaw in a target environment.
The best possible mitigation is suggested to be patching the affected component. A possible mitigation has been published immediately after the disclosure of the vulnerability. The vulnerability is also documented in the databases at OSVDB (80724), Secunia (SA48692), SecurityFocus (BID 52161), SecurityTracker (ID 1026724) and X-Force (72513). news.drweb.com is providing further details.CVSS
Base Score: 8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C) [?]
| Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Local | High | Multiple | None | None | None |
| Adjacent | Medium | Single | Partial | Partial | Partial |
| Network | Low | None | Complete | Complete | Complete |
Exploiting
Class: Buffer overflow
Local: No
Remote: Yes
Availability: Yes
Access: Public
Status: Stable
Wormified: Yes
Reliability: 98%
Programming Language: Java
Nessus ID: 58130
Nessus Name: USN-1373-1 : openjdk-6 vulnerabilities
Nessus Risk: –
Exploit-DB: 18679
Countermeasures
Recommended: Patch
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 43 days since known
Timeline
01/11/2012 | CVE assigned
02/14/2012 | Advisory disclosed
02/14/2012 | Countermeasure disclosed
03/28/2012 | Exploit disclosed
03/31/2012 | OSVDB entry created
04/03/2012 | VulDB entry created
09/03/2012 | VulDB entry updated
Sources
Advisory: blogs.technet.com
OSVDB: 80724
CVE: CVE-2012-0507 (mitre.org) (nist.org) (cvedetails.com)
Secunia: 48692
SecurityFocus: 52161
SecurityTracker: 1026724
X-Force: 72513
Misc.: news.drweb.com
