Emergency Fix

CVE-2013-2465

Remote Code Execution in Oracle Java SE

Summary

Oracle Java SE's JRE 2D graphics and image-processing code contains an unspecified memory-corruption flaw affecting Java applets and Java Web Start applications. A remote attacker can lure a victim into loading a malicious Java applet or JAR, trigger the vulnerable 2D path, and escape the Java sandbox. Successful exploitation can lead to arbitrary code execution on the host, and the issue was widely exploited in the wild.

Why Emergency Fix?

6/6

No authentication required

Mixed internet / internal deployment

No user interaction needed

Exploitable in default configuration

Active exploitation in the wild

High impact vulnerability

Exploitation Details

Type

RCE (Remote Code Execution)

Is exploitable with default configuration?

Yes

Is authentication needed?

PoC / Exploit

Yes

cocalc.com

Impact

Execute arbitrary code on the victim host.

RCE (Remote Code Execution)

Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker hosts a malicious webpage or compromised landing page that fingerprints the victim's Java version and delivers a crafted Java applet or Web Start payload. The payload feeds specially crafted image data into the vulnerable 2D processing path, causing memory corruption and sandbox escape. After the sandbox is bypassed, the embedded payload can download and run additional code on the victim machine.

Detection Resources

Manual Detection

Script Detection

Scanner Detection

Tenable Nessus

Affected Software

Vendor:Oracle

Product	Affected Versions
Java SE	7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier
OpenJDK 7	all versions

Description

Oracle Java SE is the Java platform and runtime used to run Java applications, applets, and Java Web Start applications.

Deployment:Mixed (internet/internal)

Protocol:HTTP/HTTPS

Ports:80, 443

Affected ComponentJava Runtime Environment 2D image handling and graphics processing code used by sandboxed applets and Java Web Start applications.

Java Runtime Environment 2D image handling and graphics processing code used by sandboxed applets and Java Web Start applications.

Enterprise Usage

Very Low

Low

Medium

High

Very High

Vendor Size:Big

Vendor Notifications

https://www.oracle.com/security-alerts/javacpujun2013.html https://www.oracle.com/security-alerts/javacpujun2013verbose.html

Remediation

Workaround

Disable Java in web browsers if it is not required, and keep the browser plug-in disabled on endpoints that do not need applets or Web Start applications.

www.sei.cmu.edu

Patch

Not available

Update

Upgrade to Java SE JDK/JRE 7u25 or later, 6u51 or later, or 5.0u51 or later; these baselines include the fix.

www.oracle.com

Threat Intelligence

EPSS Score93.2%

Probability of exploitation in the next 30 days

EPSS Percentile100%

Worse than 100% of all CVEs

Last updated: Loading...

CISA KEV

Listed

Active Exploitation

Active

mandiant.com

Threat Actors

No known threat actors

Detection Rules1

Other

Alert on a browser session that loads Java plugin-detection code and then downloads a JAR disguised as an image file, especially when java.exe/javaw.exe spawns a child process afterward.

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.

CVSS Base Score

9.8

Critical

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV)

Physical

Local

Adjacent

Network

Attack Complexity (AC)

High

Low

Privileges Required (PR)

High

Low

None

User Interaction (UI)

Required

None

Scope (S)

Unchanged

Changed

Confidentiality (C)

None

Low

High

Integrity (I)

None

Low

High

Availability (A)

None

Low

High

CWE:CWE-693 Protection Mechanism Failure

NVD:CVE-2013-2465

Version From:—

Version Upto:—

Affected Software (CPE) (104)

•cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update21:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:-:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update23:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update24:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update25:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update26:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update27:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update29:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update30:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update31:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update32:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update33:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update34:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update35:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update37:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update38:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update39:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update41:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update43:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.6.0:update45:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_17:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_18:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_19:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_20:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_21:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.5.0:-:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.5.0:update36:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.5.0:update38:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.5.0:update39:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.5.0:update40:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.5.0:update41:*:*:*:*:*:*
•cpe:2.3:a:oracle:jre:1.5.0:update45:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update1:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update10:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update11:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update12:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update13:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update14:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update15:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update16:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update17:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update18:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update19:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update2:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update20:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update21:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update22:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update23:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update24:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update25:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update26:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update27:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update28:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update29:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update3:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update31:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update33:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update4:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update5:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update6:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update7:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update8:*:*:*:*:*:*
•cpe:2.3:a:sun:jre:1.5.0:update9:*:*:*:*:*:*
•cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:*:*:-:*:*:*
•cpe:2.3:o:suse:linux_enterprise_java:10:sp4:*:*:*:*:*:*
•cpe:2.3:o:suse:linux_enterprise_java:11:sp2:*:*:*:*:*:*
•cpe:2.3:o:suse:linux_enterprise_java:11:sp3:*:*:*:*:*:*
•cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:ltss:*:*:*
•cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:-:*:*:*
•cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:-:*:*
•cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:vmware:*:*
•cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:-:*:*
•cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*
•cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp2:*:*:*:*:*:*
•cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:*

Sources

Source	Article
www.oracle.com	Oracle Java SE Critical Patch Update Advisory - June 2013
www.oracle.com	Java SE Critical Patch Update - June 2013 Risk Matrices
nvd.nist.gov	CVE-2013-2465 Detail
www.mandiant.com	Brewing Up Trouble: Analyzing Four Widely Exploited Java Vulnerabilities
www.tenable.com	CVE-2013-2465
www.zscaler.com	Exploring The Java Vulnerability (CVE-2013-2465) Used In The Fiesta EK
cocalc.com	Metasploit Exploit.java for CVE-2013-2465

Priority History

Emergency FixLoading...

Initial analysis