Mallory
Severity: Low · CISA KEV · Exploited in the wild · Public exploit

Oracle Java HotSpot sandbox bypass / integrity vulnerability

Identifiers: CVE-2013-2423 · CWE-284 (Improper Access Control)

CVE-2013-2423 is an unspecified vulnerability in the HotSpot component of the Oracle Java Runtime Environment, affecting Oracle Java SE 7 Update 17 and earlier and OpenJDK 7. Oracle’s public advisory described it only as allowing remote attackers to affect integrity via unknown vectors related to HotSpot. Unconfirmed researcher reports claim that exploitation involved bypassing permission checks through the MethodHandles method and using reflection and type confusion to modify arbitrary public final fields, including integer and double fields, in order to disable the Java Security Manager. The vulnerability was exploited through malicious Java content delivered via exploit kits, including applet/JNLP-based delivery, and observed campaigns also associated it with bypassing the Java warning or security prompt using the __applet_ssv_validated=true parameter.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to compromise the integrity of the Java security model and escape the intended sandbox restrictions. According to the researcher reports cited above, this can permit bypassing permission checks, modifying otherwise protected public final fields, and disabling the Security Manager. In real-world exploitation, the flaw was used by exploit kits and targeted campaigns to run malicious Java code with elevated permissions and deliver malware such as 9002 RAT and other secondary payloads. The practical impact is arbitrary malicious code execution in the context of the user running the vulnerable JRE, leading to host compromise, malware installation, and follow-on command-and-control activity.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable or remove the Java browser plugin and prevent execution of untrusted applets/JNLP content. Restrict Java to applications that strictly require it, block or filter delivery of Java applets and JNLP files at web and email gateways, and use browser controls to prevent automatic plugin execution. Enterprise defenders should also monitor for exploit-kit-style Java delivery, suspicious JAR/JNLP launches, and post-exploitation malware retrieval associated with this CVE. Given the age and exploitation history of this flaw, the strongest mitigation is complete removal of legacy browser-integrated Java where feasible.

Remediation

Patch, then assume compromise.

Apply Oracle’s security updates that address CVE-2013-2423, specifically upgrading from Java SE 7 Update 17 and earlier to a fixed release per Oracle guidance. OpenJDK 7 deployments should likewise be updated to a patched build. Because the vulnerability was actively integrated into exploit kits, remediation should prioritize removal of vulnerable Java runtimes from endpoints and browsers, verification that outdated JRE/JDK versions are no longer installed, and confirmation that browser-exposed Java components are updated or removed.
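An added inventory check, not Mallory’s own tooling, that applies the affected range stated above to `java -version` banners collected from endpoints. The sample banners and host names are constructed; OpenJDK 7 is flagged for manual verification because a vendor-patched build carries no distinguishing version number.

```python
import re

# Affected per the advisory above: Oracle Java SE 7 Update 17 and earlier, plus
# OpenJDK 7 (whose patched builds cannot be told apart by version string alone).
LAST_VULNERABLE_UPDATE = 17

# Constructed sample `java -version` banners, not real inventory data.
SAMPLE_BANNERS = {
    "ws-01": 'java version "1.7.0_17"\n'
             'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)\n'
             'Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)',
    "ws-02": 'java version "1.7.0_25"\n'
             'OpenJDK Runtime Environment (IcedTea 2.3.10)\n'
             'OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)',
    "ws-03": 'java version "1.8.0_45"\n'
             'Java(TM) SE Runtime Environment (build 1.8.0_45-b14)',
    "ws-04": 'openjdk version "11.0.2" 2019-01-15\n'
             'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)',
}

_VERSION_LINE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.M)

def parse_java_version(banner):
    """(major, update): legacy '1.7.0_17' -> (7, 17); new-style '11.0.2' -> (11, 0)."""
    m = _VERSION_LINE.search(banner)
    if not m:
        raise ValueError("no version line found in banner")
    ver = m.group(1)
    legacy = re.match(r"^1\.(\d+)\.\d+(?:_(\d+))?", ver)   # 1.x.y_NN form (Java <= 8)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    modern = re.match(r"^(\d+)", ver)                     # 9+ form: major first
    if modern:
        return int(modern.group(1)), 0
    raise ValueError("unrecognised version string: " + ver)

def assess_cve_2013_2423(banner):
    """Classify one banner against the affected range stated on this page."""
    major, update = parse_java_version(banner)
    if major != 7:
        return "not_in_scope"          # only Java 7 / OpenJDK 7 are listed
    if "OpenJDK" in banner:
        return "openjdk7_verify_patched_build"
    if update <= LAST_VULNERABLE_UPDATE:
        return "vulnerable"
    return "above_7u17_confirm_fixed_release"

def triage(banners):
    # Host -> status; anything other than not_in_scope needs follow-up.
    return {host: assess_cve_2013_2423(b) for host, b in banners.items()}
```

Feed it the banner text gathered by your endpoint agent per host; a Java 7 build that is not in scope by this check still needs the browser plugin removed per the mitigation section.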

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor      Product        Type
Canonical   Ubuntu Linux   application
Opensuse    Opensuse       operating_system
Oracle      Jre            application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

This page is what’s public. Mallory additionally provides:

- Exposure mapping: which of your assets run an affected version, and the blast radius.
- Threat actor evidence (1): every observed campaign linking this CVE to a named adversary.
- Associated malware (2): malware families riding this exploit, with evidence and IOCs.
- Detection signatures (1): YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Vendor-by-vendor mapping: cross-references every affected SKU, including bundled OEM variants.
- Social activity: community discussion across Reddit, Mastodon, and other social sources.