Java JAX-WS statistics.impl package sandbox breach

Added: 02/07/2013
CVE: CVE-2012-5076
BID: 56054
OSVDB: 86350

Background

Java API for XML Web Services (JAX-WS) is a technology for developing web services in Java. It is included in the Java EE 5 platform.

Problem

A vulnerability in JAX-WS when handling the com.sun.org.glassfish.external.statistics.impl package allows code execution outside the sandbox, allowing arbitrary code execution when a user loads a malicious applet.

Resolution

Upgrade to JDK or JRE 7 Update 8 or higher.

References

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

Limitations

Exploit works on Oracle JRE 7 Update 7 on Windows XP SP3 (DEP OptIn), Windows 7 SP1 (DEP OptIn), and Ubuntu 12.04.1 LTS, and requires a user to open the exploit page in a web browser.

Platforms

Windows
Linux

Back to exploit index