CVE-2010-0840

Summary

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."

Severity
High
Severity Score

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-ID

NVD-CWE-noinfo

Vulnerability ID
CVE-2010-0840
Severity
High
Severity Score
7.5
Summary
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."
References
http://www.redhat.com/support/errata/RHSA-2010-0337.html http://www.redhat.com/support/errata/RHSA-2010-0338.html http://www.redhat.com/support/errata/RHSA-2010-0339.html http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html http://secunia.com/advisories/39317 http://www.zerodayinitiative.com/advisories/ZDI-10-056 http://ubuntu.com/usn/usn-923-1 http://secunia.com/advisories/39292 http://www.mandriva.com/security/advisories?name=MDVSA-2010:084 http://www.redhat.com/support/errata/RHSA-2010-0383.html http://secunia.com/advisories/39659 http://www.vupen.com/english/advisories/2010/1107 http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html http://support.apple.com/kb/HT4170 http://lists.apple.com/archives/security-announce/2010//May/msg00001.html http://lists.apple.com/archives/security-announce/2010//May/msg00002.html http://support.apple.com/kb/HT4171 http://secunia.com/advisories/39819 http://www.vupen.com/english/advisories/2010/1191 http://www.securityfocus.com/bid/39065 http://www.redhat.com/support/errata/RHSA-2010-0471.html http://www.vupen.com/english/advisories/2010/1454 http://secunia.com/advisories/40211 http://www.redhat.com/support/errata/RHSA-2010-0489.html http://www.vupen.com/english/advisories/2010/1523 http://secunia.com/advisories/40545 http://www.vupen.com/english/advisories/2010/1793 http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751 http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html http://secunia.com/advisories/43308 http://www.vmware.com/security/advisories/VMSA-2011-0003.html http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html http://marc.info/?l=bugtraq&m=134254866602253&w=2 http://marc.info/?l=bugtraq&m=127557596201693&w=2 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9974 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13971 http://www.securityfocus.com/archive/1/516397/100/0/threaded http://www.securityfocus.com/archive/1/510528/100/0/threaded
Mitigation and Patches
Exploits
https://www.exploit-db.com/exploits/16297 https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_trusted_chain.rb https://www.cisa.gov/known-exploited-vulnerabilities-catalog https://www.bitdefender.com/blog/hotforsecurity/7-most-used-exploits-in-the-wild-according-to-bitdefender
Metasploit Payload
http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-trusted-method-chaining-cve-2010.html https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_trusted_chain.rb
Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE ID
NVD-CWE-noinfo

See SecOps Solution
in action

Schedule Demo
Agentless security for your infrastructure and applications - to build faster, more securely and in a fraction of the operational cost of other solutions
hello@secopsolution.com
+569-231-213
Compare
Qualys Cloud AgentTenable NessusRapid7 InsightVM
Company
About UsContactCareer
Resources
CVEWindows KBCase StudieseBooksPolicy TemplatesBlogWebinar
Try It
Patch AstraEPSS CalculatorContactFree ScanSchedule DemoLog In
© 2024  SecOps Solution, Inc.| Privacy Policy | Terms and Conditions .
Social Media :