CVE-2012-4681

Priority
Description
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in
Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute
arbitrary code via a crafted applet that bypasses SecurityManager
restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and
leveraging an exception with the forName method to access restricted
classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using
"reflection with a trusted immediate caller" to leverage the getField
method to access and modify private fields, as exploited in the wild in
August 2012 using Gondzz.class and Gondvv.class.
Notes
mdeslaur> in lucid+, NetX and the plugin moved to the icedtea-web package
tyhicks> Per oss-security thread, OpenJDK <= 7u4-b31 is also affected
sbeattie> verified that the openjdk vulnerability test does not work on openjdk-6 in precise
Package
Upstream: needs-triage
Package
Upstream: needs-triage
Package
Upstream: needs-triage
Package
Upstream: needs-triage
Package
Upstream: needs-triage
Package
Upstream: needs-triage
More Information

Updated: 2020-03-18 22:10:23 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)