CVE-2012-5076 : Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.

Published 2012-10-16 21:55:02

Updated 2017-09-19 01:35:25

Source Oracle

View at NVD, CVE.org

Threat overview for CVE-2012-5076

Top countries where our scanners detected CVE-2012-5076

Top open port discovered on systems with this issue 80

IPs affected by CVE-2012-5076 78

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2012-5076!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

CVE-2012-5076 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Oracle Java SE Sandbox Bypass Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

The default Java security properties configuration did not restrict access to the com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

Added on 2022-03-28 Action due date 2022-04-18

Exploit prediction scoring system (EPSS) score for CVE-2012-5076

Probability of exploitation activity in the next 30 days: 97.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2012-5076

Java Applet JAX-WS Remote Code Execution

Disclosure Date: 2012-10-16

First seen: 2020-04-26

exploit/multi/browser/java_jre17_jaxws

This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier. Authors: - Unknown - juan vazquez <juan.vazquez@metas

More information
Java Applet AverageRangeStatisticImpl Remote Code Execution

Disclosure Date: 2012-10-16

First seen: 2020-04-26

exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl

This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

More information

CVSS scores for CVE-2012-5076

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

References for CVE-2012-5076

http://rhn.redhat.com/errata/RHSA-2012-1391.html

RHSA-2012:1391 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16641

Repository / Oval Repository
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html

[security-announce] SUSE-SU-2012:1398-1: important: Security update for

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

Oracle Java Critical Patch Update - October 2012
Patch;Vendor Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2012-1386.html

RHSA-2012:1386 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2012-1467.html

RHSA-2012:1467 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://security.gentoo.org/glsa/glsa-201406-32.xml

IcedTea JDK: Multiple vulnerabilities (GLSA 201406-32) — Gentoo security

CVEs referencing this url

Products affected by CVE-2012-5076

Oracle » JDK » Update Update7
Versions up to, including, (<=) 1.7.0
cpe:2.3:a:oracle:jdk:*:update7:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0 Update Update1
cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0 Update Update2
cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0 Update Update5
cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0 Update Update6
cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0 Update Update3
cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0 Update Update4
cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
Matching versions
Oracle » JRE » Update Update7
Versions up to, including, (<=) 1.7.0
cpe:2.3:a:oracle:jre:*:update7:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0
cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0 Update Update1
cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0 Update Update4
cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0 Update Update5
cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0 Update Update2
cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0 Update Update3
cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0 Update Update6
cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2012-5076