Vulnerability Details : CVE-2013-2426
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect invocation of the defaultReadObject method in the ConcurrentHashMap class, which allows remote attackers to bypass the Java sandbox.
Products affected by CVE-2013-2426
- cpe:2.3:a:oracle:jdk:*:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:*:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
Threat overview for CVE-2013-2426
Top countries where our scanners detected CVE-2013-2426
Top open port discovered on systems with this issue
80
IPs affected by CVE-2013-2426 78
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2013-2426!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2013-2426
93.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-2426
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
References for CVE-2013-2426
-
http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html
openSUSE-SU-2013:0964-1: moderate: update for java-1_7_0-openjdk
-
http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html
[security-announce] SUSE-SU-2013:0814-1: important: Security update for
-
http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html
openSUSE-SU-2013:0777-1: moderate: java-1_6_0-openjdk to Icedtea6-1.12.5
-
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
Support/Advisories/MGASA-2013-0124 - Mageia wiki
-
http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16683
Repository / Oval Repository
-
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/98ad2f1e25d1
jdk7u/jdk7u-dev/jdk: 98ad2f1e25d1
-
http://www.us-cert.gov/ncas/alerts/TA13-107A
Oracle Has Released Multiple Updates for Java SE | CISAUS Government Resource
-
http://www.mandriva.com/security/advisories?name=MDVSA-2013:145
mandriva.com
-
http://www.ubuntu.com/usn/USN-1806-1
USN-1806-1: OpenJDK 7 vulnerabilities | Ubuntu security notices
-
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
Support/Advisories/MGASA-2013-0130 - Mageia wiki
-
http://rhn.redhat.com/errata/RHSA-2013-0757.html
RHSA-2013:0757 - Security Advisory - Red Hat Customer Portal
-
http://www.mandriva.com/security/advisories?name=MDVSA-2013:161
mandriva.com
-
https://bugzilla.redhat.com/show_bug.cgi?id=952653
952653 – (CVE-2013-2426) CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063)
-
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
-
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Oracle Java SE Critical Patch Update - April 2013Vendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2013-0752.html
RHSA-2013:0752 - Security Advisory - Red Hat Customer Portal
-
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html
[SECURITY] IcedTea 1.11.10 for OpenJDK 6 Released!
-
http://security.gentoo.org/glsa/glsa-201406-32.xml
IcedTea JDK: Multiple vulnerabilities (GLSA 201406-32) — Gentoo security
Jump to