Vulnerability CVE-2013-4578

Vulnerability Name:

CVE-2013-4578 (CCN-101011)

Assigned:

2013-06-12

Published:

2014-01-14

Updated:

2018-01-17

Summary:

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.0 Medium (REDHAT CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-74

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2013-4578

Source: CCN
Type: OpenJDK Web site
Enhance jar file validation

Source: CONFIRM
Type: Patch, Vendor Advisory
http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e

Source: CCN
Type: oss-security Mailing List, Sun, 08 Feb 2015 15:37:42 -0700
CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20150208 CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20150209 Re: CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars

Source: REDHAT
Type: Patch, Third Party Advisory, VDB Entry
RHSA-2014:0414

Source: CCN
Type: Red Hat Bugzilla Bug 1031471
(CVE-2013-4578) CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory, VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1031471

Source: XF
Type: UNKNOWN
openjdk-jarsigner-cve20134578-sec-bypass(101011)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-4578

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update10_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update11_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update17_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update17_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update21:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update21_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update25:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update25_b33:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update25_b34:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update25_b35:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update40:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update45:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update45_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update45_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update45_b33:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update45_b34:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update51:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update7_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update9_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jdk:1.7.0:update9_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update1:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update10:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update10_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update11:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update11_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update13:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update15:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update17:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update17_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update17_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update2:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update21:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update21_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update25:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update25_b33:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update25_b34:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update25_b35:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update3:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update4:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update40:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update45:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update45_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update45_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update45_b33:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update45_b34:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update5:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update51:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update6:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update7:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update7_b32:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update9:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update9_b31:*:*:*:*:*:*

OR cpe:/a:oracle:jre:1.7.0:update9_b32:*:*:*:*:*:*

Configuration 2:

cpe:/a:oracle:jdk:*:*:*:*:*:*:*:* (Version <= 1.7.0)

OR cpe:/a:oracle:jre:*:*:*:*:*:*:*:* (Version <= 1.7.0)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 8:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration RedHat 9:

cpe:/a:redhat:rhel_extras_oracle_java:5:*:*:*:*:*:*:*

Configuration RedHat 10:

cpe:/a:redhat:rhel_extras_oracle_java:6:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:sun:openjdk:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.trusty:def:20134578000	V	CVE-2013-4578 on Ubuntu 14.04 LTS (trusty) - medium.	2017-12-29
oval:com.redhat.rhsa:def:20140414	P	RHSA-2014:0414: java-1.6.0-sun security update (Important)	2017-12-15
oval:com.ubuntu.precise:def:20134578000	V	CVE-2013-4578 on Ubuntu 12.04 LTS (precise) - medium.	2015-02-09
oval:com.redhat.rhsa:def:20140134	P	RHSA-2014:0134: java-1.7.0-ibm security update (Critical)	2014-02-04
oval:com.redhat.rhsa:def:20140135	P	RHSA-2014:0135: java-1.6.0-ibm security update (Critical)	2014-02-04
oval:com.redhat.rhsa:def:20140136	P	RHSA-2014:0136: java-1.5.0-ibm security update (Important)	2014-02-04
oval:com.redhat.rhsa:def:20140097	P	RHSA-2014:0097: java-1.6.0-openjdk security update (Important)	2014-01-27
oval:com.redhat.rhsa:def:20140026	P	RHSA-2014:0026: java-1.7.0-openjdk security update (Critical)	2014-01-15
oval:com.redhat.rhsa:def:20140027	P	RHSA-2014:0027: java-1.7.0-openjdk security update (Important)	2014-01-15
oval:com.redhat.rhsa:def:20140030	P	RHSA-2014:0030: java-1.7.0-oracle security update (Critical)	2014-01-15

BACK