Vulnerability CVE-2013-5456

Vulnerability Name:

CVE-2013-5456 (CCN-88255)

Assigned:

2013-11-05

Published:

2013-11-05

Updated:

2017-08-29

Summary:

The com.ibm.rmi.io.SunSerializableFactory class in IBM Java SDK 7.0.0 before SR6 allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code via vectors related to deserialization inside the AccessController doPrivileged block.

CVSS v3 Severity:

10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
7.3 High (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
7.3 High (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.3 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2013-5456

Source: SUSE
Type: UNKNOWN
SUSE-SU-2013:1677

Source: CCN
Type: RHSA-2013-1507
Critical: java-1.7.0-ibm security update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:1507

Source: CCN
Type: SA56338
IBM Smart Analytics System Series Java Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
56338

Source: AIXAPAR
Type: UNKNOWN
IV51329

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21655201

Source: CCN
Type: IBM Security Bulletin 1655202
Multiple vulnerabilities in IBM WebSphere Real Time

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21655202

Source: CCN
Type: IBM Security Bulletin 1659530
IBM Smart Analytics System 5600 is affected by multiple vulnerabilities in the IBM Java SDK

Source: CCN
Type: IBM Security Bulletin 1661213
IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE

Source: CCN
Type: IBM developerWorks
IBM Security Update November 2013

Source: CCN
Type: IBM Security Bulletin 1655201
Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition

Source: MISC
Type: UNKNOWN
http://www.security-explorations.com/materials/SE-2012-01-IBM-3.pdf

Source: MISC
Type: UNKNOWN
http://www.security-explorations.com/materials/SE-2012-01-IBM-5.pdf

Source: CCN
Type: BID-63618
IBM Java CVE-2013-5456 Unspecified Arbitrary Code Execution Vulnerability

Source: XF
Type: UNKNOWN
ibm-java-cve20135456-code-exec(88255)

Source: XF
Type: UNKNOWN
ibm-java-cve20135456-code-exec(88255)

Source: CCN
Type: Packet Storm Security [04-12-2016]
IBM Java Issue 70 Bad Patch

Source: CONFIRM
Type: Vendor Advisory
https://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2013

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:java:7.0.0.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:rhel_extras:6:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:java_sdk:7.0.9.10:*:*:*:technology:*:*:*

AND

cpe:/a:ibm:operational_decision_manager:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:operational_decision_manager:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_ilog_jrules:7.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20135456	V	CVE-2013-5456	2022-05-20
oval:org.opensuse.security:def:33795	P	Security update for apache2 (Important)	2022-01-12
oval:org.opensuse.security:def:29496	P	Security update for libsndfile (Important)	2022-01-05
oval:org.opensuse.security:def:33066	P	Security update for chrony (Moderate)	2021-12-22
oval:org.opensuse.security:def:33067	P	Security update for libqt4 (Important)	2021-12-22
oval:org.opensuse.security:def:33753	P	Security update for MozillaFirefox (Important)	2021-12-12
oval:org.opensuse.security:def:26178	P	Security update for the Linux Kernel (Important)	2021-12-02
oval:org.opensuse.security:def:26179	P	Security update for gmp (Moderate)	2021-12-02
oval:org.opensuse.security:def:26177	P	Security update for webkit2gtk3 (Important)	2021-12-01
oval:org.opensuse.security:def:33746	P	Security update for ruby2.1 (Important)	2021-12-01
oval:org.opensuse.security:def:34587	P	Security update for samba (Important)	2021-11-10
oval:org.opensuse.security:def:34547	P	Security update for the Linux Kernel (Important)	2021-09-23
oval:org.opensuse.security:def:34540	P	Security update for transfig (Moderate)	2021-09-16
oval:org.opensuse.security:def:29418	P	Security update for file (Important)	2021-09-02
oval:org.opensuse.security:def:29411	P	Security update for cpio (Important)	2021-08-23
oval:org.opensuse.security:def:33696	P	Security update for mariadb (Important)	2021-08-06
oval:org.opensuse.security:def:33689	P	Security update for curl (Moderate)	2021-07-21
oval:org.opensuse.security:def:33909	P	Security update for xen (Important)	2021-05-19
oval:org.opensuse.security:def:29361	P	Security update for the Linux Kernel (Important)	2021-05-17
oval:org.opensuse.security:def:33902	P	Security update for bind (Important)	2021-05-04
oval:org.opensuse.security:def:29354	P	Security update for tomcat (Important)	2021-04-29
oval:org.opensuse.security:def:33085	P	Security update for postgresql-jdbc (Moderate)	2021-02-25
oval:org.opensuse.security:def:33078	P	Security update for krb5-appl (Important)	2021-02-19
oval:org.opensuse.security:def:33074	P	Security update for jasper (Important)	2021-02-16
oval:org.opensuse.security:def:33073	P	Security update for wpa_supplicant (Important)	2021-02-15
oval:org.opensuse.security:def:26189	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:26190	P	Security update for MozillaFirefox (Low)	2021-02-10
oval:org.opensuse.security:def:34580	P	Security update for the Linux Kernel (Important)	2021-02-09
oval:org.opensuse.security:def:26253	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:29649	P	Security update for curl (Important)	2020-12-01
oval:org.opensuse.security:def:26604	P	libsoup-2_4-1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29816	P	Security update for jasper (Moderate)	2020-12-01
oval:org.opensuse.security:def:29063	P	Security update for bzip2 (Important)	2020-12-01
oval:org.opensuse.security:def:26519	P	PackageKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29791	P	Security update for gtk2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:33299	P	xorg-x11-libXt-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26857	P	PolicyKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30535	P	Security update for IBM Java 7	2020-12-01
oval:org.opensuse.security:def:33157	P	libksba on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26807	P	perl-spamassassin on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30491	P	Security update for fastjar	2020-12-01
oval:org.opensuse.security:def:29075	P	Security update for cups (Important)	2020-12-01
oval:org.opensuse.security:def:33539	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:26954	P	libltdl7 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29057	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:33444	P	Security update for pidgin	2020-12-01
oval:org.opensuse.security:def:26909	P	gpg2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33802	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:29268	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:27626	P	Security update for IBM Java 6	2020-12-01
oval:org.opensuse.security:def:26254	P	Security update for dia (Moderate)	2020-12-01
oval:org.opensuse.security:def:29656	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:33858	P	Security update for ipsec-tools (Moderate)	2020-12-01
oval:org.opensuse.security:def:26520	P	PolicyKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29798	P	Security update for icu	2020-12-01
oval:org.opensuse.security:def:26462	P	Security update for Mozilla Thunderbird (Important)	2020-12-01
oval:org.opensuse.security:def:29752	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:33164	P	libmysqlclient15-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26808	P	postgresql on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30498	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:26754	P	libneon27 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29853	P	Security update for Linux Kernel	2020-12-01
oval:org.opensuse.security:def:29064	P	Security update for bzip2 (Important)	2020-12-01
oval:org.opensuse.security:def:33451	P	Security update for GNOME screensaver	2020-12-01
oval:org.opensuse.security:def:26910	P	gstreamer-0_10-plugins-base on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33387	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:26895	P	findutils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29275	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:27627	P	Security update for IBM Java 7	2020-12-01
oval:org.opensuse.security:def:29137	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:27591	P	yast2-core-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29503	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:33865	P	Security update for jasper (Moderate)	2020-12-01
oval:org.opensuse.security:def:33834	P	Security update for gnutls (Moderate)	2020-12-01
oval:org.opensuse.security:def:26463	P	Security update for enigmail (Moderate)	2020-12-01
oval:org.opensuse.security:def:29759	P	Security update for ghostscript-library (Important)	2020-12-01
oval:org.opensuse.security:def:26381	P	Security update for ffmpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:29703	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:26755	P	libnetpbm10 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29860	P	Security update for the Linux Kernel	2020-12-01
oval:org.opensuse.security:def:26603	P	libsnmp15-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29809	P	Security update for jakarta-commons-fileupload (Important)	2020-12-01
oval:org.opensuse.security:def:29056	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:33394	P	Security update for SUSE Manager Client Tools (Moderate)	2020-12-01
oval:org.opensuse.security:def:26896	P	foomatic-filters on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33292	P	xorg-x11 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26856	P	PackageKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30528	P	Security update for IBM Java 6	2020-12-01
oval:org.opensuse.security:def:29144	P	Security update for kvm (Important)	2020-12-01
oval:org.opensuse.security:def:27592	P	yast2-devel-doc on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29068	P	Security update for clamav (Moderate)	2020-12-01
oval:org.opensuse.security:def:33532	P	Security update for xpdf	2020-12-01
oval:org.opensuse.security:def:26953	P	libicu-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33841	P	Security update for gtk2	2020-12-01
oval:org.opensuse.security:def:26382	P	Security update for ffmpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:29710	P	Security update for Mozilla Firefox	2020-12-01
oval:org.mitre.oval:def:21151	P	RHSA-2013:1507: java-1.7.0-ibm security update (Critical)	2015-03-09
oval:org.mitre.oval:def:23813	P	ELSA-2013:1507: java-1.7.0-ibm security update (Critical)	2014-05-26
oval:com.redhat.rhsa:def:20131507	P	RHSA-2013:1507: java-1.7.0-ibm security update (Critical)	2013-11-07

BACK