CVE-2012-4681

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2012-4681
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html Third Party Advisory
http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html Exploit Third Party Advisory
http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ Broken Link Exploit
http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html Mailing List
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html Mailing List
http://marc.info/?l=bugtraq&m=135109152819176&w=2 Issue Tracking Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=135109152819176&w=2 Issue Tracking Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=135109152819176&w=2 Issue Tracking Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=135109152819176&w=2 Issue Tracking Mailing List Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-1225.html Third Party Advisory
http://secunia.com/advisories/51044 Not Applicable
http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html Third Party Advisory Broken Link
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html Vendor Advisory
http://www.securityfocus.com/bid/55213 Third Party Advisory VDB Entry Broken Link
http://www.us-cert.gov/cas/techalerts/TA12-240A.html Third Party Advisory US Government Resource
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day Third Party Advisory Broken Link
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html Third Party Advisory
http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html Exploit Third Party Advisory
http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ Broken Link Exploit
http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html Mailing List
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html Mailing List
http://marc.info/?l=bugtraq&m=135109152819176&w=2 Issue Tracking Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=135109152819176&w=2 Issue Tracking Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=135109152819176&w=2 Issue Tracking Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=135109152819176&w=2 Issue Tracking Mailing List Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-1225.html Third Party Advisory
http://secunia.com/advisories/51044 Not Applicable
http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html Third Party Advisory Broken Link
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html Vendor Advisory
http://www.securityfocus.com/bid/55213 Third Party Advisory VDB Entry Broken Link
http://www.us-cert.gov/cas/techalerts/TA12-240A.html Third Party Advisory US Government Resource
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day Third Party Advisory Broken Link
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:oracle:jdk:1.6.0:-:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update10:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update11:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update12:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update13:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update14:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update15:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update16:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update17:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update18:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update19:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update20:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update21:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update6:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update7:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update8:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.6.0:update9:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:-:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:-:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update10:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update11:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update12:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update13:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update14:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update15:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update16:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update17:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update18:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update19:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update20:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update21:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update23:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update24:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update25:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update26:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update27:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update29:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update30:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update31:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update32:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update33:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update34:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update6:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update7:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.6.0:update9:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:6.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
History

14 Mar 2025, 15:27

Type Values Removed Values Added
References () http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html - Broken Link () http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html - Mailing List
References () http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html - Broken Link () http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html - Mailing List
References () http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html - Third Party Advisory () http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html - Third Party Advisory, Broken Link
References () http://www.securityfocus.com/bid/55213 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/55213 - Third Party Advisory, VDB Entry, Broken Link
References () https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day - Third Party Advisory () https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day - Third Party Advisory, Broken Link

10 Feb 2025, 20:15

Type Values Removed Values Added
CVSS v2 : 10.0
v3 : unknown 		v2 : 10.0
v3 : 9.8
CWE CWE-284

21 Nov 2024, 01:43

Type Values Removed Values Added
References () http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html - Third Party Advisory () http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html - Third Party Advisory
References () http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html - Exploit, Third Party Advisory () http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html - Exploit, Third Party Advisory
References () http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ - Broken Link, Exploit () http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ - Broken Link, Exploit
References () http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html - Broken Link () http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html - Broken Link
References () http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html - Broken Link () http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00016.html - Broken Link
References () http://marc.info/?l=bugtraq&m=135109152819176&w=2 - Issue Tracking, Mailing List, Third Party Advisory () http://marc.info/?l=bugtraq&m=135109152819176&w=2 - Issue Tracking, Mailing List, Third Party Advisory
References () http://rhn.redhat.com/errata/RHSA-2012-1225.html - Third Party Advisory () http://rhn.redhat.com/errata/RHSA-2012-1225.html - Third Party Advisory
References () http://secunia.com/advisories/51044 - Not Applicable () http://secunia.com/advisories/51044 - Not Applicable
References () http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html - Third Party Advisory () http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html - Third Party Advisory
References () http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html - Vendor Advisory () http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html - Vendor Advisory
References () http://www.securityfocus.com/bid/55213 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/55213 - Third Party Advisory, VDB Entry
References () http://www.us-cert.gov/cas/techalerts/TA12-240A.html - Third Party Advisory, US Government Resource () http://www.us-cert.gov/cas/techalerts/TA12-240A.html - Third Party Advisory, US Government Resource
References () https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day - Third Party Advisory () https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day - Third Party Advisory
Information

Published : 2012-08-28 00:55

Updated : 2025-04-11 00:51

NVD link : CVE-2012-4681

Mitre link : CVE-2012-4681

CVE.ORG link : CVE-2012-4681

JSON object : View

Products Affected

redhat

  • enterprise_linux_workstation
  • enterprise_linux_server
  • enterprise_linux_desktop
  • enterprise_linux_eus

oracle

  • jre
  • jdk
CWE
NVD-CWE-noinfo CWE-284

Improper Access Control