CVE-2013-0422

CVE-2013-0422 is a critical-severity vulnerability in Oracle Jdk with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-25). The underlying weakness is classified as CWE-284.

Key facts

Description

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

CVE-2013-0422: Oracle Java 7 Security Manager Bypass via JMX MBeanInstantiator and Reflection API

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2013-0422
Published 2013-01-10
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.97612 (99.89th percentile)
KEV Yes (CISA Known Exploited Vulnerabilities catalog)
CWE CWE-284: Improper Access Control

Summary

CVE-2013-0422 covers two distinct but related vulnerabilities in Oracle Java 7 that enable remote attackers to bypass the Java Security Manager and execute arbitrary code. Both vectors were exploited in the wild beginning January 2013, notably by the Blackhole and Nuclear Pack exploit kits.

Background

The Java Security Manager is a core sandbox mechanism that restricts what Java applets and applications can do. When it is bypassed, untrusted code can execute with the same privileges as the user running the Java process. In early January 2013, security researchers identified active exploitation of zero-day vulnerabilities in Java 7 that completely circumvented this protection.

Root Cause

The vulnerability class is CWE-284: Improper Access Control. Two independent weaknesses contribute to CVE-2013-0422:

  1. JMX MBeanInstantiator vector: The public getMBeanInstantiator method in the JmxMBeanServer class returns a reference to a private MBeanInstantiator object. Attackers can then use the findClass method to obtain arbitrary Class references, effectively bypassing class-loading restrictions enforced by the Security Manager.

  2. Reflection API recursion vector: The sun.reflect.Reflection.getCallerClass method fails to properly skip frames related to the new Reflection API (java.lang.invoke). By using recursive reflection calls, an attacker can bypass the security check performed by java.lang.invoke.MethodHandles.Lookup.checkSecurityManager.

Impact

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

This is a CRITICAL severity vulnerability (CVSS v3: 9.8). The complete CVSS v2 score of 10.0 reflects that exploitation is trivial from the network, requires no authentication, and grants full confidentiality, integrity, and availability compromise.

Exploitation Walkthrough

Ethics caveat: This section describes the defensive understanding of exploitation mechanics. No weaponized exploit code is provided. These details are intended to aid detection and mitigation only.

Exploitation typically occurs via a malicious web page hosting a Java applet. The attack chain leverages one or both of the following sequences:

  1. JMX vector: The applet calls JmxMBeanServer.getMBeanInstantiator(), which is public and accessible. This returns a reference to the restricted MBeanInstantiator. The attacker then invokes findClass() with a malicious class name, loading attacker-controlled bytecode outside the Security Manager's oversight.

  2. Reflection vector: The applet uses the MethodHandles.Lookup API with recursive reflection to trigger checkSecurityManager. Due to the frame-skipping flaw in getCallerClass, the security check is bypassed, allowing the applet to perform privileged operations.

Both vectors were observed in widespread drive-by-download campaigns in January 2013.

Affected and Patched Versions

Affected:

  • Oracle JDK 1.7.0 through Update 10
  • Oracle JRE 1.7.0 through Update 10
  • Ubuntu Linux 12.10
  • openSUSE 12.2

Patched:

  • Oracle Java 7 Update 11 (released January 2013)

Note: As of 2013-01-14, third-party reports suggested that the findClass / MBeanInstantiator vector may not have been fully addressed in Update 11. If a residual vulnerable condition remained, it would have been tracked under a separate CVE identifier.

Remediation

  1. Upgrade: Remove Oracle Java 7 Update 10 and earlier. If Java 7 is still required, apply the latest available update from Oracle. Note that Java 7 reached End of Public Updates in April 2015; modern environments should migrate to Java 8 or later.

  2. Compensating controls:

    • Disable the Java browser plugin entirely if not required.
    • Use application whitelisting to prevent execution of untrusted Java applets.
    • Implement web proxy filters to block known malicious domains serving Java exploit kits.
    • Enable click-to-play for Java content in browsers.

Detection

  • Monitor for unexpected java.exe or javaw.exe processes spawned by browsers.
  • Look for network connections originating from browser Java processes to external hosts.
  • EDR rules: detect suspicious use of JmxMBeanServer.getMBeanInstantiator or MBeanInstantiator.findClass in applet contexts.
  • Web proxy logs: flag sites hosting .class files alongside obfuscated JavaScript commonly used in exploit kit landing pages.

Assessment

  • EPSS: 0.97612 (99.89th percentile) — indicating extremely high probability of active exploitation.
  • KEV: Listed in the CISA Known Exploited Vulnerabilities catalog since 2022-05-25.

Lessons:

  1. Publicly exposed methods returning internal restricted objects (like getMBeanInstantiator) remain a recurring anti-pattern in Java security history. Design reviews should flag any public API surface that exposes privileged internals.
  2. The Reflection API's interaction with legacy caller-checking mechanisms (getCallerClass) demonstrates the risk of partial API modernization. Security checks must be revalidated whenever the call-stack inspection model changes.

References

Frequently asked questions

What is CVE-2013-0422?
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.
How severe is CVE-2013-0422?
CVE-2013-0422 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2013-0422 being actively exploited?
Yes. CVE-2013-0422 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2013-0422?
CVE-2013-0422 primarily affects Oracle Jdk. In total, 22 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2013-0422?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2013-0422 have an EU (EUVD) identifier?
Yes. CVE-2013-0422 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2013-0433. It is also flagged as exploited in the EUVD (since 2022-05-25).
When was CVE-2013-0422 published?
CVE-2013-0422 was published on 2013-01-10 and last updated on 2026-06-16.

References

Affected products (22)

More vulnerabilities in Oracle Jdk

All CVEs affecting Oracle Jdk →

Other CWE-284 (Improper Access Control) vulnerabilities

Browse all CWE-284 (Improper Access Control) vulnerabilities →