CVE-2013-0422
CVE-2013-0422 is a critical-severity vulnerability in Oracle Jdk with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-25). The underlying weakness is classified as CWE-284.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 98% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-05-25)
- EU (EUVD) id: EUVD-2013-0433
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-05-25)
- Weakness: CWE-284
- Affected product: Oracle Jdk
- Published:
- Last modified:
Description
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.
CVE-2013-0422: Oracle Java 7 Security Manager Bypass via JMX MBeanInstantiator and Reflection API
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2013-0422 |
| Published | 2013-01-10 |
| CVSS v2 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 0.97612 (99.89th percentile) |
| KEV | Yes (CISA Known Exploited Vulnerabilities catalog) |
| CWE | CWE-284: Improper Access Control |
Summary
CVE-2013-0422 covers two distinct but related vulnerabilities in Oracle Java 7 that enable remote attackers to bypass the Java Security Manager and execute arbitrary code. Both vectors were exploited in the wild beginning January 2013, notably by the Blackhole and Nuclear Pack exploit kits.
Background
The Java Security Manager is a core sandbox mechanism that restricts what Java applets and applications can do. When it is bypassed, untrusted code can execute with the same privileges as the user running the Java process. In early January 2013, security researchers identified active exploitation of zero-day vulnerabilities in Java 7 that completely circumvented this protection.
Root Cause
The vulnerability class is CWE-284: Improper Access Control. Two independent weaknesses contribute to CVE-2013-0422:
-
JMX MBeanInstantiator vector: The public
getMBeanInstantiatormethod in theJmxMBeanServerclass returns a reference to a privateMBeanInstantiatorobject. Attackers can then use thefindClassmethod to obtain arbitraryClassreferences, effectively bypassing class-loading restrictions enforced by the Security Manager. -
Reflection API recursion vector: The
sun.reflect.Reflection.getCallerClassmethod fails to properly skip frames related to the new Reflection API (java.lang.invoke). By using recursive reflection calls, an attacker can bypass the security check performed byjava.lang.invoke.MethodHandles.Lookup.checkSecurityManager.
Impact
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
This is a CRITICAL severity vulnerability (CVSS v3: 9.8). The complete CVSS v2 score of 10.0 reflects that exploitation is trivial from the network, requires no authentication, and grants full confidentiality, integrity, and availability compromise.
Exploitation Walkthrough
Ethics caveat: This section describes the defensive understanding of exploitation mechanics. No weaponized exploit code is provided. These details are intended to aid detection and mitigation only.
Exploitation typically occurs via a malicious web page hosting a Java applet. The attack chain leverages one or both of the following sequences:
-
JMX vector: The applet calls
JmxMBeanServer.getMBeanInstantiator(), which is public and accessible. This returns a reference to the restrictedMBeanInstantiator. The attacker then invokesfindClass()with a malicious class name, loading attacker-controlled bytecode outside the Security Manager's oversight. -
Reflection vector: The applet uses the
MethodHandles.LookupAPI with recursive reflection to triggercheckSecurityManager. Due to the frame-skipping flaw ingetCallerClass, the security check is bypassed, allowing the applet to perform privileged operations.
Both vectors were observed in widespread drive-by-download campaigns in January 2013.
Affected and Patched Versions
Affected:
- Oracle JDK 1.7.0 through Update 10
- Oracle JRE 1.7.0 through Update 10
- Ubuntu Linux 12.10
- openSUSE 12.2
Patched:
- Oracle Java 7 Update 11 (released January 2013)
Note: As of 2013-01-14, third-party reports suggested that the findClass / MBeanInstantiator vector may not have been fully addressed in Update 11. If a residual vulnerable condition remained, it would have been tracked under a separate CVE identifier.
Remediation
-
Upgrade: Remove Oracle Java 7 Update 10 and earlier. If Java 7 is still required, apply the latest available update from Oracle. Note that Java 7 reached End of Public Updates in April 2015; modern environments should migrate to Java 8 or later.
-
Compensating controls:
- Disable the Java browser plugin entirely if not required.
- Use application whitelisting to prevent execution of untrusted Java applets.
- Implement web proxy filters to block known malicious domains serving Java exploit kits.
- Enable click-to-play for Java content in browsers.
Detection
- Monitor for unexpected
java.exeorjavaw.exeprocesses spawned by browsers. - Look for network connections originating from browser Java processes to external hosts.
- EDR rules: detect suspicious use of
JmxMBeanServer.getMBeanInstantiatororMBeanInstantiator.findClassin applet contexts. - Web proxy logs: flag sites hosting
.classfiles alongside obfuscated JavaScript commonly used in exploit kit landing pages.
Assessment
- EPSS: 0.97612 (99.89th percentile) — indicating extremely high probability of active exploitation.
- KEV: Listed in the CISA Known Exploited Vulnerabilities catalog since 2022-05-25.
Lessons:
- Publicly exposed methods returning internal restricted objects (like
getMBeanInstantiator) remain a recurring anti-pattern in Java security history. Design reviews should flag any public API surface that exposes privileged internals. - The Reflection API's interaction with legacy caller-checking mechanisms (
getCallerClass) demonstrates the risk of partial API modernization. Security checks must be revalidated whenever the call-stack inspection model changes.
References
- http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
- http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
- http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
- http://www.us-cert.gov/cas/techalerts/TA13-010A.html
- https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
- https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422
Frequently asked questions
- What is CVE-2013-0422?
- Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.
- How severe is CVE-2013-0422?
- CVE-2013-0422 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2013-0422 being actively exploited?
- Yes. CVE-2013-0422 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2013-0422?
- CVE-2013-0422 primarily affects Oracle Jdk. In total, 22 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2013-0422?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2013-0422 have an EU (EUVD) identifier?
- Yes. CVE-2013-0422 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2013-0433. It is also flagged as exploited in the EUVD (since 2022-05-25).
- When was CVE-2013-0422 published?
- CVE-2013-0422 was published on 2013-01-10 and last updated on 2026-06-16.
References
- http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
- http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
- http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
- http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
- http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
- http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
- http://rhn.redhat.com/errata/RHSA-2013-0156.html
- http://rhn.redhat.com/errata/RHSA-2013-0165.html
- http://seclists.org/bugtraq/2013/Jan/48
- http://www.kb.cert.org/vuls/id/625617
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
- http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
- http://www.ubuntu.com/usn/USN-1693-1
- http://www.us-cert.gov/cas/techalerts/TA13-010A.html
- https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
- https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
- https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422
Affected products (22)
- cpe:2.3:a:oracle:jdk:1.7.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
More vulnerabilities in Oracle Jdk
- CVE-2016-0494 — Critical (CVSS 10.0): Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and…
- CVE-2016-0483 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows…
- CVE-2015-4883 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4881 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4860 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4844 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
All CVEs affecting Oracle Jdk →
Other CWE-284 (Improper Access Control) vulnerabilities
- CVE-2026-50746 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi…
- CVE-2026-46978 — Critical (CVSS 10.0): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The…
- CVE-2026-35308 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars).…
- CVE-2026-35307 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that…
- CVE-2026-46695 — Critical (CVSS 10.0): Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers…
- CVE-2026-46840 — Critical (CVSS 10.0): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are…
Browse all CWE-284 (Improper Access Control) vulnerabilities →