CVE-2016-0363

EPSS 0.64%
Published 03.06.2016 14:59:01
Last modified 12.04.2025 10:46:40
Source psirt@us.ibm.com
Teams watchlist Login
Open Login

The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) uses the invoke method of the java.lang.reflect.Method class in an AccessController doPrivileged block, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3009.

Affected products Warnungen 0 Metrics 3 CWE 1 References 25

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Satellite Version5.6

Redhat ≫ Satellite Version5.7

Redhat ≫ Enterprise Linux Desktop Version6.0

Redhat ≫ Enterprise Linux Desktop Version7.0

Redhat ≫ Enterprise Linux Hpc Node Supplementary Version6.0

Redhat ≫ Enterprise Linux Hpc Node Supplementary Version7.0

Redhat ≫ Enterprise Linux Server Version6.0

Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Enterprise Linux Server Eus Version6.7

Redhat ≫ Enterprise Linux Server Eus Version7.2

Redhat ≫ Enterprise Linux Server Eus Version7.3

Redhat ≫ Enterprise Linux Server Eus Version7.4

Redhat ≫ Enterprise Linux Server Eus Version7.5

Redhat ≫ Enterprise Linux Workstation Version6.0

Redhat ≫ Enterprise Linux Workstation Version7.0

Novell ≫ Suse Linux Enterprise Software Development Kit Version11.0 Updatesp4

Novell ≫ Suse Linux Enterprise Software Development Kit Version12.0

Novell ≫ Suse Linux Enterprise Software Development Kit Version12.0 Updatesp1

Novell ≫ Suse Linux Enterprise Module For Legacy Software Version12

Novell ≫ Suse Linux Enterprise Server Version11.0 Updatesp2 SwEditionltss

Novell ≫ Suse Linux Enterprise Server Version11.0 Updatesp3 SwEditionltss

Novell ≫ Suse Linux Enterprise Server Version11.0 Updatesp4

Novell ≫ Suse Linux Enterprise Server Version12.0

Novell ≫ Suse Linux Enterprise Server Version12.0 Updatesp1

Novell ≫ Suse Manager Version2.1

Novell ≫ Suse Manager Proxy Version2.1

Novell ≫ Suse Openstack Cloud Version5

Ibm ≫ Java Sdk SwEditiontechnology Version >= 6.0.0.0 < 6.0.16.25

Ibm ≫ Java Sdk SwEditiontechnology Version >= 6.1.0.0 < 6.1.8.25

Ibm ≫ Java Sdk SwEditiontechnology Version >= 7.0.0.0 < 7.0.9.40

Ibm ≫ Java Sdk SwEditiontechnology Version >= 7.1.0.0 < 7.1.3.40

Ibm ≫ Java Sdk SwEditiontechnology Version >= 8.0.0.0 < 8.0.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.64%	0.696

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://seclists.org/fulldisclosure/2016/Apr/20

Third Party Advisory

VDB Entry

Mailing List

http://seclists.org/fulldisclosure/2016/Apr/3

Third Party Advisory

VDB Entry

Mailing List

http://www.security-explorations.com/materials/SE-2012-01-IBM-4.pdf

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2016:1430