CVE-2016-0363

Impact:
Critical
Public Date:
2016-04-04
Bugzilla:
1324044: CVE-2016-0363 IBM JDK: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix

The MITRE CVE dictionary describes this issue as:

The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) uses the invoke method of the java.lang.reflect.Method class in an AccessController doPrivileged block, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3009.

Find out more about CVE-2016-0363 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 6.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.8.0-ibm) RHSA-2016:0716 2016-05-03
Red Hat Satellite 5.6 (RHEL v.6) (java-1.7.1-ibm) RHSA-2017:1216 2017-05-09
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.7.1-ibm) RHSA-2016:0701 2016-04-29
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.8.0-ibm) RHSA-2016:1039 2016-05-11
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.1-ibm) RHSA-2016:0701 2016-04-29
Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm) RHSA-2016:0702 2016-04-29
Red Hat Satellite 5.6 (RHEL v.6) (java-1.7.1-ibm) RHSA-2016:1430 2016-07-18
Red Hat Satellite 5.7 (RHEL v.6) (java-1.7.1-ibm) RHSA-2016:1430 2016-07-18
Red Hat Satellite 5.7 (RHEL v.6) (java-1.7.1-ibm) RHSA-2017:1216 2017-05-09
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) RHSA-2016:0708 2016-05-02
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) RHSA-2016:0708 2016-05-02
Red Hat Satellite 5.6 (RHEL v.5) (java-1.7.0-ibm) RHSA-2016:1430 2016-07-18

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation