CVE-2013-0422 — Oracle JRE Remote Code Execution Vulnerability
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class
Published
2013-01-10T21:23:00.000Z
Last modified
2025-10-22T00:05:44.798Z
CISA KEV — Actively Exploited
01What is this vulnerability?
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a…
02Affected products
| Vendor | Product | Versions |
|---|
| n | a / n/a | n/a |
03Active exploitation status
Yes — actively exploited. Added to the CISA KEV catalog on 2022-05-25. Ransomware use: Unknown.
04Recommended remediation
- Patch to a fixed version listed in the vendor advisory (see references below).
- Mitigate with WAF rules, network egress filters, or feature flags where the patch is not yet available.
- Hunt historical logs for exploitation indicators — see Detection signatures below.
05Technical details
For the full vendor write-up, exploit chains, and reference implementations, see the references list in section 09.
06Detection signatures
Open the Sigma generator with a pre-filled prompt for this CVE to draft a starting detection in your stack of choice:
Open in Sigma generator →
07Related CVEs
No directly-cited follow-up CVEs in the KB record for this advisory. The references list in section 09 carries the vendor cross-references.
08Timeline
- Published: 2013-01-10T21:23:00.000Z
- Last modified: 2025-10-22T00:05:44.798Z
- Added to CISA KEV: 2022-05-25
- BOD 22-01 due: 2022-06-15
09References
- rhn.redhat.com — http://rhn.redhat.com/errata/RHSA-2013-0156.html
- malware.dontneedcoffee.com — http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.h…
- www.mandriva.com — http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
- blog.fuseyism.com — http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4…
- lists.opensuse.org — http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
- rhn.redhat.com — http://rhn.redhat.com/errata/RHSA-2013-0165.html
- www.kb.cert.org — http://www.kb.cert.org/vuls/id/625617
- www.us-cert.gov — http://www.us-cert.gov/cas/techalerts/TA13-010A.html
- partners.immunityinc.com — https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day…
- blog.fireeye.com — http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.h…
- www-304.ibm.com — https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_man…
- www.ubuntu.com — http://www.ubuntu.com/usn/USN-1693-1
- wiki.mageia.org — https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
- immunityproducts.blogspot.ca — http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two…
- threatpost.com — https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-al…
- seclists.org — http://seclists.org/bugtraq/2013/Jan/48
- www.oracle.com — http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.ht…
- krebsonsecurity.com — http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
- labs.alienvault.com — http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Want this in your SOAR or SIEM?
SARA's API returns EPSS, CVSS, KEV, and an analyst-grade summary in one call.
Read the API reference →