Back to KEVs

CVE-2012-0507

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and...

Basic Information

CVE State
PUBLISHED
Reserved Date
January 11, 2012
Published Date
June 07, 2012
Last Updated
February 10, 2025
Vendor
Oracle
Product
Java SE
Description
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.
Tags
cisa malware ransomware metasploit_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

10.0

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2022-03-03 00:00:00 UTC) Source
Used in Malware
Yes (added 2022-03-03 00:00:00 UTC) Source

References

http://marc.info/?l=bugtraq&m=133847939902305&w=2 http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html http://secunia.com/advisories/48692 http://marc.info/?l=bugtraq&m=134254866602253&w=2 http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/ http://secunia.com/advisories/48589 http://marc.info/?l=bugtraq&m=133365109612558&w=2 http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3 http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html http://rhn.redhat.com/errata/RHSA-2013-1455.html http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00010.html http://secunia.com/advisories/48950 http://secunia.com/advisories/48948 http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx http://marc.info/?l=bugtraq&m=133847939902305&w=2 http://secunia.com/advisories/48915 http://marc.info/?l=bugtraq&m=133364885411663&w=2 http://www.debian.org/security/2012/dsa-2420 http://rhn.redhat.com/errata/RHSA-2012-0508.html https://bugzilla.redhat.com/show_bug.cgi?id=788994 http://marc.info/?l=bugtraq&m=134254957702612&w=2 http://rhn.redhat.com/errata/RHSA-2012-0514.html http://www.securityfocus.com/bid/52161 http://marc.info/?l=bugtraq&m=133365109612558&w=2 http://marc.info/?l=bugtraq&m=133364885411663&w=2 http://marc.info/?l=bugtraq&m=134254957702612&w=2

Known Exploited Vulnerability Information

Source Added Date
CISA 2022-03-03 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_atomicreferencearray.rb 2025-04-29 11:01:19 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

java_atomicreferencearray

Type: metasploit • Created: Unknown

Metasploit module for CVE-2012-0507

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Detected by Metasploit