Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2010-0840

Disclosure Date: April 01, 2010
CVE-2010-0840 CVSS v3 Base Score: 9.8
Exploited in the Wild
Reported by gwillcox-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) “a similar trust issue with interfaces,” aka “Trusted Methods Chaining Remote Code Execution Vulnerability.”

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/multi/browser/java_trusted_chain
Reporter
Unknown

Exploited in the Wild

Reported by:

References

Canonical
CVE-2010-0840 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840)
BID-39065 (http://www.securityfocus.com/bid/39065)
Advisory
APPLE-SA-2010-05-18-1 (http://lists.apple.com/archives/security-announce/2010//May/msg00001.html)
HPSBMU02799 (http://marc.info?l=bugtraq&m=134254866602253&w=2)
20100405 ZDI-10-056: Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability (http://www.securityfocus.com/archive/1/510528/100/0/threaded)
SECUNIA-39317 (http://secunia.com/advisories/39317)
http://www.redhat.com/support/errata/RHSA-2010-0383.html
SECUNIA-40545 (http://secunia.com/advisories/40545)
ADV-2010-1454 (http://www.vupen.com/english/advisories/2010/1454)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13971
SECUNIA-39819 (http://secunia.com/advisories/39819)
ADV-2010-1107 (http://www.vupen.com/english/advisories/2010/1107)
http://www.redhat.com/support/errata/RHSA-2010-0338.html
ADV-2010-1793 (http://www.vupen.com/english/advisories/2010/1793)
APPLE-SA-2010-05-18-2 (http://lists.apple.com/archives/security-announce/2010//May/msg00002.html)
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
SECUNIA-43308 (http://secunia.com/advisories/43308)
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
SSRT100179 (http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751)
SSRT100089 (http://marc.info?l=bugtraq&m=127557596201693&w=2)
http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html
http://www.redhat.com/support/errata/RHSA-2010-0339.html
SECUNIA-39292 (http://secunia.com/advisories/39292)
http://support.apple.com/kb/HT4170
ADV-2010-1523 (http://www.vupen.com/english/advisories/2010/1523)
http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
SECUNIA-39659 (http://secunia.com/advisories/39659)
http://www.redhat.com/support/errata/RHSA-2010-0471.html
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
USN-923-1 (http://ubuntu.com/usn/usn-923-1)
http://www.vmware.com/security/advisories/VMSA-2011-0003.html
http://www.redhat.com/support/errata/RHSA-2010-0337.html
http://www.redhat.com/support/errata/RHSA-2010-0489.html
SECUNIA-40211 (http://secunia.com/advisories/40211)
http://support.apple.com/kb/HT4171
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9974
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084
20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX (http://www.securityfocus.com/archive/1/516397/100/0/threaded)
ADV-2010-1191 (http://www.vupen.com/english/advisories/2010/1191)
Miscellaneous
http://www.zerodayinitiative.com/advisories/ZDI-10-056

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis