Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2016-0363

Disclosure Date: June 03, 2016
CVE-2016-0363
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) uses the invoke method of the java.lang.reflect.Method class in an AccessController doPrivileged block, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3009.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • ibm,
  • novell,
  • redhat

Products

  • enterprise linux desktop 6.0,
  • enterprise linux desktop 7.0,
  • enterprise linux hpc node supplementary 6.0,
  • enterprise linux hpc node supplementary 7.0,
  • enterprise linux server 6.0,
  • enterprise linux server 7.0,
  • enterprise linux server eus 6.7,
  • enterprise linux server eus 7.2,
  • enterprise linux server eus 7.3,
  • enterprise linux server eus 7.4,
  • enterprise linux server eus 7.5,
  • enterprise linux workstation 6.0,
  • enterprise linux workstation 7.0,
  • java sdk,
  • satellite 5.6,
  • satellite 5.7,
  • suse linux enterprise module for legacy software 12,
  • suse linux enterprise server 11.0,
  • suse linux enterprise server 12.0,
  • suse linux enterprise software development kit 11.0,
  • suse linux enterprise software development kit 12.0,
  • suse manager 2.1,
  • suse manager proxy 2.1,
  • suse openstack cloud 5

References

Canonical
CVE-2016-0363 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0363)
BID-85895 (http://www.securityfocus.com/bid/85895)
Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21980826
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html
http://rhn.redhat.com/errata/RHSA-2016-1039.html
http://rhn.redhat.com/errata/RHSA-2016-0701.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html
https://access.redhat.com/errata/RHSA-2016:1430
http://rhn.redhat.com/errata/RHSA-2016-0708.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html
20160405 Re: [SE-2012-01] Broken security fix in IBM Java 7/8 (http://seclists.org/fulldisclosure/2016/Apr/20)
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.html
http://rhn.redhat.com/errata/RHSA-2016-0716.html
SECTRACK-1035953 (http://www.securitytracker.com/id/1035953)
20160404 [SE-2012-01] Broken security fix in IBM Java 7/8 (http://seclists.org/fulldisclosure/2016/Apr/3)
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html
http://rhn.redhat.com/errata/RHSA-2016-0702.html
https://access.redhat.com/errata/RHSA-2017:1216
IX90172 (http://www-01.ibm.com/support/docview.wss?uid=swg1IX90172)
Miscellaneous
http://www.security-explorations.com/materials/SE-2012-01-IBM-4.pdf

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis