Java bug CVE-2012-4681

There seems to be a nasty bug out there in some implementations of Java 7, including IcedTea7 and OpenJDK7. The bug is very public and being actively abused to circumvent security restrictions. Please upgrade to IcedTea 2.3.1 or build your packages using the patch as discussed on the OpenJDK mailinglists.

Note that if you are using the icedtea-web applet viewer then you are not directly vulnerable to the exploits as currently out there in the wild since those try to disable the SecurityManager completely and icedtea-web doesn’t allow that (some proprietary applet plugins do allow that though). But there are other ways to abuse this bug to circumvent security restrictions in a more subtle way, so patching is still very recommended.


  1. kiakli says:

    SELinux is not a good option in this case? To stop a possible attack…

  2. Thanks Mark for the great summary!

  3. lechu says:

    What about debian squeezy and opendjdk whitout icedtea?