CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2012-0507

CVSS 9.8v3.1pub. 2012-06-07upd. 2026-04-22

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Debian

    OS
    Debian
    6.07.0
  • Oracle Jre

    APP
    Oracle
    1.6.01.7.0
  • Sun Jre

    APP
    Sun
    1.5.01.6.0
  • SUSE Linux Enterprise Desktop

    OS
    Suse
    10
  • SUSE Linux Enterprise Java

    OS
    Suse
    1011
  • SUSE Linux Enterprise Server

    OS
    Suse
    1011
  • SUSE Linux Enterprise Software Development Kit

    OS
    Suse
    11

CISA KEV — detailsi

Vendori
Oracle
Producti
Java SE
Added to KEVi
March 3, 2022
Remediation deadline (US Federal)i
March 24, 2022(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

An incorrect type vulnerability exists in the Concurrency component of Oracle's Java Runtime Environment allows an attacker to remotely execute arbitrary code.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 24 marca 2022
Tags
DoS
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki