Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Oracle Java SE and OpenJDK 7, 6, and 5.0 Runtime Environment 2D Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability has been identified in the Java Runtime Environment (JRE) component of Oracle Java SE versions 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, as well as in OpenJDK 7. It allows remote attackers to affect confidentiality, integrity, and availability through unknown vectors related to 2D image processing. Specifically, image channels are verified incorrectly, which can be leveraged to bypass the Java sandbox in certain scenarios.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation by allowing code to modify or remove the security manager, potentially executing arbitrary code with elevated rights.

Remediation

Users can upgrade to the latest version of Oracle Java SE or OpenJDK. The specific patched versions for Oracle Java are included in the Red Hat Security Advisories RHSA-2014:0414 and RHSA-2014:0416. Instructions for upgrading can be found in these advisories.

Added: May 15, 2026, 1:07 PM
Updated: May 15, 2026, 1:07 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 4.8
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.