
Oracle Java Reflection API Vulnerability

Last Update Date: 25 Apr 2013 10:41
Release Date: 25 Apr 2013

RISK: High Risk

TYPE: Operating Systems - Application Platforms

TYPE: Application Platforms

A vulnerability has been identified in Oracle Java. A remote user can cause arbitrary code to be executed on the target user's system.


A remote user can create a specially crafted Java application that, when loaded and approved by the target user, will trigger a flaw in the Reflection API to bypass the security sandbox.


Java Server JRE is also affected.


Note: Vendor patch is currently unavailable.


Impact

  • Remote Code Execution

System / Technologies affected

  • Version 7 Update 21 and before

Solutions

[1]  Note: Vendor patch is currently unavailable.


[2]  Please use workarounds:


  • Java 7 update 10 or later:

    Disable Java in web browsers.
    http://www.java.com/en/download/help/disable_browser.xml


    It is recommended to have the latest version of Java installed.
    http://java.com/en/download/faq/remove_olderversions.xml

  • Prior to Java 7 update 10:

    If you are using Internet Explorer with an older version of Java, you can disable Java by following these steps:
    1. In the Windows Control Panel, change the View setting to "Classic View" (Windows XP and Windows Vista) or "Large icons" (Windows 7).
    2. Open the Java item and select the "Advanced" tab. Under "Default Java for Browser", click "+" to expand the options.
    3. Select "Microsoft Internet Explorer", then press the Space key to uncheck the selection.

    For other browsers and OS, please refer to the following URL:
    /my_url/en/blog/12082902#howtoprotect

  • Verify Java is disabled:
    Once Java is disabled, restart your browsers and verify that Java is no longer detected via the following link.
    http://java.com/en/download/installed.jsp
  • Only enable Java temporarily, on trusted sites (e.g. government and bank sites) and only when necessary. Do not browse any other websites while Java is enabled, and disable it immediately after use.
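The workarounds above are carried out through the Java Control Panel and a browser check page. The following script is an added example (not part of this advisory, nor Oracle's tooling) that lets an administrator audit a machine the same way from the command line: it parses the output of `java -version` to decide whether the installed release is in the affected range ("Version 7 Update 21 and before"), and it reads a Java `deployment.properties` file to confirm that the browser plug-in has been switched off. The property name `deployment.webjava.enabled` is not mentioned on this page; it is the setting Java 7 Update 10 and later use for the "Enable Java content in the browser" switch, and its file location is assumed per user (for example `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties` on Windows). The sample inputs are constructed.

```python
"""Audit helper for the Java workaround: is the installed release in the
affected range, and has the browser plug-in been disabled?
Added example; not taken from the advisory or from Oracle."""
import re
import subprocess
from typing import Dict, Optional, Tuple

# "Version 7 Update 21 and before" (from the advisory), as a (major, update) pair.
AFFECTED_MAX = (7, 21)

# Constructed sample output of `java -version` (Java prints it to stderr).
SAMPLE_VERSION_OUTPUT = (
    'java version "1.7.0_21"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n'
)

# Constructed sample deployment.properties after disabling Java in browsers.
# The key name is an assumption based on Java 7u10+ and is not on the advisory page.
SAMPLE_DEPLOYMENT_PROPERTIES = (
    "#deployment.properties\n"
    "deployment.webjava.enabled=false\n"
    "deployment.webjava.enabled.locked\n"
)


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a 1.x-style version line such as
    'java version "1.7.0_21"'. Returns None if no such line is present
    (e.g. Java is not installed, or a newer 9+ version scheme is in use)."""
    match = re.search(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"', output)
    if not match:
        return None
    major = int(match.group(1))
    update = int(match.group(2) or 0)
    return major, update


def is_affected(version: Tuple[int, int]) -> bool:
    """True when the release is 7 Update 21 or earlier (tuple comparison,
    so older major versions also count as 'before')."""
    return version <= AFFECTED_MAX


def parse_deployment_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for deployment.properties; '#' lines are
    comments and bare keys without '=' (such as the '.locked' markers) are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def browser_java_disabled(props: Dict[str, str]) -> bool:
    """True only when the plug-in switch is explicitly set to false;
    a missing key means the default (enabled) still applies."""
    return props.get("deployment.webjava.enabled", "true").lower() == "false"


def audit(version_output: str, properties_text: str) -> Dict[str, object]:
    """Combine both checks into one report for a host."""
    version = parse_java_version(version_output)
    props = parse_deployment_properties(properties_text)
    return {
        "java_version": version,
        "affected_release": version is not None and is_affected(version),
        "browser_plugin_disabled": browser_java_disabled(props),
    }


def live_java_version_output() -> str:
    """Run the real `java -version` on this host; empty string if Java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    # Demonstrate with the constructed samples; swap in live_java_version_output()
    # and the contents of the real deployment.properties for an actual host.
    print(audit(SAMPLE_VERSION_OUTPUT, SAMPLE_DEPLOYMENT_PROPERTIES))
```

A host passes the audit only when `affected_release` is false or `browser_plugin_disabled` is true; the second condition is the one this advisory's workaround establishes, since no vendor patch is available at the time of writing.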


[4]  Security best practices

  • As a security best practice, you should not install any software that you do not require. If you are not sure whether you need Java, you can follow the steps in the workaround section to disable Java for a while and confirm that nothing you use depends on it before you uninstall it.

Vulnerability Identifier

  • No CVE information is available

Source


Related Link