What is Oracle Java Runtime Environment (JRE)?
The Java Runtime Environment (JRE), developed by Sun Microsystems and later Oracle, provided a cross-platform runtime for Java applications. The Java browser plugin — installed by the JRE on hundreds of millions of computers worldwide — allowed web browsers to run Java "applets" directly within web pages. Java applets ran within the "Java sandbox," a security model designed to restrict what untrusted code downloaded from the web could access. However, the Java sandbox's complexity and the vast attack surface of the Java runtime libraries made sandbox escapes a recurring vulnerability class throughout the 2000s and early 2010s. Java browser exploits were among the most widely used attack vectors in criminal exploit kits from 2008 to 2013.
Overview
CVE-2010-0840 is an unspecified vulnerability in the Java Runtime Environment component of Oracle Java SE, rated CVSS 3.1 9.8 (Critical) by NVD. Oracle's advisory says only that it allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, the vendor's standard wording for a Java sandbox escape that yields remote code execution when a user visits a malicious web page with a Java-capable browser. Oracle patched it in the Java SE Critical Patch Update released on 30 March 2010 (the March 2010 CPU). CISA added it to the KEV catalog in May 2022.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Java SE JDK and JRE 6 Update 18 and earlier | Affected | Update to 6 Update 19 |
| Java SE JDK and JRE 5.0 Update 23 and earlier | Affected | Update to 5.0 Update 24 |
| Java SE JDK and JRE 1.4.2_25 and earlier | Affected | Update to 1.4.2_26 |
Note: Java SE 5 and 6 are long past end-of-life. Java browser plugins are no longer supported in modern browsers.
Technical Details
Oracle's advisory gives no technical details. Publicly, CVE-2010-0840 is documented as a "trusted method chaining" sandbox escape (it is the issue behind the Metasploit browser module java_trusted_chain), and the general design of the Java sandbox explains why that class of bug is so damaging. Applets run under a SecurityManager whose checks delegate to AccessController.checkPermission. That method walks the call stack and requires every frame's ProtectionDomain to grant the requested permission; the walk stops early only at a frame that invoked AccessController.doPrivileged, which is how trusted JRE code performs privileged work on behalf of its callers. Classes loaded from an applet belong to a domain with almost no permissions, so a sensitive operation with an applet frame on the stack is denied. Sandbox escapes therefore aim either to get a sensitive operation executed with no untrusted frame on the stack, or to disable the checks outright:
- Reflection API abuse: using reflection, often through a trusted intermediary that holds higher privileges, to reach restricted classes, fields, or methods and sidestep the SecurityManager check
- Type confusion: exploiting a bytecode verifier or JIT flaw so that one object is treated as another type, which turns into arbitrary memory read and write inside the JVM process
- Class loader manipulation: abusing a flaw in class loading, or in a trusted loader's permissions, so that attacker-supplied classes are defined in a trusted ProtectionDomain
- Trusted method chaining: arranging for trusted system classes to issue the sensitive call on the applet's behalf, so that when the stack walk runs it finds only trusted frames and the permission check passes
Whatever the route, a working escape usually finishes by disabling the SecurityManager (System.setSecurityManager(null)) or by dropping and running a native payload. The applet then executes arbitrary code with the privileges of the user running the browser, typically a standard Windows desktop user.
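The stack-walk rule above can be observed directly. The program below is an added example written for this page, not code from Oracle or from any exploit; SandboxDemo, readSensitive, trustedHelper and the /etc/passwd path are illustrative names. It runs the same sensitive call twice under a ProtectionDomain that holds no permissions (a stand-in for an applet's domain): once directly, and once through a trusted method that wraps the call in doPrivileged. The second path succeeds because doPrivileged cuts the stack walk off before the untrusted caller is reached, which is exactly the property that trusted method chaining exploits on a larger scale.

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class SandboxDemo {

    // Stand-in for an applet's domain: a static ProtectionDomain with an empty
    // permission set. Domains built with this constructor never consult the Policy.
    private static final AccessControlContext UNTRUSTED = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Stand-in for a sensitive JRE operation guarded by a permission check.
    // checkPermission walks the stack: every frame's domain must grant the permission.
    static String readSensitive() {
        AccessController.checkPermission(new FilePermission("/etc/passwd", "read"));
        return "contents of /etc/passwd";
    }

    // Stand-in for a trusted library method that does privileged work for callers.
    // doPrivileged stops the stack walk at this frame, so the frames above it
    // (including an untrusted caller) are no longer consulted.
    static String trustedHelper() {
        return AccessController.doPrivileged((PrivilegedAction<String>) SandboxDemo::readSensitive);
    }

    // Run the action with the UNTRUSTED domain added to the effective context,
    // which is how an applet-loaded class appears to the access controller.
    static String attempt(String label, PrivilegedAction<String> action) {
        try {
            return label + ": ALLOWED (" + AccessController.doPrivileged(action, UNTRUSTED) + ")";
        } catch (AccessControlException e) {
            return label + ": DENIED (" + e.getPermission() + ")";
        }
    }

    public static void main(String[] args) {
        // Grant everything to this program's own (trusted) domain so that only the
        // UNTRUSTED domain can cause a denial. Assumption: a permissive Policy is
        // acceptable for a demo; never do this in real code.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println(attempt("direct call from untrusted code", SandboxDemo::readSensitive));
        System.out.println(attempt("same call via a trusted doPrivileged helper", SandboxDemo::trustedHelper));
    }
}
```

Compile and run with `javac SandboxDemo.java && java SandboxDemo` on Java 8 to 17 (Java 17 prints deprecation warnings). Java 18 to 23 additionally require `-Djava.security.manager=allow`, and JDK 24 disables the SecurityManager permanently, so the demo cannot run there. The first line reports the FilePermission denial; the second reports success, because the only frames between the check and the nearest doPrivileged belong to the trusted domain. A real trusted method chain achieves the same outcome without any cooperating doPrivileged helper, by having trusted code make the final call on its own.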
The Network attack vector (AV:N) reflects that a page with embedded malicious Java content was enough to trigger exploitation: the browser fetched and ran the applet with no download or file-open step. Note that NVD scores User Interaction as None (UI:N) even though the victim had to load the page; under a strict CVSS 3.1 reading that is UI:R, which would put the score at 8.8 rather than 9.8. Treat 9.8 as NVD's published figure, not as a claim that exploitation needed no victim action at all.
Discovery
Oracle credited Sami Koivu with reporting CVE-2010-0840. The trusted method chaining technique behind it was subsequently described publicly and implemented as a Metasploit browser module (java_trusted_chain), which is a large part of why the bug was so widely exploited. Oracle's quarterly Critical Patch Update cycle addressed Java SE sandbox vulnerabilities alongside database and middleware issues, and the 9.8 score reflects how straightforward remote exploitation of a Java applet sandbox escape was in practice.
Exploitation Context
Java browser plugin vulnerabilities were among the most extensively exploited software vulnerabilities from 2008 to 2013:
- Exploit kit dominance: Java sandbox exploits were the most reliably effective modules in criminal exploit kits (Blackhole, Neutrino, Magnitude). A website visit from a browser with an outdated Java plugin was frequently sufficient for automatic malware installation.
- Universal deployment: Java was installed on roughly 850 million computers worldwide during this era. JRE updates were slow to propagate — users rarely updated Java unless prompted, and many enterprise environments locked JRE versions for application compatibility reasons.
- Drive-by malware delivery: Ransomware, banking trojans, and botnet installers were routinely delivered via Java sandbox exploits — the victim needed only to visit a compromised or malicious website.
- Corporate exploitation: Enterprise environments that locked JRE versions for application compatibility maintained outdated, vulnerable Java installations on thousands of workstations — a reliable source of compromised machines for attackers.
- Java plugin retirement: The Java browser plugin was eventually deprecated in JDK 9 (2017) and removed in JDK 11 (2018), following years of sustained exploitation that made it untenable from a security perspective.
Remediation
- Apply the Oracle Java SE Critical Patch Update of 30 March 2010: update JRE to 6 Update 19, 5.0 Update 24, or 1.4.2_26 for the 1.4.2 line.
- Upgrade to current Java: Java SE 5 and 6 are end-of-life. Upgrade to current LTS Java releases (Java 17 or Java 21).
- Remove the Java browser plugin: The Java browser plugin has been removed from modern Java versions and modern browsers no longer support NPAPI plugins. Remove any legacy Java plugin installations.
- Disable Java in browsers: If the Java browser plugin cannot be removed, disable it in all browser security settings.
- Java application inventory: Identify any remaining business applications that use the Java browser plugin and plan migration to modern alternatives.
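An inventory pass needs a reliable way to decide whether a given JRE is at or below the affected updates, and Java version strings are a known pitfall (the legacy 1.x.y_NN scheme of JRE 1.4 to 8 versus the post-Java-9 scheme). The following checker is an added example for this page, not an Oracle tool; JreVersionCheck and assess are illustrative names, and the fixed update numbers are taken from the advisory. Run it on each candidate JRE with no arguments to assess that runtime, or pass version strings collected from a fleet.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JreVersionCheck {

    // Fixed releases for CVE-2010-0840 (from the advisory): family 6 -> Update 19,
    // family 5 -> Update 24, 1.4.2 line -> 1.4.2_26. Java 7 (2011) and later never shipped the bug.
    private static final int FIXED_6 = 19, FIXED_5 = 24, FIXED_142 = 26;

    // Legacy scheme used by JRE 1.4 through 8: 1.<family>.<minor>[_<update>][-<build>]
    private static final Pattern LEGACY = Pattern.compile("^1\\.(\\d+)\\.(\\d+)(?:_(\\d+))?");
    // Post-Java-9 scheme: <family>[.<minor>[.<security>]][+build]
    private static final Pattern MODERN = Pattern.compile("^(\\d+)(?:\\.\\d+)*");

    // Returns a one-line verdict for a java.version-style string.
    public static String assess(String version) {
        String v = version.trim();
        Matcher m = LEGACY.matcher(v);
        if (m.find()) {
            int family = Integer.parseInt(m.group(1));
            int minor = Integer.parseInt(m.group(2));
            // "1.6.0" with no _NN suffix is the initial release, i.e. Update 0.
            int update = m.group(3) == null ? 0 : Integer.parseInt(m.group(3));
            switch (family) {
                case 6: return verdict(v, update < FIXED_6, "6 Update " + FIXED_6);
                case 5: return verdict(v, update < FIXED_5, "5.0 Update " + FIXED_5);
                case 4:
                    if (minor == 2) return verdict(v, update < FIXED_142, "1.4.2_" + FIXED_142);
                    return v + ": 1.4.x before 1.4.2 received no fix and is end-of-life; treat as VULNERABLE";
                case 7: case 8: return v + ": NOT AFFECTED (family released after the fix)";
                default: return v + ": family 1." + family + " predates the affected releases and is end-of-life; replace";
            }
        }
        m = MODERN.matcher(v);
        if (m.find() && Integer.parseInt(m.group(1)) >= 9) {
            return v + ": NOT AFFECTED (Java " + m.group(1) + ", post-Java-9 version scheme)";
        }
        return v + ": unrecognised version string; inspect manually";
    }

    private static String verdict(String v, boolean vulnerable, String fixed) {
        return v + (vulnerable ? ": VULNERABLE, update to " + fixed : ": patched (at or above " + fixed + ")");
    }

    public static void main(String[] args) {
        // With no arguments, assess the JRE this tool is running on.
        String[] inputs = args.length > 0 ? args : new String[] { System.getProperty("java.version") };
        for (String s : inputs) System.out.println(assess(s));
    }
}
```

For example, `java JreVersionCheck 1.6.0_18-b07 1.6.0_19 1.5.0_24 1.4.2_25 17.0.2` flags the first and fourth strings as vulnerable. Parsing the legacy scheme explicitly matters: a naive string comparison treats "1.6.0_19" as less than "1.6.0_2", and the "-bNN" build suffix must be ignored rather than parsed as part of the update number.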
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2010-0840 |
| Vendor / Product | Oracle — Java Runtime Environment (JRE) |
| NVD Published | 2010-04-01 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2022-05-25 |
| CISA KEV Deadline | 2022-06-15 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value | Meaning for this CVE |
|---|---|---|
| Attack Vector (AV) | Network (N) | Triggered from a remote web page served to the browser |
| Attack Complexity (AC) | Low (L) | No race, configuration, or reconnaissance prerequisite |
| Privileges Required (PR) | None (N) | No account or credential on the victim system |
| User Interaction (UI) | None (N) | As scored by NVD; in practice the victim still had to load the page |
| Scope (S) | Unchanged (U) | Impact limited to the browser user's security authority |
| Confidentiality / Integrity / Availability | High (H) | Arbitrary code execution as the logged-in user |
Required Action
Per the CISA KEV catalog: apply updates per vendor instructions. For any remaining Java SE 5 or 6 installation that means the remediation steps above; where the JRE cannot be updated, remove or disable the browser plugin.
Timeline
| Date | Event |
|---|---|
| 2010-03-30 | Oracle released the Java SE Critical Patch Update (March 2010 CPU) addressing multiple Java SE vulnerabilities, including CVE-2010-0840 |
| 2010-04-01 | CVE-2010-0840 published |
| 2022-05-25 | CISA added to KEV — reflecting continued exploitation of legacy JRE installations |
| 2022-06-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2010-0840 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |