CVE-2013-2423 — Oracle JRE Unspecified Vulnerability

CVE-2013-2423

Oracle Java SE: HotSpot Integrity Vulnerability, Reported as a MethodHandles Permission-Check Bypass That Lets Untrusted Code Modify Public Final Fields

What is Oracle Java SE?

Oracle Java SE (Standard Edition) includes the Java HotSpot virtual machine, which compiles and executes Java bytecode for desktop and enterprise applications. The JVM enforces the Java security model: untrusted code (such as browser applets or remotely loaded classes) runs under a security manager with restricted permissions. That model depends on the VM and the core libraries applying their own access rules consistently, including that a final field, once initialised, cannot be rewritten, and that the reflective routes around normal access checks (java.lang.reflect and the java.lang.invoke method-handle API) are subject to the same permission checks as directly compiled code. A gap in any one of those routes gives sandboxed code a way to alter state that trusted code treats as an invariant.

Overview

CVE-2013-2423 is a vulnerability in the HotSpot component of Oracle Java SE that Oracle's advisory describes only as "unspecified", remotely exploitable and affecting integrity. The NVD entry adds that the original researcher described it as a bypass of permission checks in the MethodHandles API that lets untrusted code modify arbitrary public final fields through reflection and type confusion; Oracle did not comment on that description. The CVSS 3.1 score is low (3.7) with an integrity-only impact and no confidentiality or availability impact, which reflects a narrow access-check bypass rather than a complete sandbox escape on its own.

Oracle patched this in the April 2013 Critical Patch Update, delivering the fix in Java SE 7u21. The same CPU also shipped Java SE 6u45 and 5u45 for other issues, but Oracle's risk matrix lists only Java SE 7 Update 17 and earlier as affected by this CVE (NVD adds OpenJDK 7); the MethodHandles API the researcher's description refers to did not exist before Java 7.

Affected Versions

Product            Vulnerable Versions                        Fixed Version
Java SE 7          7u17 and earlier                           7u21
Java SE Embedded   7u17 and earlier                           7u21
OpenJDK 7          builds predating the April 2013 fix        distribution updates carrying the 7u21 fix

Technical Details

In the Java object model a final field is assigned exactly once and is never meant to be reassigned. The compiler, the bytecode verifier and the reflection API all rely on this: javac rejects assignments outside the initialiser, the VM rejects putfield/putstatic on a final field from anywhere other than the declaring class's constructor or static initialiser, and java.lang.reflect.Field.set refuses to write a final field unless the caller first suppresses access checks, which requires a ReflectPermission the applet sandbox does not grant. Trusted code therefore treats public final fields as invariants, and some of them (singletons, configuration limits, references to trusted objects) are security-relevant.

According to the researcher's description recorded in NVD, CVE-2013-2423 let untrusted code bypass the permission checks in the MethodHandles API and, combined with type confusion, modify arbitrary public final fields. Oracle's own text attributes the issue only to HotSpot and rates the impact as integrity-only. The CVSS metrics (Integrity: Low, no confidentiality impact) match that picture: the attacker can change protected values but, through this bug alone, neither reads them nor executes arbitrary code.

Security model context: This class of vulnerability is important in the Java browser applet threat model where untrusted applet code runs in the same JVM process as the security manager. Even a partial security model bypass can be chained with other vulnerabilities to construct a full sandbox escape. The April 2013 CPU that fixed this also patched multiple other Java security manager issues.

Attack Complexity: High: The AC:H rating in the CVSS 3.1 vector reflects that the bypass requires a carefully constructed sequence of reflection and method-handle operations rather than a single call, and that a lone final-field write has to be chained with something else before it yields a useful outcome for the attacker.
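The guard this vulnerability is reported to have bypassed can be exercised from ordinary Java code. The class below is an added illustration written for this page, not code from Oracle or from the advisory: it tries the three routine ways code might overwrite a public static final field and reports how the JVM refuses each one. The Limits class and its MAX_UPLOAD_BYTES field are hypothetical. On a JVM that enforces final-field and reflection checks (7u21 and every later release) every route is refused; the probe contains none of the type-confusion steps the researcher described and does not reproduce the bug.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.Field;

/**
 * Added illustration for this page (not Oracle's code and not part of the advisory).
 * Tries the three routine ways code might overwrite a public static final field and
 * reports how the JVM refuses each one. The Limits class is hypothetical.
 */
public final class FinalFieldGuardCheck {

    /** Hypothetical holder of a security-relevant constant that untrusted code must not change. */
    public static final class Limits {
        // Initialised through a method call so javac does not inline it as a compile-time
        // constant; reads through liveValue() therefore show the actual static field.
        public static final int MAX_UPLOAD_BYTES = Integer.parseInt("1048576");
        private Limits() {}
    }

    private static final String TARGET = "MAX_UPLOAD_BYTES";
    private static final String ALLOWED = "ALLOWED (write went through)";

    /** Route 1: plain reflection. Field.set must refuse a final field outright. */
    static String probePlainReflection() {
        try {
            Field f = Limits.class.getField(TARGET);
            f.setInt(null, 0);
            return ALLOWED;
        } catch (ReflectiveOperationException e) {   // expected: IllegalAccessException
            return e.getClass().getSimpleName();
        }
    }

    /**
     * Route 2: suppress access checks first. Under a security manager this needs
     * ReflectPermission("suppressAccessChecks"), which sandboxed code is not granted;
     * without a security manager Field.set still refuses static final fields.
     */
    static String probeSuppressedAccessChecks() {
        try {
            Field f = Limits.class.getField(TARGET);
            f.setAccessible(true);          // SecurityException when sandboxed
            f.setInt(null, 0);              // IllegalAccessException otherwise
            return ALLOWED;
        } catch (SecurityException | ReflectiveOperationException e) {
            return e.getClass().getSimpleName();
        }
    }

    /**
     * Route 3: a java.lang.invoke setter. The Lookup must refuse to build a setter for
     * a final field; the MethodHandles permission checks are the area the researcher's
     * description of CVE-2013-2423 concerns.
     */
    static String probeMethodHandleSetter() {
        try {
            MethodHandle setter = MethodHandles.lookup()
                    .findStaticSetter(Limits.class, TARGET, int.class);
            setter.invokeExact(0);
            return ALLOWED;
        } catch (Throwable t) {                // expected: IllegalAccessException
            return t.getClass().getSimpleName();
        }
    }

    /** Reads the live field value rather than an inlined constant. */
    static int liveValue() throws ReflectiveOperationException {
        return Limits.class.getField(TARGET).getInt(null);
    }

    public static void main(String[] args) throws Exception {
        // Put the probe itself under the default sandbox policy. JDK 18 to 23 need
        // -Djava.security.manager=allow for this call; JDK 24 and later always throw.
        try {
            System.setSecurityManager(new SecurityManager());
        } catch (UnsupportedOperationException e) {
            System.out.println("security manager unavailable on this JDK; continuing without it");
        }
        System.out.println("plain reflection:         " + probePlainReflection());
        System.out.println("suppressed access checks: " + probeSuppressedAccessChecks());
        System.out.println("method-handle setter:     " + probeMethodHandleSetter());
        System.out.println("MAX_UPLOAD_BYTES is still " + liveValue());
    }
}
```

Compile with javac and run directly; on JDK 18 to 23 add -Djava.security.manager=allow so the second route is refused by the sandbox (a SecurityException) rather than by Field.set's rule that static final fields are never writable (an IllegalAccessException). Either way, a run in which any line reports ALLOWED means the JVM is not enforcing the invariant the advisory is about.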

Discovery

Reported to Oracle privately and fixed in the April 2013 Critical Patch Update. The NVD entry records that the original researcher published a description of the issue (the MethodHandles permission-check bypass noted above) on which Oracle did not comment.

Exploitation Context

CISA's Known Exploited Vulnerabilities listing records that the vulnerability has been exploited in the wild. Although the bug in isolation is rated low (integrity only), Java security model bypasses of this kind were exactly what exploit kit authors wanted in 2013 as building blocks for chained sandbox escapes that end in arbitrary code execution. The timeframe coincided with peak Java exploit kit activity: Blackhole, Cool EK and Magnitude EK all maintained Java exploit libraries and incorporated newly patched Java vulnerabilities quickly after each Critical Patch Update.

Remediation

  1. Update to Java SE 7u21 or later; the April 2013 CPU fixes this and multiple other Java security issues
  2. Java SE 6 and 5 are not listed as affected by this CVE, but both are long past end of life (the same CPU shipped 6u45 and 5u45 for other issues); migrate to a supported Java release
  3. For browser applet use: Java browser plugin support has been removed from modern browsers and from current JDKs; disable or uninstall the Java browser plugin on any host that still has one
  4. For server-side Java: apply Java updates via your OS package manager or directly from Oracle
  5. Keep Java updated through automatic update mechanisms; Oracle ships Java fixes on a quarterly Critical Patch Update cadence (plus occasional out-of-band alerts), so a host that misses even one cycle falls behind by dozens of CVEs
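To check whether a host still runs a pre-fix Java 7, the version string from the java -version banner is enough. The function below is an added example for this page, not a tool from Oracle or CISA; the sample banners it is fed are constructed, and the only external command it uses for a live host is java itself.

```shell
#!/bin/sh
# Added example, not from the advisory or from Oracle: classify a `java -version`
# banner line as predating the CVE-2013-2423 fix (Java 7 below update 21) or not.
# Return codes: 0 = pre-7u21 Java 7 (still vulnerable), 1 = not affected,
#               2 = banner not understood.

java_pre_7u21() {
    banner=$1
    # The version string is the quoted token, e.g. 1.7.0_17 or 1.8.0_202.
    ver=$(printf '%s\n' "$banner" | sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p')
    [ -n "$ver" ] || return 2
    case $ver in
        1.7.0_*)
            upd=${ver#1.7.0_}
            upd=${upd%%[!0-9]*}       # drop build/vendor suffixes such as -b30 or -icedtea
            [ -n "$upd" ] || return 2
            [ "$upd" -lt 21 ] && return 0
            return 1 ;;
        1.7.0)                        # GA release with no update number
            return 0 ;;
        *)                            # Java 6 and earlier were not listed for this CVE;
            return 1 ;;               # Java 8 and later ship with the fix
    esac
}

# Convenience wrapper for the local host: feeds the first banner line to the classifier.
local_java_pre_7u21() {
    java_pre_7u21 "$(java -version 2>&1 | head -n 1)"
}

# Constructed sample banners exercising each branch.
for sample in \
    'java version "1.7.0_17"' \
    'openjdk version "1.7.0_21"' \
    'java version "1.7.0_09-icedtea"' \
    'java version "1.6.0_43"' \
    'java version "1.8.0_202"' \
    'openjdk version "17.0.9" 2023-10-17'
do
    rc=0
    java_pre_7u21 "$sample" || rc=$?
    case $rc in
        0) printf '%-42s pre-7u21: update to 7u21 or later\n' "$sample" ;;
        1) printf '%-42s not affected\n' "$sample" ;;
        *) printf '%-42s banner not understood\n' "$sample" ;;
    esac
done
```

Run local_java_pre_7u21 on each host (or pipe collected banners through java_pre_7u21) and treat exit status 0 as an open finding; status 2 means the banner format was not recognised and deserves a manual look rather than a pass.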

Key Details

Property              Value
CVE ID                CVE-2013-2423
Vendor / Product      Oracle Java SE (Java Runtime Environment, JRE), HotSpot component
NVD Published         2013-04-17
NVD Last Modified     2025-10-22
CVSS 3.1 Score        3.7
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity              LOW
CISA KEV Added        2022-05-25
CISA KEV Deadline     2022-06-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       None
Integrity             Low
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date         Event
2013-04-16   Oracle Critical Patch Update April 2013 released, patching CVE-2013-2423 in Java SE 7u21
2013-04-17   CVE-2013-2423 published
2022-05-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15   CISA BOD 22-01 remediation deadline

References

Resource                                   Type
NVD entry for CVE-2013-2423                Vulnerability Database
CISA KEV Catalog entry                     US Government
Oracle Critical Patch Update April 2013    Vendor Advisory