Oracle Java Web Start Command Argument Injection Remote Code Execution
TSL ID TSL20120214-01
CVE ID(s) CVE-2012-0500
Severity High
Description

A remote code execution vulnerability exists in Oracle Java Web Start. The vulnerability is due to improper parsing of JNLP XML documents. By crafting a malicious XML document, an attacker can inject unexpected parameters into the java process to achieve remote code execution.

A remote, unauthenticated attacker can exploit this vulnerability by enticing a target user to open a crafted Java Web Start application. Successful exploitation can lead to execution of arbitrary code with the security privileges of the target user.

Oracle has released an advisory and patches regarding this vulnerability:

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

Affected Products
  • Oracle Java Development Kit (JDK) 6 Update 30 and prior
  • Oracle Java Development Kit (JDK) 7 Update 2 and prior
  • Oracle JavaFX 2.0.2 and prior
  • Oracle Java Runtime Environment (JRE) 6 Update 30 and prior
  • Oracle Java Runtime Environment (JRE) 7 Update 2 and prior
CVSS Score Base 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 5.6 (E:F/RL:OF/RC:C):
  • The exploitability level of this vulnerability is FUNCTIONAL
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
BID
OSVDB
ZDI
References
http://dev.metasploit.com/redmine/projects/framework/repository/revisions/e262d7a7ffc9331135300cf2ff1e678a7312ed58/entry/modules/exploits/windows/browser/java_ws_vmargs.rb
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html