According to SECLISTS, they found that the new Reflection API did not undergo a very safe review when introducing Java SE 7, and there was a very large vulnerability.
This vulnerability allows hackers to use a widely known method 10 years ago to attack Java virtual machines. The Reflection API in Java SE 7 does not adopt the appropriate protection mechanism to prevent this attack.
SECLISTS's conceptual verification code for this vulnerability was successfully exploited in Java SE 7 Update 25 (1.7.0 _ 25-f8. This code can intrude into JVM security features: type system security. In this way, a complete and reliable Java Security Sandbox branch can obtain a vulnerability instance of the Java SE software.
Oracle published a blog post in May 2013 saying that Java security should be maintained first. Today, Java frequently exposes vulnerabilities, which also seems to indicate that the development and implementation of Oracle security policies are not sound and imperfect.
For more information about the vulnerability, visit the official website.
From: SECLISTS. ORG
Java 7 Update 21 fix vulnerabilities and change applet warning information