The vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).
"This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits," the department's Computer Emergency Readiness Team said in a notice on its website.
"We are currently unaware of a practical solution to this problem."
The recommended solution was to disable Java, which typically runs as a plug-in program in web browsers.
"A fix will be available shortly," Oracle said in a statement released late on Friday.
Oracle added that the recently discovered flaw only affects Java 7, the program's most-recent version, and Java software designed to run on browsers.