Bugtraq mailing list archives
[SE-2012-01] New security issues affecting Oracle's Java SE 7u15
From: Security Explorations <contact () security-explorations com>
Date: Mon, 25 Feb 2013 09:04:58 +0100
Hello All,

We had yet another look into Oracle's Java SE 7 software that was released by the company on Feb 19, 2013. As a result, we have discovered two new security issues (numbered 54 and 55), which when combined together can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03).

Following our Disclosure Policy [1], we provided Oracle with a brief technical description of the issues found along with a working Proof of Concept code that illustrates their impact.

Both new issues are specific to Java SE 7 only. They allow abuse of the Reflection API in a particularly interesting way.

Without going into further details, everything indicates that the ball is in Oracle's court. Again.

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Security Explorations - Disclosure Policy
    http://www.security-explorations.com/en/disclosure-policy.html