Full Disclosure mailing list archives
Re: [SE-2012-01] Details of issues fixed by Java SE 7 Update 21
From: Security Explorations <contact () security-explorations com>
Date: Wed, 17 Apr 2013 13:33:12 +0200
Hello All,

We wanted to add the following information to our yesterday's post.

We've learned that RedHat's Bugzilla associates CVE-2013-1537 [1] with the RMI issue allowing for remote loading and execution of arbitrary Java code on servers [2].

It looks like Oracle has finally patched the RMI vulnerability that was known to the vendor since 2005. What's also interesting is that a fix for it is now highlighted by Oracle as a new security feature of Java [3].

We can't decide what is more surprising to us:
1) finding out that Oracle finally admitted that Java security issues could affect servers as well (so far the Plugin was the source of all evilness),
2) learning that at Oracle, "every developer is a security rifleman", "trained on security" [4].

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] CVE-2013-1537 OpenJDK: remote code loading enabled by default
    https://bugzilla.redhat.com/show_bug.cgi?id=952387
[2] "Security Vulnerabilities in Java SE", technical report
    http://www.security-explorations.com/materials/se-2012-01-report.pdf
[3] Java SE 7 Update 21 Release and more
    https://blogs.oracle.com/java/entry/java_se_7_update_21
[4] Oracle Secures Java with 41 Updates, Code Signing
    http://www.esecurityplanet.com/network-security/oracle-secures-java-with-41-updates-code-signing.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [SE-2012-01] Details of issues fixed by Java SE 7 Update 21 Security Explorations (Apr 16)
- Re: [SE-2012-01] Details of issues fixed by Java SE 7 Update 21 Security Explorations (Apr 17)