Full Disclosure mailing list archives
[SE-2012-01] New security issues affecting Oracle's Java SE 7u15 (updated)
From: Security Explorations <contact () security-explorations com>
Date: Thu, 28 Feb 2013 09:39:03 +0100
Hello All,

This is an updated re-post of our original message from Feb 25, 2012 (original message didn't hit the list for some technical reasons).

---

We had yet another look into Oracle's Java SE 7 software that was released by the company on Feb 19, 2013. As a result, we have discovered two new security issues (numbered 54 and 55), which when combined together can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03).

Following our Disclosure Policy [1], we provided Oracle with a brief technical description of the issues found along with a working Proof of Concept code that illustrates their impact.

Both new issues are specific to Java SE 7 only. They allow one to abuse the Reflection API in a particularly interesting way.

Without going into further details, everything indicates that the ball is in Oracle's court. Again.

[Update from Feb 28, 2012]

Yesterday, Oracle provided us with the results of its analysis of the received material [2]. The company informed us that:

a) Issue 54 is not treated as a vulnerability as it demonstrates the "allowed behavior",
b) Issue 55 was confirmed by the company.

We disagree with Oracle's assessment regarding Issue 54. There is a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception. That alone seems to be enough to contradict the "allowed behavior" claim by the company (is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?).

If Oracle sticks to their assessment we'll have no choice other than to publish details of Issue 54 (similarly to Apple's case [3]).

The above does not influence the impact of the attack found. Full sandbox bypass under Java SE 7 Update 15 was officially confirmed by the vendor (a combination of "allowed behavior" and a bug according to Oracle).

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Security Explorations - Disclosure Policy
    http://www.security-explorations.com/en/disclosure-policy.html
[2] SE-2012-01 Vendors status
    http://www.security-explorations.com/en/SE-2012-01-status.html
[3] SE-2012-01 Press Info (2)
    http://www.security-explorations.com/en/SE-2012-01-press2.html