
List:       full-disclosure
Subject:    [Full-disclosure] [SE-2012-01] New security issues affecting Oracle's Java SE 7u15 (updated)
From:       Security Explorations <contact () security-explorations ! com>
Date:       2013-02-28 8:39:03
Message-ID: 512F17A7.2080904 () security-explorations ! com


Hello All,

This is an updated re-post of our original message from Feb 25,
2012 (original message didn't hit the list for some technical
reasons).

---

We had yet another look into Oracle's Java SE 7 software that
was released by the company on Feb 19, 2013. As a result, we
have discovered two new security issues (numbered 54 and 55),
which when combined together can be successfully used to gain
a complete Java security sandbox bypass in the environment of
Java SE 7 Update 15 (1.7.0_15-b03).

Following our Disclosure Policy [1], we provided Oracle with
a brief technical description of the issues found along with
a working Proof of Concept code that illustrates their impact.

Both new issues are specific to Java SE 7 only. They allow the
Reflection API to be abused in a particularly interesting way.

Without going into further details, everything indicates that
the ball is in Oracle's court. Again.

[Update from Feb 28, 2012]
Yesterday, Oracle provided us with the results of its analysis
of the received material [2]. The company informed us that:
a) Issue 54 is not treated as a vulnerability as it demonstrates
    the "allowed behavior",
b) Issue 55 was confirmed by the company.

We disagree with Oracle's assessment regarding Issue 54. There
is a mirror case corresponding to Issue 54 that leads to an access
denied condition and a security exception. That alone seems to
be enough to contradict the "allowed behavior" claim by the
company (is it possible to claim a non-security vulnerability
when access is denied for a public API, but allowed for some
private code path?).

If Oracle sticks to their assessment we'll have no choice but
to publish details of Issue 54 (similarly to Apple's case [3]).

The above does not influence the impact of the attack found.
Full sandbox bypass under Java SE 7 Update 15 was officially
confirmed by the vendor (a combination of "allowed behavior"
and a bug according to Oracle).

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Security Explorations - Disclosure Policy
     http://www.security-explorations.com/en/disclosure-policy.html
[2] SE-2012-01 Vendors status
     http://www.security-explorations.com/en/SE-2012-01-status.html
[3] SE-2012-01 Press Info (2)
     http://www.security-explorations.com/en/SE-2012-01-press2.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/