SE-2012-01 Press Info

02 April 2012, Poznan, Poland

Security Explorations, a security and vulnerability research company from Poland, discovered multiple security issues in the latest version of Java Platform Standard Edition (Java SE) [1] software coming from Oracle Corporation [2].

The discovered security issues violate many of the "Secure Coding Guidelines for the Java Programming Language" [3]. Most of them demonstrate a specific problem related to Java SE security. Among the total of 19 weaknesses discovered, there are issues that allow either a specific Java security bypass condition to be created or that facilitate the exploitation of a certain type of vulnerability.

Security Explorations developed reliable Proof of Concept codes for all of the issues found. This includes 12 exploit codes that demonstrate a complete JVM security sandbox bypass.

A malicious Java applet or application exploiting one of the most serious issues found could run unrestricted in the context of a target Java process, such as a web browser application. Security Explorations verified that, as a result of a successful attack, arbitrary files could be created or programs executed in the environment of the affected Java SE software.

The following versions of Java SE were verified to be vulnerable to all 19 identified weaknesses:

  • JRE/JDK 7 (version 1.7.0-b147)
  • JRE/JDK 7u1 (version 1.7.0_01-b08)
  • JRE/JDK 7u2 (version 1.7.0_02-b13)
  • JRE/JDK 7u3 (version 1.7.0_03-b05)
  • JRE/JDK 7u4 (version 1.7.0_04-ea-b18, early access release from 29 Mar 2012)

On Apr 02 2012, Security Explorations sent a vulnerability notice to Oracle Corporation containing detailed information about the discovered vulnerabilities. Along with that, the company was also provided with source and binary code for 14 Proof of Concept codes illustrating all security bypass issues and exploitation vectors.

References:

  [1] Java Platform, Standard Edition (http://www.oracle.com/us/technologies/java/standard-edition/overview/index.html)
  [2] Oracle Corporation (http://www.oracle.com)
  [3] Secure Coding Guidelines for the Java Programming Language, Version 4.0 (http://www.oracle.com/technetwork/java/seccodeguide-139067.html)


Copyright 2008-2014 Security Explorations. All Rights Reserved.