SE-2012-01 Vendors status

This page presents the current status of the communication process with the vendors of the affected technologies.

Summary of the communication process:

  • 02-Apr-2012
- Vulnerability Notice along with Proof of Concept codes are sent to Oracle corporation (Issues 1-19).
  • 03-Apr-2012
- Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it is investigating the issues.
  • 04-Apr-2012
- Vulnerability Notice along with Proof of Concept codes are sent to Oracle corporation (Issues 20 and 21).
- Oracle confirms successful reception and decryption of the second vulnerability report.
  • 12-Apr-2012
- Vulnerability Notice and a Proof of Concept code are sent to Apple (Issue 22).
  • 13-Apr-2012
- Request for confirmation of a successful report decryption is sent to Apple.
- Apple confirms successful reception and decryption of the vulnerability report. The company requests additional details regarding the reported Issue 22 and the impact of Issue 15.
- Security Explorations provides Apple with additional details regarding Issue 22 along with limited information pertaining to the impact of Oracle's Issue 15.
  • 16-Apr-2012
- Apple informs that Issue 22 is being investigated.
  • 17-Apr-2012
- Vulnerability Notice along with Proof of Concept codes are sent to Oracle corporation (Issues 23-26).
  • 19-Apr-2012
- Request for confirmation of successful reception and decryption of the third vulnerability report is sent to Oracle.
- Oracle confirms successful reception and decryption of the third vulnerability report. The company informs that it does not ship the JDK on MacOS and recommends contacting Apple for issues related to MacOS.
- Security Explorations asks Oracle whether the issues found in code implemented by Sun Microsystems and affecting MacOS should be handled and fixed by Apple on its own.
  • 23-Apr-2012
- Oracle provides 11 tracking numbers for some of the reported issues. The company informs that its engineering team is assessing some other issues (including the MacOS ones) and that it will provide a monthly update until the issues are addressed.
  • 25-Apr-2012
- Oracle provides a status report for 12 reported issues. The company informs that they are under investigation / being fixed in main codeline.
  • 27-Apr-2012
- Vulnerability Notice along with Proof of Concept codes are sent to Oracle corporation (Issues 27-31).
- Oracle confirms successful reception and decryption of the fourth vulnerability report.
  • 24-May-2012
- Oracle provides a monthly status report for the reported issues. The company informs that two issues are fixed in main codeline and are scheduled for a future CPU. The remaining issues are under investigation / being fixed in main codeline.
  • 04-Jun-2012
- Request for status update / results of the analysis is sent to Apple.
  • 08-Jun-2012
- Oracle provides a notification that 2 of the reported issues will be fixed by the Critical Patch Update to be released by the company on Jun 12, 2012.
  • 11-Jun-2012
- Oracle informs that Issue 24, specific to MacOS, is not in the APIs from Java SE distributed by Oracle, that it comes from a project that is no longer supported and that there will be no updates to it. The company provides a detailed mapping between the 29 issues reported by Security Explorations and the corresponding 16 Oracle tracking numbers.
  • 15-Jun-2012
- Apple informs that an additional security check to disable QuickTime for Java was added in the Java for OS X 2012-004 update and in Java for Mac OS X 10.6 Update 9. The company provides a link to the KB publication describing these updates (http://support.apple.com/kb/HT5319).
  • 18-Jun-2012
- Security Explorations asks Apple why there is no information about the fix for the QuickTime for Java issue in the HT5319 publication describing the latest Java security updates for MacOS. Security Explorations also asks whether the same "silent fix / no credit" approach will be followed by the company with respect to the release of a security update for Apple QuickTime software for Windows.
- Issue 24, specific to MacOS, is reassigned to Apple - a Vulnerability Notice and a Proof of Concept code are sent to the company.
- Apple informs that Issue 22 was a hardening issue, as it depended on another issue already fixed and credited by Oracle. The company also informs that it does not typically credit security researchers when new security hardening enhancements are implemented, as in the case of Issue 22.
- Apple confirms successful reception and decryption of the vulnerability report.
  • 19-Jun-2012
- Security Explorations provides Apple with its arguments in response to the company's controversial evaluation of Issue 22. Security Explorations asks Apple whether the company considers the reported Issue 22 a security vulnerability in Apple's code.
  • 21-Jun-2012
- Oracle provides a monthly status report for the reported issues. The company informs that four issues were fixed by Java CPU from Jun 2012. The remaining issues are under investigation / being fixed in main codeline.
- Security Explorations notifies Oracle of inaccurate information received regarding the number of recently fixed issues. The company is also notified about the unassigned tracking number for Issue 25 and the reassignment of Issue 24 to Apple.
  • 22-Jun-2012
- Apple confirms its stance - the company informs that it considers issues that are not sufficient by themselves to lead to a security compromise to be security hardening enhancements.
  • 26-Jun-2012
- Oracle provides a tracking number for Issue 25 and a clarification regarding recently fixed issues.
  • 24-Jul-2012
- Oracle provides a monthly status report for the reported issues. The company informs that remaining unfixed issues are under investigation / being fixed in main codeline.
  • 27-Jul-2012
- Security Explorations asks Oracle whether the remaining 25 issues will be addressed by the company in the October 2012 Java SE CPU.
- Oracle informs that it is working to address the remaining issues, that a number of them are targeted for the October 2012 Java SE CPU and that the rest are to be addressed in February 2013.
  • 23-Aug-2012
- Oracle provides a monthly status report for the reported issues. The company informs that 19 issues are fixed in main codeline and are scheduled for a future CPU. The remaining 6 issues are under investigation / being fixed in main codeline.
  • 31-Aug-2012
- Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issue 32).
- Oracle confirms successful reception and decryption of the vulnerability report. The company provides a tracking number for the unconfirmed issue. Oracle informs that it will investigate the issue based on the data provided and will get back with the results soon.
  • 10-Sep-2012
- Initial requests for security contacts are sent to IBM.
- Oracle confirms Issue 32. The company informs that it will be addressed in a future Java SE Critical Patch Update.
  • 11-Sep-2012
- Vulnerability Notice along with Proof of Concept codes are sent to IBM corporation (Issues 33-49).
- IBM confirms successful reception and decryption of the vulnerability report. The company informs that the issues were sent to the appropriate product team for investigation.
  • 17-Sep-2012
- Additional Proof of Concept code for Issue 32 is sent to Oracle.
  • 19-Sep-2012
- Oracle confirms successful reception and decryption of the additional Proof of Concept code.
  • 20-Sep-2012
- IBM provides status information for the reported issues. The company informs that relevant development teams are working to address the weaknesses. IBM also provides an initial outlook regarding readiness and release dates of fixed SDK software (Nov 2012).
  • 24-Sep-2012
- Oracle provides a monthly status report for the reported issues. The company informs that 18 issues are fixed in main codeline and are scheduled for a future CPU. The remaining 2 issues are under investigation / being fixed in main codeline.
  • 25-Sep-2012
- Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issue 50).
- Oracle confirms Issue 50. The company provides its tracking number and informs that the issue will be addressed in a future Java SE Critical Patch Update.
  • 26-Sep-2012
- Oracle provides a comprehensive status report regarding the upcoming Java CPU. The company informs that fixes for all issues except two (29 and 50) have been integrated and are undergoing testing for release in the October 2012 Java SE CPU. The company is evaluating fixes for Issue 50 and will provide a further update on whether a fix for it will also be included in the October 2012 Java SE CPU.
  • 27-Sep-2012
- IBM informs that its engineers were able to recreate each of the vulnerabilities (Issues 33-49) and that the company has solutions for the majority working their way through development and test processes.
  • 10-Oct-2012
- Oracle informs that the company intends to address Issue 50 in the February 2013 Java SE Critical Patch Update.
  • 12-Oct-2012
- Oracle provides a status report for the reported issues. The company informs that 19 issues will be fixed in the upcoming Java SE Critical Patch Update to be released on October 16, 2012.
  • 15-Oct-2012
- Security Explorations asks Oracle about the reason behind the company's decision to wait with a patch for a critical Java security issue (number 50) until Feb 2013.
  • 16-Oct-2012
- Oracle responds that the company was in the final stages of extensive testing of the October 2012 Java SE Critical Patch Update when it received the Issue 50 report. Upon evaluation of Issue 50 and the options to fix it, the company's assessment was that it was too late to include fixes in the October Java SE CPU. Oracle confirms that it is on track to deliver fixes for Issue 50 in the next Java SE Critical Patch Update, which ships in February 2013.
- Security Explorations explains that it asked about something else, specifically about the reason for sticking to Oracle's semi-quarter patch release schedule, which means an additional four months of waiting for a patch for a critical security issue in Java.
  • 18-Oct-2012
- Oracle responds that the company addresses security vulnerabilities through Critical Patch Updates and Security Alerts. The latter may be issued in the case of an urgent issue, such as one that has been publicly disclosed. Oracle explains that its CPUs go through extensive integration testing with other products and that any delay in the October Java SE CPU would delay the delivery of 139 fixes for applications integrating Java SE. Oracle asks whether Issue 50 will be disclosed at the Devoxx conference.
- Security Explorations informs Oracle that there is no change in plans and that Issue 50 will not be disclosed at Devoxx as long as it remains unpatched by the time of the conference.
  • 19-Oct-2012
- Security Explorations challenges Oracle and provides it with the results of its Vulnerability Fix Experiment. The experiment leads to the conclusion that a fix for Issue 50 can be implemented within half an hour, that only 25 characters need to be changed in the source code to implement the fix and that no integration tests with other applications are required for it.
- Oracle confirms successful reception and decryption of the fix experiment report. The company informs that someone will respond as soon as possible.
  • 23-Oct-2012
- Oracle provides a monthly status report for the reported issues. The company confirms vulnerabilities fixed by Oct Java SE CPU and informs that the remaining 2 issues are under investigation / being fixed in main codeline.
  • 31-Oct-2012
- IBM provides a status update for the reported issues. The company informs that it has developed and tested solutions for each of the issues and that fixed builds of IBM SDK should be ready for download in Nov.
  • 14-Nov-2012
- IBM provides a link to a blog entry describing the security fixes released for the vulnerable software.
  • 27-Nov-2012
- Oracle provides a status report for Issues 29 and 50. The company informs that they are under investigation / being fixed in main codeline.
  • 17-Dec-2012
- Oracle provides a status report for Issues 29 and 50. The company informs that they are fixed in main codeline and scheduled for a future CPU.
  • 18-Jan-2013
- Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 51 and 52).
- Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
- Oracle provides tracking numbers for Issues 51 and 52.
  • 25-Jan-2013
- Oracle provides a monthly status report for the reported issues. The company informs that Issues 29, 50 and 52 are fixed in main codeline and are scheduled for a future CPU. The remaining Issue 51 is under investigation / being fixed in main codeline.
  • 27-Jan-2013
- Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issue 53).
  • 28-Jan-2013
- Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
- Oracle provides a tracking number for Issue 53.
  • 01-Feb-2013
- Oracle provides a status report regarding the upcoming Java CPU. The company informs that fixes for Issues 29, 50, 52 and 53 will be incorporated into the Critical Patch Update due to be released on Feb 01, 2013.
  • 25-Feb-2013
- Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 54 and 55).
- Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
- Oracle provides a monthly status report for the reported issues. The company informs that Issue 51 is under investigation / being fixed in main codeline. The report does not mention Issues 54 and 55 yet.
- Oracle provides tracking numbers for Issues 54 and 55, but claims they are still not confirmed.
  • 27-Feb-2013
- Security Explorations asks Oracle whether it needs any assistance in running the received Proof of Concept code or whether a confirmation of the reported vulnerabilities from a 3rd party such as US-CERT would be helpful for the company. Security Explorations informs Oracle that it expects a clear confirmation or denial of Issues 54 and 55 (in the past, reception of tracking numbers from Oracle was equivalent to the confirmation of a given report).
- Oracle provides the results of its assessment and informs that Issue 54 is not a vulnerability (it demonstrates "allowed behavior"). The company confirms Issue 55.
- Security Explorations disagrees with Oracle's assessment regarding Issue 54 and provides the company with its arguments. Security Explorations demonstrates to Oracle a corresponding sample of the "allowed behavior" of Issue 54 that leads to denied access and a security exception.
  • 28-Feb-2013
- Security Explorations provides Oracle with another example illustrating denied access for a condition similar to Issue 54. The company asks Oracle whether it still considers Issue 54 a non-vulnerability demonstrating "allowed behavior".
- Oracle informs that the company is investigating the issue and will get back to us once the investigation is completed.
  • 04-Mar-2013
- Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 56-60).
- Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
- Oracle provides tracking numbers for Issues 56-60, but claims they are still not confirmed.
  • 05-Mar-2013
- Oracle informs that it is continuing to evaluate Security Explorations' arguments regarding Issue 54. The company provides background for that evaluation (references to the JVM specification) and suggests a technical discussion with representatives of its VM and Security Teams.
  • 11-Mar-2013
- Security Explorations asks Oracle for the final evaluation of Issue 54.
- Oracle informs that it is continuing to evaluate Issue 54 and will provide its final evaluation once it is completed.
  • 26-Mar-2013
- Oracle provides a monthly status report for the reported issues. The company informs that Issues 55, 57, 59 are fixed in main codeline and are scheduled for a future CPU. The remaining Issues 51, 54, 56, 58 and 60 are under investigation / being fixed in main codeline.
  • 05-Apr-2013
- Oracle confirms Issues 57-60. The company informs that they will be addressed in a future Java SE Critical Patch Update.
  • 09-Apr-2013
- Security Explorations asks Oracle whether the confirmation of only 4 out of the 5 issues reported on 04-Mar-2013 means that Issue 56 is not considered a security vulnerability by the company ("allowed behavior", etc.).
  • 10-Apr-2013
- Oracle informs that it is still in the process of evaluating Issue 56 and will provide its final evaluation once it is completed.
  • 12-Apr-2013
- Oracle provides a status report regarding the upcoming Java CPU. The company informs that fixes for Issues 51, 55, 57, 58, 59 and 60 will be incorporated into the Critical Patch Update due to be released on Apr 16, 2013.
  • 16-Apr-2013
- Oracle provides its evaluation of Issue 56. The company's analysis backs the claim that Issue 56 demonstrates behavior not forbidden by the JVM specification.
  • 22-Apr-2013
- Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issue 61).
- Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
- Oracle provides a tracking number for Issue 61.
  • 23-Apr-2013
- Oracle provides a monthly status report for the reported issues. The company informs that five issues were fixed by Java CPU from Apr 2013. The remaining issues (54, 56 and 61) are under investigation / being fixed in main codeline.
  • 24-Apr-2013
- Oracle confirms Issue 61. The company informs that it will be addressed in a future Java SE Critical Patch Update.
  • 26-Apr-2013
- Oracle informs that it plans to close Issue 56 by May 10, 2013.
  • 06-May-2013
- Vulnerability Notice along with Proof of Concept codes are sent to IBM corporation (Issues 62-68).
- IBM confirms successful reception of the vulnerability report. The company informs that it will be looking into it. IBM also informs that "by submitting the material to the company, Security Explorations have granted to IBM Corporation, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights related to the use of this material."
  • 07-May-2013
- Security Explorations informs IBM that the material was provided to IBM free of any charge, but that it cannot be shared with any 3rd party beyond IBM. Security Explorations asks IBM whether it lacks properly skilled engineers among its 400+ thousand employees to successfully resolve the reported issues.
- IBM informs that its people are working through the reported issues. The company will provide updates according to the progress made.
  • 21-May-2013
- Oracle provides a monthly status report for the reported issues. The company informs that Issue 61 is fixed in main codeline and is scheduled for a future CPU. The remaining Issue 54 is under investigation / being fixed in main codeline. Issue 56 was closed by the company ("not a bug").
  • 24-May-2013
- IBM provides a status report for the reported issues. The company confirms Issues 62-68 and incomplete patches for Issues 35, 36, 37 and 49. The company informs that fixes for each of the issues have been developed and are currently undergoing quality assurance.
  • 12-Jun-2013
- A request for CVE numbers corresponding to vulnerabilities reported by Security Explorations as part of SE-2012-01 project is sent to Oracle.
  • 17-Jun-2013
- Oracle provides an evaluation of Issue 54 by its engineering team. The company informs that the issue will be closed as not a vulnerability.
  • 19-Jun-2013
- Oracle provides CVE numbers corresponding to vulnerabilities reported by Security Explorations as part of SE-2012-01 project.
  • 24-Jun-2013
- Oracle provides a monthly status report for the reported issues. The company informs that Issue 54 was closed (not treated as a security bug) and that Issue 61 was fixed in Java SE CPU from Jun 2013.
  • 03-Jul-2013
- IBM provides a status report for the reported issues. The company informs that the latest release of IBM Java for Linux addresses Issues 62-68 and incomplete patches for Issues 35, 36, 37 and 49.
  • 18-Jul-2013
- Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issue 69).
- Oracle confirms successful reception and decryption of the vulnerability report. The company provides a tracking number for Issue 69 and informs that it will investigate based on the data provided and get back to us soon.
  • 24-Jul-2013
- Oracle provides a monthly status report for the reported issues. The company informs that Issue 69 is fixed in main codeline and is scheduled for a future CPU.
  • 26-Jul-2013
- Oracle confirms Issue 69. The company informs that it will be addressed by a backported (from JDK 8) implementation of the affected component in JDK 7 Update 40 that is to be released in September 2013.
  • 29-Jul-2013
- Security Explorations asks IBM for links / references to the security bulletins released by the company in response to the fixing of Issues 62-68 and the incomplete patches for Issues 35, 36, 37 and 49.
  • 31-Jul-2013
- IBM provides a link to the security bulletin describing fixes released for vulnerable Java software.
  • 23-Aug-2013
- Oracle provides a monthly status report for the reported issues. The company informs that Issue 69 is fixed in main codeline and is scheduled for a future CPU.
  • 24-Sep-2013
- Oracle provides a monthly status report for the reported issues. The company informs that Issue 69 is fixed in main codeline and is scheduled for a future CPU.
  • 11-Oct-2013
- Oracle provides a status report regarding the upcoming Java CPU. The company informs that a fix for Issue 69 will be incorporated into the Critical Patch Update due to be released on Oct 15, 2013.
  • 16-Oct-2013
- Vulnerability Notice along with Proof of Concept codes are sent to IBM corporation (Issues 70-71).
- IBM confirms successful reception and decryption of the vulnerability report. The company informs that it will be looking into the report and provides a PSIRT Advisory number for it.
  • 18-Oct-2013
- IBM informs that, as a result of its testing of the received Proof of Concept codes against the soon-to-be-released 4Q service update, the company has found that Issues 49, 70 and 71 have all been addressed.
- Security Explorations asks IBM to confirm whether the most recent version of IBM SDK available to the general public (Version 7 SR5) is affected by the reported issues.
  • 21-Oct-2013
- IBM confirms that Issues 49, 70 and 71 are reproducible in the latest current release of IBM SDK (Version 7 SR5).
  • 24-Oct-2013
- Oracle provides a monthly status report for the reported issues. The company informs that Issue 69 was fixed in Java SE CPU from Oct 2013.
  • 07-Nov-2013
- IBM informs about a new release of its Java software (IBM SDK Version 7 SR6). The company provides a link to the security bulletin describing corresponding security fixes.

Copyright 2008-2014 Security Explorations. All Rights Reserved.