lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 06 May 2013 13:44:50 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [SE-2012-01] New security vulnerabilities and
 broken fixes in IBM Java


Hello All,

Security Explorations discovered 7 additional security issues (#62-68)
in the latest version of IBM SDK, Java Technology Edition software [1].
A majority of the new flaws are due to insecure use or implementation
of Java Reflection API.

Additionally to the above, we found out that four issues reported to
IBM in Sep 2012 [2] had not been fixed correctly by the company. Upon
simple exploit codes modifications they can be still used to achieve
a complete compromise of a target IBM Java environment. The problem
with IBM fixes is that they aim to detect only one specific exploit
vector (PoC instance ?) and miss many other scenarios.

Security Explorations developed reliable Proof of Concept codes for
the above-mentioned issues. Each of them demonstrates a complete IBM J9
Java VM security sandbox bypass. Each of them was verified to work in
the environment of the following version of IBM software:
* IBM SDK, Java Technology Edition, Version 7.0 SR4 FP1 for Linux (32-bit
   x86), build pxi3270sr4fp1-20130325_01(SR4 FP1)

Today, a vulnerability notice was sent to IBM corporation containing
detailed information about identified weaknesses. Along with that, the
company was also provided with source and binary codes for Proof of
Concept codes illustrating all new security bypass issues and broken
fixes.

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] IBM developer kits
     http://www.ibm.com/developerworks/java/jdk/
[2] SE-2012-01 Vendors status
     http://www.security-explorations.com/en/SE-2012-01-status.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ