Open Source and information security mailing list archives
Date: Tue, 12 Apr 2016 21:45:30 +0200
From: Security Explorations <>
Subject: [SE-2012-01] Yet another broken security fix in IBM Java 7/8

Hello All,

We discovered that yet another fix for a security vulnerability in IBM
Java (Issue 70 [1] assigned CVE-2013-5456) we reported to the company
in 2013 hasn't been fixed properly.

Again, the actual root cause of the issue hasn't been addressed at all.
There were no security checks introduced anywhere in the code. The patch
primarily addressed the scenario illustrated by a Proof of Concept code.
It didn't take into account all code paths that could be used to reach
the vulnerable code sequence.

Full technical details of IBM fix bypass can be found in our technical

Along with the report, we have also published a Proof of Concept code
to illustrate the broken fix:

What is worth mentioning is that when we reported Issue 70 to IBM (Oct
16, 2013 [2]), the company responded 2 days later that as a result of
its testing of the received Proof of Concept codes against the soon-to-be-
released 4Q service update, Issue 70 had been found to be addressed.

This was the first time a vendor notified us that a reported weakness
didn't affect its internal and not yet available to the public build
of the software. Our understanding was that IBM discovered the issue
on its own and already addressed it.

Now, we think this was not the case. The company likely concluded that
there was no reason to investigate the issue further upon finding out
that package access restrictions introduced in their internal build
of Java blocked our POC code for Issue 70.

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] SE-2012-01-IBM-3, Issues 70-71
[2] SE-2012-01 Vendors status
