Message-ID: <504EE67D.9090405@security-explorations.com>
Date: Tue, 11 Sep 2012 09:21:33 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [SE-2012-01] Security vulnerabilities in IBM Java


Hello All,

Security Explorations discovered multiple security vulnerabilities
in IBM SDK, Java Technology Edition software [1]. This is IBM's [2]
implementation of Java SE technology for the AIX, Linux, z/OS and
IBM i platforms.

Among a total of 17 security weaknesses found, there are issues that
can lead to the complete compromise of a target IBM Java environment.

It should be noted that none of the identified issues are duplicates
of previously reported vulnerabilities in Oracle's Java SE [3]. These
are purely IBM Java specific weaknesses and exploitation vectors.

Security Explorations developed reliable Proof of Concept code for all
of the issues found. This includes 10 exploit codes that successfully
demonstrate a complete IBM J9 Java VM security sandbox bypass.

The following versions of IBM Java SDK were verified to be vulnerable:
* IBM SDK, Java Technology Edition, Version 7.0 SR1 for Linux 32-bit
   x86, build pxi3270sr1-20120330_01(SR1), released on 2012-04-30
* IBM SDK, Java Technology Edition, Version 6.0 SR11 for Linux 32-bit
   x86, build pxi3260sr11-20120806_01(SR11), released on 2012-08-10

On Sep 11 2012, Security Explorations sent a vulnerability notice to
IBM Corporation containing detailed information about the discovered
issues. Along with that, the company was also provided with source and
binary code for our Proof of Concept exploits illustrating all security
bypass issues and exploitation vectors.

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] IBM developer kits
     http://www.ibm.com/developerworks/java/jdk/
[2] IBM Corporation
     http://www.ibm.com
[3] SE-2012-01 Vendors status
     http://www.security-explorations.com/en/SE-2012-01-status.html
