Message-ID: <504EE67D.9090405@security-explorations.com>
Date: Tue, 11 Sep 2012 09:21:33 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [SE-2012-01] Security vulnerabilities in IBM Java
Hello All,
Security Explorations discovered multiple security vulnerabilities
in IBM SDK, Java Technology Edition software [1]. This is IBM's [2]
implementation of Java SE technology for the AIX, Linux, z/OS and IBM i
platforms.
Among a total of 17 security weaknesses found, there are issues that
can lead to the complete compromise of a target IBM Java environment.
It should be noted that none of the identified issues are duplicates
of previously reported vulnerabilities in Oracle's Java SE [3]. These
are purely IBM Java specific weaknesses and exploitation vectors.
Security Explorations developed reliable Proof of Concept codes for all
of the issues found. This includes 10 exploit codes that successfully
demonstrate a complete IBM J9 Java VM security sandbox bypass.
The following versions of IBM Java SDK were verified to be vulnerable:
* IBM SDK, Java Technology Edition, Version 7.0 SR1 for Linux 32-bit
x86, build pxi3270sr1-20120330_01(SR1), released on 2012-04-30
* IBM SDK, Java Technology Edition, Version 6.0 SR11 for Linux 32-bit
x86, build pxi3260sr11-20120806_01(SR11), released on 2012-08-10
On Sep 11 2012, Security Explorations sent a vulnerability notice to
IBM Corporation containing detailed information about the discovered issues.
Along with that, the company was also provided with source and binary
code for our Proof of Concept codes illustrating all security bypass
issues and exploitation vectors.
Thank you.
Best Regards
Adam Gowdiak
---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------
References:
[1] IBM developer kits
http://www.ibm.com/developerworks/java/jdk/
[2] IBM Corporation
http://www.ibm.com
[3] SE-2012-01 Vendors status
http://www.security-explorations.com/en/SE-2012-01-status.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/