Message-ID: <512F17A7.2080904@security-explorations.com>
Date: Thu, 28 Feb 2013 09:39:03 +0100
From: Security Explorations <contact@...urity-explorations.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [SE-2012-01] New security issues affecting Oracle's Java SE 7u15 (updated)


Hello All,

This is an updated re-post of our original message from Feb 25,
2012 (original message didn't hit the list for some technical
reasons).

---

We had yet another look into Oracle's Java SE 7 software that
was released by the company on Feb 19, 2013. As a result, we
have discovered two new security issues (numbered 54 and 55),
which when combined together can be successfully used to gain
a complete Java security sandbox bypass in the environment of
Java SE 7 Update 15 (1.7.0_15-b03).

Following our Disclosure Policy [1], we provided Oracle with
a brief technical description of the issues found along with
a working Proof of Concept code that illustrates their impact.

Both new issues are specific to Java SE 7 only. They allow the
Reflection API to be abused in a particularly interesting way.

Without going into further details, everything indicates that
the ball is in Oracle's court. Again.

[Update from Feb 28, 2012]
Yesterday, Oracle provided us with the results of its analysis
of the received material [2]. The company informed us that:
a) Issue 54 is not treated as a vulnerability as it demonstrates
    the "allowed behavior",
b) Issue 55 was confirmed by the company.

We disagree with Oracle's assessment regarding Issue 54. There
is a mirror case corresponding to Issue 54 that leads to access
denied condition and a security exception. That alone seems to
be enough to contradict the "allowed behavior" claim by the
company (is it possible to claim a non-security vulnerability
when access is denied for a public API, but allowed for some
private code path?).

If Oracle sticks to their assessment, we'll have no choice but
to publish details of Issue 54 (similarly to Apple's case [3]).

The above does not influence the impact of the attack found.
Full sandbox bypass under Java SE 7 Update 15 was officially
confirmed by the vendor (a combination of "allowed behavior"
and a bug according to Oracle).

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Security Explorations - Disclosure Policy
     http://www.security-explorations.com/en/disclosure-policy.html
[2] SE-2012-01 Vendors status
     http://www.security-explorations.com/en/SE-2012-01-status.html
[3] SE-2012-01 Press Info (2)
     http://www.security-explorations.com/en/SE-2012-01-press2.html
