Message-ID: <516E8878.7090300@security-explorations.com>
Date: Wed, 17 Apr 2013 13:33:12 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [SE-2012-01] Details of issues fixed by Java SE 7 Update 21


Hello All,

We wanted to add the following information to our post from yesterday.

We've learned that Red Hat's Bugzilla associates CVE-2013-1537 [1]
with the RMI issue allowing for remote loading and execution of
arbitrary Java code on servers [2].

It looks like Oracle has finally patched the RMI vulnerability that
has been known to the vendor since 2005. What's also interesting is
that a fix for it is now highlighted by Oracle as a new security
feature of Java [3].

We can't decide what is more surprising to us:
1) finding out that Oracle finally admitted that Java security
    issues could affect servers as well (so far the Plugin was
    the source of all evilness),
2) learning that at Oracle, "every developer is a security
    rifleman", "trained on security" [4].

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] CVE-2013-1537 OpenJDK: remote code loading enabled by default
     https://bugzilla.redhat.com/show_bug.cgi?id=952387
[2] "Security Vulnerabilities in Java SE", technical report
     http://www.security-explorations.com/materials/se-2012-01-report.pdf
[3] Java SE 7 Update 21 Release and more
     https://blogs.oracle.com/java/entry/java_se_7_update_21
[4] Oracle Secures Java with 41 Updates, Code Signing
     http://www.esecurityplanet.com/network-security/oracle-secures-java-with-41-updates-code-signing.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/