Fixed IBM Java Patch, Not Fixed

Friday, April 15, 2016 @ 04:04 PM gHale


Attackers can bypass an IBM Java patch that apparently fixed a 2013 vulnerability.

As part of its Java SE research project back in 2012 and 2013, Security Explorations found over 70 vulnerabilities in the Java implementations of Oracle and IBM.


Patches were released for most of the issues, but an analysis conducted by the research firm found that some of the fixes don’t address the root cause of the flaws.

IBM’s fix for CVE-2013-5456, dubbed “issue 70,” is not efficient, Security Explorations founder and chief executive Adam Gowdiak said in a blog post.

The flaw, which could be exploited for a complete sandbox escape against the most recent versions of Java 7 and 8, was first reported to IBM in October 2013, and a patch was released the next month.

“The actual root cause of the issue hasn’t been addressed at all. There were no security checks introduced anywhere in the code. The patch primarily addressed the scenario illustrated by a Proof of Concept code. It didn’t take into account all code paths that could be used to reach the vulnerable code sequence,” Gowdiak said.
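The distinction Gowdiak draws, a patch that blocks only the code path a proof-of-concept used versus one that adds a security check at the vulnerable code itself, is easier to see in a small model. The following Java is an added illustration, not code from IBM, Oracle or Security Explorations, and it models no real Java SE API: `sensitiveOperation`, the two entry points and the `callerIsTrusted` flag are hypothetical stand-ins for a sandbox-restricted operation, its callers and the trust decision.

```java
import java.util.function.Function;

// Added illustration (hypothetical code, not from any of the vendors named in the article):
// a "PoC-only" patch guards one caller, a root-cause patch guards the sensitive code itself.
public class RootCauseVsPocFix {

    // Hypothetical sandbox state: is the calling code trusted? (false = sandboxed caller)
    static boolean callerIsTrusted = false;

    // The operation that must not be reachable from sandboxed code.
    static String sensitiveOperation(String what) {
        return "done:" + what;
    }

    // ---- "PoC-only" patch: the check was added where the proof of concept entered. ----
    static String entryUsedByPoc(String what) {
        if (!callerIsTrusted) {
            throw new SecurityException("blocked at entryUsedByPoc");
        }
        return sensitiveOperation(what);
    }

    // A second entry point that was not in the PoC still reaches the same code unchecked.
    static String otherEntry(String what) {
        return sensitiveOperation(what);
    }

    // ---- Root-cause patch: the check lives inside the sensitive operation. ----
    static String sensitiveOperationHardened(String what) {
        if (!callerIsTrusted) {
            throw new SecurityException("blocked at sensitiveOperationHardened");
        }
        return "done:" + what;
    }

    // Every entry point now inherits the check, whether or not a PoC exercised it.
    static String entryUsedByPocHardened(String what) {
        return sensitiveOperationHardened(what);
    }

    static String otherEntryHardened(String what) {
        return sensitiveOperationHardened(what);
    }

    // Returns true when the path is refused for an untrusted caller.
    static boolean pathIsBlocked(Function<String, String> path) {
        try {
            path.apply("probe");
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        callerIsTrusted = false; // evaluate every path from the sandboxed caller's point of view

        // With the PoC-only patch, the PoC's path is refused but the other path is not:
        // the same sensitive code is still reachable, so the fix can be bypassed.
        System.out.println("PoC-only patch, PoC path blocked:    "
                + pathIsBlocked(RootCauseVsPocFix::entryUsedByPoc));
        System.out.println("PoC-only patch, other path blocked:  "
                + pathIsBlocked(RootCauseVsPocFix::otherEntry));

        // With the root-cause patch, every path to the sensitive code is refused.
        System.out.println("Root-cause patch, PoC path blocked:  "
                + pathIsBlocked(RootCauseVsPocFix::entryUsedByPocHardened));
        System.out.println("Root-cause patch, other path blocked:"
                + pathIsBlocked(RootCauseVsPocFix::otherEntryHardened));
    }
}
```

When reviewing a vendor fix, the useful check is the one `main` performs for the hardened variant: enumerate every caller of the vulnerable code, not just the one in the advisory's PoC, and confirm each is refused for an untrusted caller. A patch that only passes for the PoC path is the situation the article describes.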

Two days after the vulnerability was reported to IBM, the vendor told the researchers that the PoC they had submitted did not work against the upcoming release. This led Security Explorations to believe the issue had been independently found and patched by IBM.

“Now, we think this was not the case,” Gowdiak said.

Security Explorations published an updated advisory detailing how to bypass IBM’s patch and released a PoC that has been successfully tested on IBM SDK, Java Technology Edition, versions 7.1 and 8.0 for Linux, released January 26.