[SE-2012-01] Yet another broken security fix in IBM Java 7/8 Apr 12 2016 07:45PM
Security Explorations (contact security-explorations com)

Hello All,

We discovered that yet another fix for a security vulnerability in IBM
Java (Issue 70 [1] assigned CVE-2013-5456) we reported to the company
in 2013 hasn't been fixed properly.

Again, the actual root cause of the issue hasn't been addressed at all.
There were no security checks introduced anywhere in the code. The patch
primarily addressed the scenario illustrated by a Proof of Concept code.
It didn't take into account all code paths that could be used to reach
the vulnerable code sequence.

Full technical details of IBM fix bypass can be found in our technical


Along with the report, we have also published a Proof of Concept code
to illustrate the broken fix:


What's worth to mention is that when we reported Issue 70 to IBM (Oct
16, 2013 [2]), the company responded 2 days later that as a result of
its testing of the received Proof of Concept codes against soon to be
released 4Q service update, Issue 70 has been found to be addressed.

This was the first time a vendor notified us that a reported weakness
didn't affect its internal and not yet available to the public build
of the software. Our understanding was that IBM discovered the issue
on its own and already addressed it.

Now, we think this was not the case. The company likely concluded that
there was no reason to investigate the issue further upon finding out
that package access restrictions introduced in their internal build
of Java blocked our POC code for Issue 70.

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] SE-2012-01-IBM-3, Issues 70-71
[2] SE-2012-01 Vendors status

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus