Security researcher to IBM: 'Fix that 2013 Java bug'
And this time, do it right
A security researcher that pointed out serious Java Runtime Engine vulnerabilities to IBM in 2013 has accused Big Blue of not fixing the bugs properly.
The gist of this Full Disclosure post is that back in 2013, IBM closed off the proof-of-concept attack without considering all possible code paths to the vulnerability.
The message comes from Adam Gowdiak, who is credited with finding the flaw by IBM in this Security Bulletin.
Gowdiak's new work explains that CVE-2013-5456 enabled a Java sandbox bypass.
IBM's response at the time as to restrict access to classes from the com.ib.rmi.io package, which closed the scenario disclosed in November 2013.
What didn't happen, he claims, is a thorough fix: “There were no security checks introduced anywhere in the code. The patch primarily addressed the scenario illustrated by the Proof of Concept code. It didn't take into account all code paths that could be used to reach the vulnerable code sequence”, Gowdiak writes.
The new PoC has been tested in 32-bit Linux, on IBM's SDK, Java Technology Edition, Version 7.1 for Linux, build pxi3270_27sr3fp30-20160112_01(SR3 FP30); and IBM JSD JTE Version 8.0 for Linux, build pxi3280sr2fp10-20160108_01(SR2 FP10).
Over to you, Big Blue. ®