Security Patch in IBM's Java Is Broken, Researchers Charge

A three-year-old security vulnerability in IBM's implementation of Java that was thought to be fixed is still exploitable because the patch for it is broken, researchers at Security Explorations disclosed last week.

The researchers originally reported the vulnerability to IBM in May 2013, said Adam Gowdiak, CEO and founder of the Poland-based company, in a post to the Full Disclosure mailing list.

"The actual root cause of the issue hasn't been addressed at all," Gowdiak said. "There were no security checks introduced anywhere in the code. The patch relied solely on the idea that hiding the vulnerable method deep in the code and behind a Proxy class would be sufficient to address the issue."

Identified by the researchers as "Issue 67" and tracked in the National Vulnerability Database as CVE-2013-3009, the vulnerability originated in an insecure use of the invoke method of the java.lang.reflect.Method class, called inside an AccessController doPrivileged block, the researchers reported. This would allow an attacker to call the setSecurityManager method of the java.lang.System class, and could be exploited to achieve a complete Java security sandbox escape.
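As an added illustration (not code from IBM, Security Explorations or this article), the root-cause pattern described above is shown beside a hardened form: the class name PrivilegedInvoker, the permission ReflectiveInvokePermission and the allow-list entry are hypothetical, and the code assumes a Java 8, SecurityManager-era JDK like the ones discussed here.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.Set;

// Hypothetical helper, added as an example; not the vendor's code.
public final class PrivilegedInvoker {

    // VULNERABLE PATTERN (the root cause the article describes): a caller-supplied
    // Method is invoked inside doPrivileged, so the untrusted caller's stack frames are
    // excluded from the security check. Hiding this behind a Proxy class changes where
    // the call lives, not whether it is authorized.
    static Object invokeUnchecked(final Method m, final Object target, final Object... args)
            throws PrivilegedActionException {
        return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Object>) () -> m.invoke(target, args));
    }

    // Hypothetical permission naming what this helper may do on a caller's behalf.
    static final class ReflectiveInvokePermission extends BasicPermission {
        ReflectiveInvokePermission(String name) { super(name); }
    }

    // Only methods the library itself needs to reach are reachable through the helper.
    private static final Set<String> ALLOWED =
            Collections.singleton("java.util.Date#getTime");

    // HARDENED: (1) the permission check runs BEFORE entering the privileged block, so
    // every frame on the stack, including an untrusted caller, must hold the permission;
    // (2) the target method must be on an explicit allow-list, so even a permitted caller
    // cannot redirect the privileged invoke to arbitrary methods such as those on
    // java.lang.System.
    static Object invokeChecked(final Method m, final Object target, final Object... args)
            throws PrivilegedActionException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new ReflectiveInvokePermission("invoke"));
        }
        String key = m.getDeclaringClass().getName() + "#" + m.getName();
        if (!ALLOWED.contains(key)) {
            throw new SecurityException("method not permitted via privileged invoker: " + key);
        }
        return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Object>) () -> m.invoke(target, args));
    }
}
```

The difference worth noting is that invokeChecked adds an actual authorization decision outside the doPrivileged block, which is the "security check" Gowdiak says the IBM patch never introduced.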

IBM issued a patch for Issue 67, but that patch "requires only several minor changes to our original Proof of Concept code published in July 2013," Gowdiak said. This is the sixth ineffective Java security patch from IBM that Security Explorations has discovered, he said.

The researchers implemented Proof of Concept code that illustrates the vulnerability, and tested it on IBM SDK, Java Technology Edition, versions 7.1 and 8.0 for Linux, both of which were released on Jan. 26. Their tests verified that a complete Java security sandbox escape could be achieved, they said. Details of their findings have been posted in a Security Vulnerability Notice, available online.

Security Explorations originally uncovered the flaw in May 2013 amid a cluster of seven issues (62-68), all of which allowed a sandbox escape. At that time, Gowdiak also reported that four issues reported to IBM in September 2012 had not been fixed correctly by the company. "The problem with IBM fixes is that they aim to detect only one specific exploit vector… and miss many other scenarios," Gowdiak wrote at the time.

IBM responded to our requests for comment with an e-mailed statement: "IBM is aware of the vulnerability and is working to address the issue."

The security research firm recently uncovered a Java SE flaw that Oracle reported as patched, also back in 2013. The vulnerability made it possible to implement a class spoofing attack against the JVM. Although Security Explorations usually notifies vendors about the security issues it discovers before announcing them to the public, the company now makes an exception when it finds broken fixes and reports them without prior notice. Oracle's broken patch was the first to fall under this new policy; IBM's appears to be the second.

About the Author

David Ramel is an editor and writer for Converge360.