Security Experts:

Connect with us

Hi, what are you looking for?



Another IBM Java Patch Bypassed by Researchers

Researchers have identified another IBM Java patch that can be easily bypassed and claim the vendor failed to properly analyze the vulnerability they reported back in 2013.

Researchers have identified another IBM Java patch that can be easily bypassed and claim the vendor failed to properly analyze the vulnerability they reported back in 2013.

In 2012 and 2013, as part of its Java SE research project, Security Explorations discovered more than 70 vulnerabilities in the Java implementations of Oracle and IBM. Patches have been released for most of the issues, but an analysis conducted by the research firm has revealed that some of the fixes don’t address the root cause of the flaws.

In a post published on Monday on the Full Disclosure mailing list, Security Explorations founder and CEO Adam Gowdiak reported that IBM’s fix for CVE-2013-5456, dubbed “issue 70,” is not efficient.

The flaw, which can be exploited for a complete sandbox escape against the most recent versions of Java 7 and 8, was first reported to IBM in October 2013 and a patch was released the next month.

“The actual root cause of the issue hasn’t been addressed at all. There were no security checks introduced anywhere in the code. The patch primarily addressed the scenario illustrated by a Proof of Concept code. It didn’t take into account all code paths that could be used to reach the vulnerable code sequence,” Gowdiak said.

Two days after the vulnerability was reported to IBM, the vendor informed Security Explorations that the PoC it submitted did not work against the upcoming release. This led Security Explorations to believe that the issue had been independently found by IBM and patched.

“Now, we think this was not the case. The company likely concluded that there was no reason to investigate the issue further upon finding out that package access restrictions introduced in their internal build of Java blocked our POC code for Issue 70,” Gowdiak said.

Security Explorations has published an updated advisory detailing how IBM’s patch can be bypassed and released a PoC that has been successfully tested on IBM SDK, Java Technology Edition, versions 7.1 and 8.0 for Linux — both released on January 26. The company has recently updated its disclosure policy and no longer notifies vendors before disclosing broken patches.

“IBM is aware of the vulnerability and is working to address the issue,” IBM told SecurityWeek via email.

This is the 7th flawed patch released by IBM for a Java vulnerability discovered by Security Explorations. Earlier this month, the vulnerability research company reported that the fix for CVE-2013-3009 was also broken. IBM told SecurityWeek on April 5 that it was working to address the issue.

Oracle has also been called out for a broken Java SE patch. The company released another fix in March for a vulnerability it initially attempted to address in October 2013.

*Updated with statement from IBM

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet