Security Experts:

Connect with us

Hi, what are you looking for?



Another IBM Java Patch Bypassed by Researchers

Researchers have identified another IBM Java patch that can be easily bypassed and claim the vendor failed to properly analyze the vulnerability they reported back in 2013.

Researchers have identified another IBM Java patch that can be easily bypassed and claim the vendor failed to properly analyze the vulnerability they reported back in 2013.

In 2012 and 2013, as part of its Java SE research project, Security Explorations discovered more than 70 vulnerabilities in the Java implementations of Oracle and IBM. Patches have been released for most of the issues, but an analysis conducted by the research firm has revealed that some of the fixes don’t address the root cause of the flaws.

In a post published on Monday on the Full Disclosure mailing list, Security Explorations founder and CEO Adam Gowdiak reported that IBM’s fix for CVE-2013-5456, dubbed “issue 70,” is not efficient.

The flaw, which can be exploited for a complete sandbox escape against the most recent versions of Java 7 and 8, was first reported to IBM in October 2013 and a patch was released the next month.

“The actual root cause of the issue hasn’t been addressed at all. There were no security checks introduced anywhere in the code. The patch primarily addressed the scenario illustrated by a Proof of Concept code. It didn’t take into account all code paths that could be used to reach the vulnerable code sequence,” Gowdiak said.

Two days after the vulnerability was reported to IBM, the vendor informed Security Explorations that the PoC it submitted did not work against the upcoming release. This led Security Explorations to believe that the issue had been independently found by IBM and patched.

“Now, we think this was not the case. The company likely concluded that there was no reason to investigate the issue further upon finding out that package access restrictions introduced in their internal build of Java blocked our POC code for Issue 70,” Gowdiak said.

Security Explorations has published an updated advisory detailing how IBM’s patch can be bypassed and released a PoC that has been successfully tested on IBM SDK, Java Technology Edition, versions 7.1 and 8.0 for Linux — both released on January 26. The company has recently updated its disclosure policy and no longer notifies vendors before disclosing broken patches.

“IBM is aware of the vulnerability and is working to address the issue,” IBM told SecurityWeek via email.

This is the 7th flawed patch released by IBM for a Java vulnerability discovered by Security Explorations. Earlier this month, the vulnerability research company reported that the fix for CVE-2013-3009 was also broken. IBM told SecurityWeek on April 5 that it was working to address the issue.

Oracle has also been called out for a broken Java SE patch. The company released another fix in March for a vulnerability it initially attempted to address in October 2013.

*Updated with statement from IBM

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.