Researchers have identified another IBM Java patch that can be easily bypassed and claim the vendor failed to properly analyze the vulnerability they reported back in 2013.
In 2012 and 2013, as part of its Java SE research project, Security Explorations discovered more than 70 vulnerabilities in the Java implementations of Oracle and IBM. Patches have been released for most of the issues, but an analysis conducted by the research firm has revealed that some of the fixes don’t address the root cause of the flaws.
In a post published on Monday on the Full Disclosure mailing list, Security Explorations founder and CEO Adam Gowdiak reported that IBM’s fix for CVE-2013-5456, dubbed “issue 70,” is not efficient.
The flaw, which can be exploited for a complete sandbox escape against the most recent versions of Java 7 and 8, was first reported to IBM in October 2013 and a patch was released the next month.
“The actual root cause of the issue hasn’t been addressed at all. There were no security checks introduced anywhere in the code. The patch primarily addressed the scenario illustrated by a Proof of Concept code. It didn’t take into account all code paths that could be used to reach the vulnerable code sequence,” Gowdiak said.
Two days after the vulnerability was reported to IBM, the vendor informed Security Explorations that the PoC it submitted did not work against the upcoming release. This led Security Explorations to believe that the issue had been independently found by IBM and patched.
“Now, we think this was not the case. The company likely concluded that there was no reason to investigate the issue further upon finding out that package access restrictions introduced in their internal build of Java blocked our POC code for Issue 70,” Gowdiak said.
Security Explorations has published an updated advisory detailing how IBM’s patch can be bypassed and released a PoC that has been successfully tested on IBM SDK, Java Technology Edition, versions 7.1 and 8.0 for Linux — both released on January 26. The company has recently updated its disclosure policy and no longer notifies vendors before disclosing broken patches.
“IBM is aware of the vulnerability and is working to address the issue,” IBM told SecurityWeek via email.
This is the 7th flawed patch released by IBM for a Java vulnerability discovered by Security Explorations. Earlier this month, the vulnerability research company reported that the fix for CVE-2013-3009 was also broken. IBM told SecurityWeek on April 5 that it was working to address the issue.
Oracle has also been called out for a broken Java SE patch. The company released another fix in March for a vulnerability it initially attempted to address in October 2013.
*Updated with statement from IBM