Patch for Serious Two-Year-Old Java Flaw Bypassed

Researchers discovered that a patch released more than two years ago by Oracle for a serious Java sandbox escape vulnerability can be easily bypassed.

In 2012, over the course of several months, researchers at Poland-based Security Explorations analyzed Oracle’s Java Standard Edition (SE) and reported discovering a total of 69 issues. Oracle fixed many of the flaws in 2012 and 2013 with its regular Critical Patch Updates (CPUs), including a sandbox escape flaw tracked as CVE-2013-5838.

The vulnerability — the last issue reported by the security firm as part of its research into Java SE — was supposedly patched by Oracle with the October 2013 CPU. However, Security Explorations revealed this week that the patch can be easily bypassed by changing four characters in the proof-of-concept (PoC) code made available in October 2013, or by using a custom HTTP server that enforces a “404 Not Found” error when requesting a class for the first time.
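The article does not explain why a first-request "404 Not Found" matters to the JVM's class loading, and this page adds no exploit code. The following is an added example, written for this page and not Security Explorations' code, that only reproduces the serving behaviour the article describes: an HTTP server that answers 404 the first time each .class resource is requested and serves it from disk on every later request, so a researcher can check how a given Java runtime behaves under that condition. The served directory ("classes"), the port and the file names are assumptions.

```python
"""HTTP server that returns 404 on the first request for each .class file
and serves the file on subsequent requests.

Added example for this article (not Security Explorations' code). It only
implements the serving behaviour the text describes; the directory served,
the port, and the file names are assumptions.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import urlparse

# Per-path request counter shared by all handler instances.
_request_counts = {}
_lock = threading.Lock()


def decide_status(path, counts=None):
    """Record a request for `path` and return the HTTP status to send.

    A .class resource gets 404 on its first request and 200 afterwards.
    Any other resource is always 200; the special case applies to classes only.
    """
    if counts is None:
        counts = _request_counts
    with _lock:
        counts[path] = counts.get(path, 0) + 1
        seen = counts[path]
    if path.endswith(".class") and seen == 1:
        return 404
    return 200


class FirstFetch404Handler(BaseHTTPRequestHandler):
    # Directory holding the applet's .class files (assumption: ./classes).
    root = Path("classes")

    def do_GET(self):
        path = urlparse(self.path).path
        target = (self.root / path.lstrip("/")).resolve()
        # Refuse anything outside the served directory or not a regular file.
        if self.root.resolve() not in target.parents or not target.is_file():
            self.send_error(404)
            return
        if decide_status(path) == 404:
            self.send_error(404, "Not Found (first request for this class)")
            return
        data = target.read_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "application/java-vm")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        # Show which fetch this was so the 404-then-200 sequence is visible.
        path = urlparse(self.path).path
        print("%s %s (request #%d)" % (self.command, path,
                                        _request_counts.get(path, 0)))


if __name__ == "__main__":
    # Serve ./classes on localhost; point the applet codebase at this URL.
    HTTPServer(("127.0.0.1", 8000), FirstFetch404Handler).serve_forever()
```

Run it in a directory containing a `classes/` folder with the compiled classes and point an applet or Web Start codebase at `http://127.0.0.1:8000/`; the server log shows each class fetched twice, the first answered with 404. The counter is keyed by path only, so every client sees the same first-request failure; key it by client address as well if several JVMs fetch from the same instance.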

Adam Gowdiak, CEO and founder of Security Explorations, said the firm successfully leveraged the flaw for a complete Java sandbox escape in the latest versions of the software, namely Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.

Gowdiak pointed out that while the flaw can be exploited to escape the sandbox, it does not allow a bypass of the Click2Play feature or Java security level protections.

When it attempted to patch the security hole in October 2013, Oracle assigned the issue a CVSS score of 9.3, but noted that the weakness could only be exploited through sandboxed Java Web Start applications and sandboxed Java applets.

“This is not true. We verified that it could be successfully exploited in a server environment as well, such as Google App Engine for Java,” Gowdiak said in a post on the Full Disclosure mailing list.

Security Explorations did not notify Oracle before disclosing the details of the broken patch. The company modified its disclosure policy earlier this month and decided to publish the details of incomplete fixes without giving prior notice to the affected vendor.

SecurityWeek has reached out to Oracle to find out if the company plans on releasing a new patch for the issue. The next Java SE update is scheduled for April 19, 2016.

In the first CPU released for 2016, Oracle fixed a total of 248 issues across many of its products, including eight Java SE bugs.

Late last year, Oracle agreed to settle with the U.S. Federal Trade Commission over charges that it deceived customers about the security of the Java platform. As part of the settlement, Oracle will have to warn users during the Java update process if older versions of the software are present, notify them about the risks, and give them the option to remove the vulnerable application.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
