Researchers discovered that a patch released more than two years ago by Oracle for a serious Java sandbox escape vulnerability can be easily bypassed.
In 2012, over the course of several months, researchers at Poland-based Security Explorations analyzed Oracle’s Java Standard Edition (SE) and reported discovering a total of 69 issues. Oracle fixed many of the flaws in 2012 and 2013 with its regular Critical Patch Updates (CPUs), including a sandbox escape flaw tracked as CVE-2013-5838.
The vulnerability — the last issue reported by the security firm as part of its research into Java SE — was supposedly patched by Oracle with the October 2013 CPU. However, Security Explorations revealed this week that the patch can be easily bypassed by changing four characters in the proof-of-concept (PoC) code made available in October 2013, or by using a custom HTTP server that returns a “404 Not Found” error the first time a class is requested.
Adam Gowdiak, CEO and founder of Security Explorations, said they successfully leveraged the flaw for a complete Java sandbox escape in the latest versions of the software, namely Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.
Gowdiak pointed out that while the flaw can be exploited to escape the sandbox, it does not allow a bypass of the Click2Play feature or Java security level protections.
When it attempted to patch the security hole in October 2013, Oracle assigned the issue a CVSS score of 9.3, but noted that the weakness could only be exploited through sandboxed Java Web Start applications and sandboxed Java applets.
“This is not true. We verified that it could be successfully exploited in a server environment as well such as Google App Engine for Java,” Gowdiak said in a post on the Full Disclosure mailing list.
Security Explorations did not notify Oracle before disclosing the details of the broken patch. The company modified its disclosure policy earlier this month and decided to publish the details of incomplete fixes without giving prior notice to the affected vendor.
SecurityWeek has reached out to Oracle to find out if the company plans on releasing a new patch for the issue. The next Java SE update is scheduled for April 19, 2016.
In the first CPU released for 2016, Oracle fixed a total of 248 issues across many of its products, including eight Java SE bugs.
Late last year, Oracle agreed to settle with the U.S. Federal Trade Commission over charges that it deceived customers about the security of the Java platform. As part of the settlement, Oracle will have to warn users during the Java update process if older versions of the software are present, notify them about the risks, and give them the option to remove the vulnerable application.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.