Java Bugs, New and Old, Affecting IBM SDK

Security researcher Adam Gowdiak and his team at Security Explorations have discovered another slew of issues that stem from the way Java is implemented in certain versions of software, in this case, IBM’s SDK.

Security researcher Adam Gowdiak and his team at Security Explorations have discovered another batch of issues that stem from the way Java is implemented in certain versions of software, in this case, IBM’s SDK.

Gowdiak wrote Monday on the Full Disclosure mailing list about the issues, seven in total, that affect IBM and how its Java Technology Edition software is implemented. All of the vulnerabilities – codenamed issues 62-68 by Security Explorations – allow a Java VM sandbox bypass and all were tested to work on IBM SDK, Version 7.0 SR4 FP1 for Linux (32-bit x86), build pxi3270sr4fp1-20130325_01(SR4 FP1).

Like many flaws previously discovered by Security Explorations, a bulk of them rely on the insecure implementation of Java Reflection API.

Gowdiak, who also acts as CEO of the Polish company, claims IBM was forwarded information about all the vulnerabilities, including source and binary codes for proof of concept codes, including security bypass issues and broken fixes, on Monday morning.

In addition to the new vulnerabilities, four outstanding issues (33-49) that were initially sent to IBM in September 2012, still remain unfixed according to Gowdiak.

“Upon simple exploit codes modifications they can be still used to achieve a complete compromise of a target IBM Java environment,” he wrote Monday, insisting that the company appears to only fix one specific exploit vector and “miss many other scenarios.”

IBM claimed it was able to replicate the vulnerabilities in September 2012, that it developed solutions for them and pushed fixes in October and in November, readied them for download, according to Security Explorations’ vendor status page.

IBM did not immediately respond to an email request for comment when asked about the status of both new and old vulnerabilities Monday.

Gowdiak has proved quite adept at digging up Java bugs. It wasn’t even two weeks ago that he and his team reported a similar flaw that also involved the Java Reflection API to Oracle. The vulnerability notification, which Oracle says it will patch later this week on May 10, was on the heels of a massive patch update that saw the company patch 42 bugs.

Security Explorations has spent the bulk of this year going back and forth with Oracle about vulnerabilities, patches and the company’s checkered Java security as of late.

Suggested articles