Menu
Two-year-old Java flaw re-emerges due to broken patch

Two-year-old Java flaw re-emerges due to broken patch

A patch released by Oracle in 2013 can be easily bypassed to attack the latest Java versions, security researchers said

A patch for a critical Java flaw released by Oracle in 2013 is ineffective and can be easily bypassed, security researchers warn. This makes the vulnerability exploitable again, paving the way for attacks against PCs and servers running the latest versions of Java.

The flaw, tracked as CVE-2013-5838 in the Common Vulnerabilities and Exposures (CVE) database, was rated by Oracle 9.3 out of 10 using the Common Vulnerability Scoring System (CVSS). It can be exploited remotely, without authentication, to completely compromise a system's confidentiality, integrity and availability.

According to researchers from Polish security firm Security Explorations who originally reported the flaw to Oracle, attackers can exploit it to escape from the Java security sandbox. Under normal conditions, the Java Runtime Environment (JRE) executes Java code inside a virtual machine that is subject to security restrictions.

On Thursday, Security Explorations revealed that the Oracle patch for the vulnerability is broken. The fix can be trivially bypassed by making a four-character change to the proof-of-concept exploit code released in 2013, Security Explorations CEO Adam Gowdiak wrote in a message sent to the Full Disclosure security mailing list.

Gowdiak's company published a new technical report that explains how the bypass works in more detail.

The company's researchers claim that their new exploit was successfully tested on the latest available versions of Java: Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.

In its original advisory in October 2013, Oracle noted that CVE-2013-5838 only affects client deployments of Java and can be exploited through "sandboxed Java Web Start applications and sandboxed Java applets." According to Security Explorations, this is incorrect.

"We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java," Gowdiak said in the Full Disclosure message.

On the client side, Java's default security level -- which allows only signed Java applets to run -- and its click-to-play behavior can act as mitigating factors. These security restrictions can prevent automated silent attacks.

In order to exploit the vulnerability on an up-to-date Java installation, attackers would need to find a separate flaw that allows them to bypass the security prompts or to convince users to approve the execution of their malicious applet. The latter route is more likely.

Security Explorations has not notified Oracle about the CVE-2013-5838 bypass before disclosing it. According to Gowdiak the company's new policy is to inform the public immediately when broken fixes are found for vulnerabilities that the company has already reported to vendors.

"We do not tolerate broken fixes any more," he said.

It's not clear whether Oracle will push out an emergency Java update just to patch this vulnerability, or if it will wait until the next quarterly Critical Patch Update, which is scheduled for April 19.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments