Menu
Three-year-old IBM patch for critical Java flaw is broken

Three-year-old IBM patch for critical Java flaw is broken

Attackers can easily bypass the patch to exploit a vulnerability that allows them to escape from the Java security sandbox

Security researchers have found that a patch released by IBM three years ago for a critical vulnerability in its own Java implementation is ineffective and can be easily bypassed to exploit the flaw again.

The broken patch was discovered by researchers from Polish firm Security Explorations who found the vulnerability and reported it to IBM in May 2013. IBM issued a fix in a July 2013 update for its Java development kit.

IBM maintains its own implementation of the Java virtual machine and runtime. This version of Java is included in some of the company's enterprise software products, as well as in the IBM Software Developer Kit, which is available for platforms like AIX, Linux, z/OS and IBM i.

"The actual root cause of the issue hasn't been addressed at all," Adam Gowdiak, CEO of Security Explorations, said in a message sent Monday to the Full Disclosure mailing list. "There were no security checks introduced anywhere in the code. The patch relied solely on the idea that hiding the vulnerable method deep in the code and behind a Proxy class would be sufficient to address the issue."

This is the sixth time the company has discovered an ineffective patch from IBM for some of the Java issues that Security Explorations discovered, Gowdiak said. For one vulnerability, IBM released two broken patches in a row, he said.

IBM, in a statement, said it is aware of the vulnerability and is working to address it.

Security Explorations recently changed its vulnerability disclosure policy, saying that it will no longer tolerate broken patches for vulnerabilities that it has responsibly reported to vendors. The company will now publicly disclose how to bypass those fixes without notifying the vendors beforehand.

This is what the company did last month when it found that a patch released by Oracle in 2013 for a critical vulnerability in its own Java runtime was also ineffective. Security Explorations' recent public disclosure, which included proof-of-concept code to bypass the patch, made the vulnerability exploitable again in the latest versions of Java and forced Oracle to release an emergency update on March 23.

The same thing is happening now with the IBM patch. Security Explorations published a detailed technical report explaining how to bypass the company's 3-year-old fix and even released proof-of-concept code to show that the vulnerability can still be exploited in the latest versions of IBM SDK Java Technology Edition.

Breaking the IBM patch requires only "several minor changes to our original proof-of-concept code published in [July] 2013," Gowdiak said. "We verified that a complete Java security sandbox escape could be achieved with it."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Brand Post

What to expect from your IT Distributor

Whether you’re just starting out or you’ve been around since before the dot com rollercoaster, choosing the right distribution partner can be a pivotal factor in your success. This definitive guide outlines the traits that every IT partner needs to look for in their IT Distributor.

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments