Vulnerabilities / Threats
4/22/2013
11:08 AM
50%
50%

Oracle Bug Hunter Spots Java 7 Server Flaw

Server Java Runtime Environment vulnerability can be used to escape sandbox and execute code, says Polish security expert.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Another week, another warning that a new vulnerability has been discovered in Java.

Last week, Oracle released Java 7 update 21, which patched 42 new vulnerabilities. Come Monday, however, a security researcher warned that he'd discovered a reflection API vulnerability in the newly shipped Server Java Runtime Environment (JRE).

"The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11)," said veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations, in a Monday post to the Full Disclosure mailing list. "It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a Web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed)." Gowdiak said he filed a bug report -- including proof-of-concept exploit code -- with Oracle Monday, according to a Security Explorations vulnerability log.

[ Are you a WordPress user? Read WordPress Hackers Exploit Username 'Admin'. ]

The vulnerability could be used to escape the Java sandbox and execute arbitrary code on a client or server, although for a client-side attack, a user would have to allow a malicious application that exploits the vulnerability to run.

Java reflection API vulnerabilities have been an ongoing challenge for Oracle. The vulnerabilities involve tricking a challenge-response security system into revealing the answer to its own challenge. But this bug is a little different. "What's interesting is that the new issue is present not only in JRE Plugin / JDK software, but also the recently announced Server JRE as well," Gowdiak said.

First released last week with Java 7 update 21, Oracle describes Server JRE -- available for 64-bit Linux, Solaris and Windows systems -- as "a runtime environment specifically targeted for deploying Java in server environments ... [that] includes tools for JVM monitoring and tools commonly required for server applications, but does not include browser integration (the Java plug-in)."

That's notable, because the chief Java security worry centers on vulnerabilities in the Java browser plug-in -- because the plug-in can be directly targeted via malicious websites or phishing attacks -- rather than JavaScript, Enterprise JavaBeans, embedded Java, or Java running on Android.

But could attackers easily compromise vulnerabilities in Server JRE? Although Gowdiak hasn't publicly revealed any further details of the vulnerability he discovered, he did note that anyone questioning how a server-side flaw might be exploited should refer to Oracle's "Secure Coding Guidelines for a Java Programming Language" (section 3-8), which warns: "Take care interpreting untrusted code." The guidelines also say that "code can be hidden in a number of places," and that unless code has been validated, it should be restricted to a sandbox. Finally, it warns that Java components -- or APIs -- that might be used to introduce untrusted code include SQL. "Many SQL implementations allow execution of code with effects outside of the database itself," said Oracle.

Other potential untrusted code introduction -- or attack -- vectors include remote method invocation (RMI) and LDAP code loading, JavaBeans components, and the Sun implementation of the XSLT interpreter, which "enables extensions to call Java code," according to Oracle, although this feature can be disabled.

Despite the new Java bug warning, Oracle has been stepping up the pace of its Java patching efforts, releasing five Java 7 updates since the start of 2013, as well as a new malicious application warning system for suspicious Java applications. That security work, however, last week led the company's lead Java architect to call for the release of Java 8 to be delayed, so sufficient resources could continue to be devoted to better securing Java 7.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.