Researcher from Security Explorations have done it again. They’ve identified 5 vulnerabilities in Java SE 7 Update 15 which, when combined, can be exploited to achieve a complete sandbox bypass.
The new flaws, identified as “issue 56” through “issue 60,” have been identified by the researchers while they were trying to collect new evidence to prove to Oracle that the controversial “issue 54” is a security hole.
“Two of the issues found (59 and 60) could be potentially affecting Java SE 6 (we haven't checked this due to Java SE 6 EOL status), but since all of the issues need to be combined together to gain a successful Java SE security compromise, we treat it as affecting Java SE 7 only,” Adam Gowdiak, CEO of Security Explorations, told us in an email.
“The attack breaks a couple of security checks introduced to Java SE by Oracle over the recent months (Issues 57 and 58). It also exploits code fragments that were missing proper security checks corresponding to the very mirror code (Issue 59 and 60). Finally, it demonstrates a difference between the JVM specification and its implementation (Issue 56).”
Gowdiak explains that, similar to other vulnerabilities they’ve found, the Reflection API is the component that’s being exploited in the attack.
The complete details of the newly-discovered flaws, along with a proof-of-concept, have been sent to Oracle.
The company has confirmed receiving the reports, but it will remain to be seen if they see eye-to-eye with Security Explorations.
Last week, Oracle refused to admit that one of the issues leveraged in a Java exploit was a security hole, arguing that it demonstrates “accepted behavior.” Security Explorations says that the flaw's details will be published in the upcoming period if Oracle doesn’t change its mind.
“We confirmed that company's initial judgment of Issue 54 as the ‘allowed behavior’ contradicts both Java SE documentation as well as existing security checks in code. It looks Oracle needs to either start treating Issue 54 as a vulnerability or change the docs and relax some of the existing security checks,” Gowdiak noted.