Researchers from Polish firm Security Explorations have identified a number of 17 vulnerabilities in Java. However, this time it isn’t the Java developed by Oracle, but the one made by the IBM Corporation for AIX, Linux, z/OS and IBMi systems.
The affected software is IBM SDK, Java Technology Edition, version 7.0 SR1 for Linux 32-bit x86, build pxi3270sr1-20120330_01(SR1), released on April 30, 2012, and IBM SDK, Java Technology Edition, version 6.0 SR11 for Linux 32-bit x86, build pxi3260sr11-20120806_01(SR11), released on August 10, 2012.
“Among a total of 17 security weaknesses found, there are issues that can lead to the complete compromise of a target IBM Java environment,” Adam Gowdiak, CEO of Security Explorations, told Softpedia via email.
“It should be noted, that none of the identified issues are duplicates of previously reported vulnerabilities in Oracle's Java SE. These are purely IBM Java specific weaknesses and exploitation vectors,” he explained.
The company has developed working proof-of-concept codes for all the identified issues, including 10 exploits that demonstrate a complete IBM J9 Java VM security sandbox bypass.
Today, Security Explorations sent all the information they possess to IBM, including source and binary codes, and proof-of-concept codes.
While IBM works on addressing these issues, customers of IBM developer kits and runtime environments are advised to be cautious.
“At the moment, not much can be done beyond waiting for the patched IBM SDK versions. Users of IBM Java should consider disabling it if used as a plugin in a web browser,” the expert advises.
“Also, what might be important is that IBM Java is to some extent based on Oracle's Java SE. This alert
confirms this. The issues reported today are however completely different from those submitted to Oracle.”
A short while ago, the researchers told us that Oracle confirmed
the second set of vulnerabilities
reported by the company on August 31. The newly identified flaws made Java be insecure once again, just as it was before the out-of-band update was released
by Oracle to stop the ongoing attacks.