Security Explorations has sent information and POC code to IBM

Oct 16, 2013 12:34 GMT

Researchers from Security Explorations have identified a couple of new complete Java sandbox escape vulnerabilities affecting IBM's Java SDK for Java Technology Edition, version 7.0 SR5.

Security Explorations CEO Adam Gowdiak has told me in an email that the information and proof-of-concept code were sent to IBM today.

“Apart from that we also pointed out to IBM that one of the issues originally reported to the company in Sep 2012 has not been fixed properly,” Gowdiak noted.

“The patch for it (the second attempt to address it) can still be successfully bypassed. As a result, complete Java security sandbox escape can be gained in the environment of vulnerable IBM Java SDK.”

Today, the company has also published the technical details and a proof-of-concept for a Java 7 vulnerability (issue 69) patched by Oracle with the release of the October 2013 critical patch update (CPU).

Update: Security Explorations has received confirmation from IBM regarding the existence of the vulnerabilities.