[SE-2012-01] Security vulnerabilities in IBM Java

Type securityvulns
Reporter Securityvulns
Modified 2012-09-19T00:00:00


Hello All,

Security Explorations discovered multiple security vulnerabilities in IBM SDK, Java Technology Edition software [1]. This is IBM's [2] implementation of Java SE technology for the AIX, Linux, z/OS and IBM i platforms.

Among a total of 17 security weaknesses found, there are issues that can lead to the complete compromise of a target IBM Java environment.

It should be noted that none of the identified issues are duplicates of previously reported vulnerabilities in Oracle's Java SE [3]. These are purely IBM Java specific weaknesses and exploitation vectors.

Security Explorations developed reliable Proof of Concept codes for all of the issues found. This includes 10 exploit codes that successfully demonstrate a complete IBM J9 Java VM security sandbox bypass.

The following versions of IBM Java SDK were verified to be vulnerable:

* IBM SDK, Java Technology Edition, Version 7.0 SR1 for Linux 32-bit x86, build pxi3270sr1-20120330_01(SR1), released on 2012-04-30
* IBM SDK, Java Technology Edition, Version 6.0 SR11 for Linux 32-bit x86, build pxi3260sr11-20120806_01(SR11), released on 2012-08-10

On Sep 11 2012, Security Explorations sent a vulnerability notice to IBM Corporation containing detailed information about the discovered issues. Along with that, the company was also provided with source and binary code for our Proof of Concept codes illustrating all security bypass issues and exploitation vectors.

Thank you.

Best Regards,
Adam Gowdiak

Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"

References:
[1] IBM developer kits
    http://www.ibm.com/developerworks/java/jdk/
[2] IBM Corporation
    http://www.ibm.com
[3] SE-2012-01 Vendors status
    http://www.security-explorations.com/en/SE-2012-01-status.html