Bugtraq mailing list archives

[SE-2012-01] Security vulnerabilities in IBM Java
From: Security Explorations <contact () security-explorations com>
Date: Tue, 11 Sep 2012 09:21:33 +0200


Hello All,

Security Explorations discovered multiple security vulnerabilities
in IBM SDK, Java Technology Edition software [1]. This is IBM's [2]
implementation of Java SE technology for AIX, Linux, z/OS and IBMi
platforms.

Among a total of 17 security weaknesses found, there are issues that
can lead to the complete compromise of a target IBM Java environment.

It should be noted that none of the identified issues are duplicates
of previously reported vulnerabilities in Oracle's Java SE [3]. These
are purely IBM Java specific weaknesses and exploitation vectors.

Security Explorations developed reliable Proof of Concept codes for all
of the issues found. This includes 10 exploit codes that successfully
demonstrate a complete IBM J9 Java VM security sandbox bypass.

The following versions of IBM Java SDK were verified to be vulnerable:
* IBM SDK, Java Technology Edition, Version 7.0 SR1 for Linux 32-bit
  x86, build pxi3270sr1-20120330_01(SR1), released on 2012-04-30
* IBM SDK, Java Technology Edition, Version 6.0 SR11 for Linux 32-bit
  x86, build pxi3260sr11-20120806_01(SR11), released on 2012-08-10

On Sep 11 2012, Security Explorations sent a vulnerability notice to
IBM corporation containing detailed information about discovered issues.
Along with that, the company was also provided with source and binary
codes for our Proof of Concept codes illustrating all security bypass
issues and exploitation vectors.

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] IBM developer kits
    http://www.ibm.com/developerworks/java/jdk/
[2] IBM Corporation
    http://www.ibm.com
[3] SE-2012-01 Vendors status
    http://www.security-explorations.com/en/SE-2012-01-status.html

