Serious flaw present in latest Java Runtime Environment for desktops and servers, researchers say

Researchers from Security Explorations claim to have found a new sandbox bypass vulnerability in the Java 7 Reflection API component

Java vulnerability hunters from Polish security research firm Security Explorations claim to have found a new vulnerability that affects the latest desktop and server versions of the Java Runtime Environment (JRE).

The vulnerability is located in Java's Reflection API component and can be used to completely bypass the Java security sandbox and execute arbitrary code on computers, Adam Gowdiak, the CEO of Security Explorations, said Monday in an email sent to the Full Disclosure mailing list. The flaw affects all versions of Java 7, including Java 7 Update 21 that was released by Oracle last Tuesday and the new Server JRE package released at the same time, he said.

As the name suggests, the Server JRE is a version of the Java Runtime Environment designed for Java server deployments. According to Oracle, the Server JRE doesn't contain the Java browser plug-in, a frequent target for Web-based exploits, the auto-update component or the installer found in the regular JRE package.

Although Oracle is aware that Java vulnerabilities can also be exploited on server deployments by supplying malicious input to APIs (application programming interfaces) in vulnerable components, its message has generally been that the majority of Java vulnerabilities only affect the Java browser plug-in or that the exploitation scenarios for Java flaws on servers are improbable, Gowdiak said Tuesday via email.

"We tried to make users aware that Oracle's claims were incorrect with respect to the impact of Java SE vulnerabilities," Gowdiak said. "We proved that the bugs evaluated by Oracle as affecting only the Java plug-in could affect servers as well."

In February, Security Explorations published a proof-of-concept exploit for a Java vulnerability classified as plug-in-based that could have been used to attack Java on servers using the RMI (remote method invocation) protocol, Gowdiak said. Oracle addressed the RMI attack vector in the Java update last week, but other methods of attacking Java deployments on servers exist, he said.

Security Explorations researchers haven't verified the successful exploitation of the new vulnerability they found against Server JRE, but they listed known Java APIs and components that could be used to load or execute untrusted Java code on servers.

If an attack vector exists in one of the components mentioned in Guideline 3-8 of Oracle's "Secure Coding Guidelines for a Java Programming Language," Java server deployments can be attacked through a vulnerability like the one reported Monday to Oracle, Gowdiak said.

The researcher took issue with the way Reflection API was implemented and audited for security issues in Java 7, because the component has been the source of multiple vulnerabilities so far. "The Reflection API does not fit the Java security model very well and if used improperly it can easily lead to security problems," he said.

This new flaw is a typical example of a Reflection API weakness, Gowdiak said. This vulnerability shouldn't be present in Java 7 code one year after a generic security problem related to Reflection API was reported to Oracle by Security Explorations, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Security ExplorationssecurityExploits / vulnerabilitiesOracle

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?