Hello All, We discovered that yet another fix for a security vulnerability in IBM Java (Issue 70 [1] assigned CVE-2013-5456) we reported to the company in 2013 hasn't been fixed properly. Again, the actual root cause of the issue hasn't been addressed at all. There were no security checks introduced anywhere in the code. The patch primarily addressed the scenario illustrated by a Proof of Concept code. It didn't take into account all code paths that could be used to reach the vulnerable code sequence. Full technical details of IBM fix bypass can be found in our technical report: http://www.security-explorations.com/materials/SE-2012-01-IBM-5.pdf Along with the report, we have also published a Proof of Concept code to illustrate the broken fix: http://www.security-explorations.com/materials/se-2012-01-70.2.zip What's worth to mention is that when we reported Issue 70 to IBM (Oct 16, 2013 [2]), the company responded 2 days later that as a result of its testing of the received Proof of Concept codes against soon to be released 4Q service update, Issue 70 has been found to be addressed. This was the first time a vendor notified us that a reported weakness didn't affect its internal and not yet available to the public build of the software. Our understanding was that IBM discovered the issue on its own and already addressed it. Now, we think this was not the case. The company likely concluded that there was no reason to investigate the issue further upon finding out that package access restrictions introduced in their internal build of Java blocked our POC code for Issue 70. Thank you. -- Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to the new level" --------------------------------------------- References: [1] SE-2012-01-IBM-3, Issues 70-71 http://www.security-explorations.com/materials/SE-2012-01-IBM-3.pdf [2] SE-2012-01 Vendors status http://www.security-explorations.com/en/SE-2012-01-status.html
