(LiveHacking.Com) – Java was last updated only a few days ago when Oracle released an updated patch for Java SE to included five additional fixes that did not make it into the original patches delivered on February 1st. Now Adam Gowdiak, from Security Explorations, has posted to the full disclosure mailing list revealing details of two more zero-day vulnerabilities in the latest Java version.
According to Gowdiak, his company started to analyze the February 19th update and found two new security issues which when combined together can be successfully used to gain a complete Java security sandbox bypass. The company immediately reported the vulnerabilities to Oracle along with working Proof of Concept code.
Oracle did some investigation and has confirmed that the two issues when combined result in a full sandbox bypass for Java SE 7 Update 15. However, Oracle did note that one of the issues was actually the intended behavior, something that the team at Security Explorations reject. According to Gowdiak, there is a mirror case corresponding to the issue that leads to an access denied condition and a security exception.
“That alone seems to be enough to contradict the ‘allowed behavior’ claim,” said Adam Gowdiak. “Is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?”
It seems that Gowdiak is going to release details of the issue which he claims is a security vulnerability, but Oracle claim is the ‘allowed behavior’, if Oracle doesn’t change its stance.
Both the issues are specific to Java SE 7 only as they abuse the Reflection API in a particularly interesting way.