Two-year-old Java flaw re-emerges due to broken patch

A patch released by Oracle in 2013 can be easily bypassed to attack the latest Java versions, security researchers said

A patch for a critical Java flaw released by Oracle in 2013 is ineffective and can be easily bypassed, security researchers warn. This makes the vulnerability exploitable again, paving the way for attacks against PCs and servers running the latest versions of Java.

The flaw, tracked as CVE-2013-5838 in the Common Vulnerabilities and Exposures (CVE) database, was rated by Oracle 9.3 out of 10 using the Common Vulnerability Scoring System (CVSS). It can be exploited remotely, without authentication, to completely compromise a system's confidentiality, integrity and availability.

According to researchers from Polish security firm Security Explorations who originally reported the flaw to Oracle, attackers can exploit it to escape from the Java security sandbox. Under normal conditions, the Java Runtime Environment (JRE) executes Java code inside a virtual machine that is subject to security restrictions.

On Thursday, Security Explorations revealed that the Oracle patch for the vulnerability is broken. The fix can be trivially bypassed by making a four-character change to the proof-of-concept exploit code released in 2013, Security Explorations CEO Adam Gowdiak wrote in a message sent to the Full Disclosure security mailing list.

Gowdiak's company published a new technical report that explains how the bypass works in more detail.

The company's researchers claim that their new exploit was successfully tested on the latest available versions of Java: Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.

In its original advisory in October 2013, Oracle noted that CVE-2013-5838 only affects client deployments of Java and can be exploited through "sandboxed Java Web Start applications and sandboxed Java applets." According to Security Explorations, this is incorrect.

"We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java," Gowdiak said in the Full Disclosure message.

On the client side, Java's default security level -- which allows only signed Java applets to run -- and its click-to-play behavior can act as mitigating factors. These security restrictions can prevent automated silent attacks.

In order to exploit the vulnerability on an up-to-date Java installation, attackers would need to find a separate flaw that allows them to bypass the security prompts or to convince users to approve the execution of their malicious applet. The latter route is more likely.

Security Explorations has not notified Oracle about the CVE-2013-5838 bypass before disclosing it. According to Gowdiak the company's new policy is to inform the public immediately when broken fixes are found for vulnerabilities that the company has already reported to vendors.

"We do not tolerate broken fixes any more," he said.

It's not clear whether Oracle will push out an emergency Java update just to patch this vulnerability, or if it will wait until the next quarterly Critical Patch Update, which is scheduled for April 19.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place