
Two Year Old Java flaw is back due to broken patch

The patch Oracle released in 2013 for the critical Java flaw CVE-2013-5838 is ineffective and can be easily bypassed.

Bad news for Java users: the patch Oracle released in 2013 for a critical Java flaw (CVE-2013-5838) is ineffective and can be easily bypassed, security researchers warn. This makes the vulnerability exploitable again, opening the way for attacks against PCs and servers running the latest versions of Java.

The vulnerability, tracked as CVE-2013-5838 in the Common Vulnerabilities and Exposures (CVE) database, was given a CVSS score of 9.3 out of 10 by Oracle because it can be exploited remotely, without authentication, to completely compromise a vulnerable system.

According to researchers from Polish security firm Security Explorations, who originally reported the flaw to Oracle, attackers can exploit it to escape from the Java security sandbox. Under normal conditions, the Java Runtime Environment (JRE) executes untrusted Java code inside a virtual machine that is subject to security restrictions; a sandbox escape lets that code run with the full privileges of the process.

On Thursday, Security Explorations revealed that the Oracle patch for the vulnerability is broken. The fix can be trivially bypassed by making a four-character change to the proof-of-concept (PoC) exploit code released in 2013, Security Explorations CEO Adam Gowdiak wrote in a message sent to the Full Disclosure security mailing list.

“We however found out that the Oracle patch could be trivially bypassed with the use of the following:

  • a four-character change to our original POC code published in Oct 2013
  • a custom HTTP server enforcing a “404 (Not Found)” error when requesting a given class for the first time.”

Gowdiak’s company published a new technical report that explains how the bypass works in more detail.
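The second ingredient named above, a class server that answers 404 on the first request for a given class and serves the class on every later request, is shown here as an added example. It is not Security Explorations' PoC code; the Java side of the PoC is not reproduced on this page and is not included here, and this server by itself does nothing against the JRE. The example assumes class files are served from a local directory (the `Probe.class` bytes in `demo()` are a constructed placeholder, not a real class file).

```python
"""Minimal HTTP class server: 404 on the first request for a .class resource,
200 with the file on every later request for the same path.

Added example (not Security Explorations' code). Only the HTTP-side behaviour
named in the advisory is modelled; no Java code is involved.
"""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from collections import Counter


class FirstRequestNotFoundPolicy:
    """Per-path decision: first request for a matching suffix -> 404, later -> 200.

    Paths that do not match any suffix are always 200 here; the handler still
    returns its own 404 if the file does not exist on disk.
    """

    def __init__(self, suffixes=(".class",)):
        self.suffixes = tuple(suffixes)
        self.seen = Counter()  # request count per path

    def status_for(self, path):
        if not path.endswith(self.suffixes):
            return 200
        self.seen[path] += 1
        return 404 if self.seen[path] == 1 else 200


class ClassHandler(http.server.SimpleHTTPRequestHandler):
    """Serves files from `directory`, consulting the policy before each GET."""

    def __init__(self, *args, policy, **kwargs):
        # BaseRequestHandler.__init__ runs handle() immediately, so the policy
        # must be attached before delegating.
        self.policy = policy
        super().__init__(*args, **kwargs)

    def do_GET(self):
        if self.policy.status_for(self.path) == 404:
            self.send_error(404, "Not Found")
            return
        super().do_GET()  # normal file serving from the configured directory

    def log_message(self, fmt, *args):
        print("[%s] seen=%d %s" % (self.address_string(),
                                    self.policy.seen[self.path], fmt % args))


def fetch_status(port, path):
    """GET a path on the local server and return the HTTP status code."""
    try:
        with urllib.request.urlopen("http://127.0.0.1:%d%s" % (port, path)) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Start the server on a temp dir and request one class three times.

    Returns the list of status codes observed, expected [404, 200, 200].
    """
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "Probe.class"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")  # constructed placeholder: class-file magic only
    policy = FirstRequestNotFoundPolicy()
    handler = functools.partial(ClassHandler, policy=policy, directory=tmp)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return [fetch_status(port, "/Probe.class") for _ in range(3)]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The policy is kept separate from the handler so the 404-then-200 behaviour can be unit-tested without opening a socket; `demo()` wires it to a real `ThreadingHTTPServer` on an ephemeral port so the sequence can be observed end to end.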

The new PoC exploit code works on the latest available versions of Java, including Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.

In its original advisory in October 2013, Oracle noted that CVE-2013-5838 only affects client deployments of Java and can be exploited through “sandboxed Java Web Start applications and sandboxed Java applets.” According to Security Explorations, this is incorrect.

“We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java,” added Gowdiak.

In a real attack scenario against a client, the attackers would still need to get past the Java security prompts: either by finding a separate flaw that lets the attack run silently without the prompts, or by convincing users to approve the execution of the exploit code.

There is no information yet on how Oracle intends to address the problem. It could push out an emergency patch; otherwise users will have to wait for the next quarterly Critical Patch Update, scheduled for April 19.

Jay Prakash Kumar

Jay Prakash is the founder of Professional Hacker, a technical writer, software developer, security analyst and technology enthusiast with a keen eye on the cyber world and other technology-related developments.