The com.ibm.rmi.io.SunSerializableFactory class in IBM Java SDK 7.0.0 before SR6 allows remote malicious users to bypass a sandbox protection mechanism and execute arbitrary code via vectors related to deserialization inside the AccessController doPrivileged block.
Vulnerable Product |
---|
ibm java 7.0.0.0 |
And this time, do it right
A security researcher who pointed out serious Java Runtime Engine vulnerabilities to IBM in 2013 has accused Big Blue of not fixing the bugs properly. The gist of this Full Disclosure post is that back in 2013, IBM closed off the proof-of-concept attack without considering all possible code paths to the vulnerability. The message comes from Adam Gowdiak, whom IBM credits with finding the flaw in this Security Bulletin. Gowdiak's new work explains that CVE-2013-5456 enabled a Java sandbox ...