Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions or execute arbitrary code.
Description
Security researchers have released details of multiple new instances of several classes of vulnerability in Oracle Java. The vulnerabilities result from flaws similar to recently reported ones and involve various Java Virtual Machine (JVM) components: class loaders, the byte code verifier, the security manager, the JVM runtime execution engine and class definition, and the garbage collector.
In addition, abuse of Java Reflection Application Programming Interface (API) calls could allow an attacker to load restricted classes; obtain references to constructors, methods, or fields of a restricted class; create new object instances or invoke methods; or get and set field values of a restricted class. Using these flaws, an attacker could access sensitive objects and bypass sandbox protections, compromising the Java VM.
The security researchers have released 28 examples of proof-of-concept code that could allow a complete compromise of the Java security sandbox. A further 17 examples of proof-of-concept code relate to Oracle Java SE, Apple QuickTime for Java, and IBM Java. The exploit vectors include a call to the getField method of the sun.awt.SunToolkit class, a call to the java.lang.invoke.MethodHandles.Lookup class, remote server-side code execution by way of a Remote Method Invocation (RMI) protocol attack, and the improper implementation of the XML beans decoder.
Some of these vulnerabilities are due to insecure use of the invoke method of java.lang.reflect.Method in product-specific packages. Numerous partial security bypass vulnerabilities due to the insecure or improper use of method objects of restricted classes were also identified.
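The reflective steps listed above (loading a restricted class, obtaining a non-public member, lifting access checks, and reading or writing a private field) are each a separate checkpoint in the Java 7/8 sandbox. The following program, added here as an illustration and not code from the advisory or from Oracle, runs those steps twice: once as trusted code with no SecurityManager, and once under a custom SecurityManager that denies exactly the three permissions the default sandbox would withhold from an applet. The `Restricted` class and the `SandboxPolicy` manager are hypothetical stand-ins; `sun.awt.SunToolkit` and `String.value` are real JDK members chosen only because they sit behind the bootstrap class loader. It targets the JDK 7/8 behaviour discussed in the advisory; on JDK 18 and later `System.setSecurityManager` requires `-Djava.security.manager=allow`, and the Security Manager is deprecated for removal (JEP 411).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlException;
import java.security.Permission;

// Hypothetical class standing in for a privileged runtime class whose state
// an attacker would like to read or overwrite.
class Restricted {
    private String secret = "restricted-state";
}

public class SandboxChecks {

    // Hypothetical policy mirroring the three sandbox checks that gate the
    // reflective steps below. Every other permission is granted so the JVM
    // keeps running; a denied permission surfaces as AccessControlException.
    static final class SandboxPolicy extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            String name = p.getName();
            boolean restrictedPackage = p instanceof RuntimePermission
                    && name.startsWith("accessClassInPackage.sun.");
            boolean declaredMembers = p instanceof RuntimePermission
                    && name.equals("accessDeclaredMembers");
            boolean suppressChecks = p instanceof ReflectPermission
                    && name.equals("suppressAccessChecks");
            if (restrictedPackage || declaredMembers || suppressChecks) {
                throw new AccessControlException("denied " + p, p);
            }
        }
    }

    interface Attempt { void run() throws Exception; }

    // Runs one reflective step and reports how the runtime answered it.
    static String attempt(String label, Attempt a) {
        try {
            a.run();
            return label + ": allowed";
        } catch (AccessControlException e) {
            return label + ": denied by SecurityManager (" + e.getPermission() + ")";
        } catch (Exception e) {
            return label + ": failed (" + e.getClass().getSimpleName() + ")";
        }
    }

    static void runAll() {
        // 1. Load a class from a restricted package. The application class
        //    loader consults the SecurityManager for accessClassInPackage.sun.awt
        //    before delegating the load.
        System.out.println(attempt("load sun.awt.SunToolkit",
                () -> Class.forName("sun.awt.SunToolkit")));

        // 2. Obtain a non-public member of a class owned by a different class
        //    loader (the bootstrap loader): gated by accessDeclaredMembers.
        System.out.println(attempt("getDeclaredField String.value",
                () -> String.class.getDeclaredField("value")));

        // 3. Lift the private modifier on a member we were allowed to look up
        //    (same loader, so no member-access check) and overwrite the field:
        //    gated by ReflectPermission("suppressAccessChecks").
        System.out.println(attempt("setAccessible + set Restricted.secret", () -> {
            Field f = Restricted.class.getDeclaredField("secret");
            f.setAccessible(true);
            f.set(new Restricted(), "overwritten");
        }));

        // 4. Read the private field without setAccessible. Even with no
        //    SecurityManager the JVM's language access check refuses this,
        //    because the immediate caller (this class) is not Restricted.
        System.out.println(attempt("get Restricted.secret without setAccessible", () -> {
            Field f = Restricted.class.getDeclaredField("secret");
            f.get(new Restricted());
        }));
    }

    public static void main(String[] args) {
        System.out.println("-- no SecurityManager (trusted code) --");
        runAll();
        System.out.println("-- sandbox SecurityManager (untrusted code) --");
        System.setSecurityManager(new SandboxPolicy()); // JDK 18+: -Djava.security.manager=allow
        runAll();
    }
}
```

In the first pass steps 1 to 3 succeed and only step 4 fails, which is the language-level access check that applies regardless of any sandbox. In the second pass steps 1 to 3 are each refused by the SecurityManager. The vulnerabilities described above work by finding a trusted runtime class that performs one of those steps on the attacker's behalf: `Method.invoke`, `Field.get` and `Field.set` perform their language access check against their immediate caller, and `setAccessible` and `getDeclaredField` are checked against the calling stack, so trusted code that applies them to a caller-supplied `Method` or `Field` (or does so inside a privileged block) lends its own privileges to untrusted code. That confused-deputy pattern is the class of flaw the advisory attributes to insecure use of `java.lang.reflect.Method.invoke`.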
Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.
Proof-of-concept code that could aid attackers in building functional exploits is publicly available.
Administrators are advised to contact the vendor regarding future updates and releases.
Users are advised to disable Java content in web browsers through the Java control panel applet.
Administrators may consider disabling Java and the Java plug-in in web browsers. Instructions for disabling Java in web browsers are available at the following links:
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through the Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.