Security researchers have released details of multiple new vulnerabilities in Oracle Java. The vulnerabilities stem from flaws similar to recently reported ones that abuse various Java Virtual Machine (JVM) components, such as class loaders, the bytecode verifier, the security manager, the JVM runtime execution engine and class definition, or the garbage collector.
In addition, security risks associated with the abuse of Java Reflection Application Programming Interface (API) calls could allow an attacker to load restricted classes; obtain references to constructors, methods, or fields of a restricted class; create new object instances or methods; or obtain or set field values of a restricted class. Using these flaws, an attacker could access sensitive objects and bypass sandbox protections, allowing the attacker to compromise a Java VM.
The security researchers have released 28 examples of proof-of-concept code that could allow a complete compromise of the Java security sandbox. A further 17 examples of proof-of-concept code relate to Oracle Java SE, Apple QuickTime for Java, and IBM Java. The exploit vectors include a call to the getField method and the sun.awt.SunToolkit class, a call to the java.lang.invoke.MethodHandles.Lookup class, remote server-side code execution by way of a Remote Method Invocation (RMI) protocol attack, or the improper implementation of the XML Beans decoder.
Some of these vulnerabilities are due to insecure use of the invoke method of java.lang.reflect.Method in product-specific packages. Numerous partial security bypass vulnerabilities due to the insecure or improper use of method objects of restricted classes were also identified.
Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.
Proof-of-concept code that could aid attackers in building functional exploits is publicly available.
Administrators are advised to contact the vendor regarding future updates and releases.
Users are advised to disable Java content in web browsers through the Java control panel applet.
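The Control Panel checkbox referred to above is backed by Java deployment properties, so the same workaround can be applied and verified from a script. The following is an added example, not code from the Cisco alert; it assumes the key names deployment.webjava.enabled and deployment.webjava.enabled.locked and the per-user path ~/.java/deployment/deployment.properties documented by Oracle for Java 7u10 and later (a system-wide setting would instead go through a deployment.config file).

```shell
#!/bin/sh
# Added example: disable "Enable Java content in the browser" for the
# current user and lock the setting so it cannot be re-enabled from the
# Java Control Panel. Property names and the config path are assumptions
# based on Oracle's deployment configuration, not taken from the alert.

# disable_webjava [config_dir] -- write the two keys, replacing any older
# values for them so the file stays consistent when run repeatedly.
disable_webjava() {
  dir="${1:-$HOME/.java/deployment}"
  file="$dir/deployment.properties"
  mkdir -p "$dir" || return 1
  [ -f "$file" ] || : > "$file"
  # grep exits 1 when no line survives the filter; that is not an error here.
  grep -v '^deployment\.webjava\.enabled' "$file" > "$file.tmp" || true
  printf '%s\n' 'deployment.webjava.enabled=false' \
                'deployment.webjava.enabled.locked' >> "$file.tmp"
  mv "$file.tmp" "$file"
}

# webjava_disabled [config_dir] -- exit 0 only if browser Java content is
# both disabled and locked, suitable for a compliance check.
webjava_disabled() {
  file="${1:-$HOME/.java/deployment}/deployment.properties"
  grep -q '^deployment\.webjava\.enabled=false$' "$file" 2>/dev/null &&
    grep -q '^deployment\.webjava\.enabled\.locked$' "$file" 2>/dev/null
}

# Run with --apply to change the current user's configuration.
if [ "${1:-}" = "--apply" ]; then
  disable_webjava && echo "Java browser content disabled and locked"
fi
```

Running the script with `--apply` writes the user-level file; `webjava_disabled` can be called from inventory or audit tooling to confirm the setting is still in place.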
Administrators may consider disabling Java and the Java plug-in in web browsers. Instructions for disabling Java in web browsers are available at the following links:
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.