Tuesday, January 15, 2013

Update on CVE-2013-0422, The Aftermath

Oracle has officially released Java 7 update 11 which addresses one of two vulnerabilities highlighted in CVE-2013-0422.

The reflective (invoke) API vulnerability (introduced in Java 7) has been patched, and it has come to light from posts to the Full Disclosure mailing list that this particular vulnerability was introduced due to an earlier, incomplete patch.
Full write up here: More details on Issue 32 and Oracle's 'fix' for it

The initial confounding information released by Immunity Inc, stating that JRE 6 could be affected by the "com.sun.jmx.mbeanserver.MBeanInstantiator.findClass" vulnerability, has been refuted by the very same firm after further analysis. This provides third-party substantiation of Oracle's claim that only JDK and JRE 7 update 10 and earlier are affected.
A summary of Immunity Inc's findings:
After further research we found that although the MBeanInstantiator code is the same in both versions, JDK/JRE 6 cannot be exploited.
Original analysis [Warning, PDF!]: https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
Post Patch Analysis: http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html?m=1

Patching the reflective API vulnerability cuts off the vehicle for exploitation of the MBeanInstantiator.findClass vulnerability. However, Immunity Inc indicates that restricted classes can still be called. This calls into question the overall security of the trusted class model utilized by Java 7. It remains to be seen whether another vehicle for exploitation will be found, and if so, how soon it will be utilized.

Oracle's official Security Alert can be found here: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

Two big takeaways here:
1) JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.
2) The MBeanInstantiator.findClass vulnerability is still present, but currently there are no known alternative methods to utilize this bug.
