Two more zero-day Java bugs discovered
Polish researchers find more flaws in Java 7 browser plug-in.


Java has been hit by the discovery of two more vulnerabilities. Polish security firm Security Explorations has reported the bugs to Oracle, and said it submitted information about them, including proof-of-concept exploits, to the company.
"We had yet another look into Oracle's Java SE 7 software that was released by the company on Feb. 19," said Adam Gowdiak in a posting to Seclists.org. "As a result, we have discovered two new security issues, which when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03)."
Gowdiak said that both new issues are specific to Java SE 7. "They allow to abuse the Reflection API in a particularly interesting way," he added.
"Without going into further details, everything indicates that a ball is in Oracle's court. Again."
The flaws do not affect Java 6, which Oracle has officially retired from support.
Gowdiak said in an update to the posting that Oracle had provided his firm with the results of its analysis: one flaw had been confirmed as an issue, but the other, dubbed "Issue 54", was "not treated as a vulnerability as it demonstrates the 'allowed behavior'".
Gowdiak said he disagreed with Oracle's assessment of Issue 54.
"There is a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception," he said. "That alone seems to be enough to contradict the 'allowed behavior' claim by the company (is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?)."
He warned Oracle that if it stuck with its original assessment, his company would have "no choice but to publish details of Issue 54".
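The "access denied condition and a security exception" Gowdiak refers to is the normal behaviour of the Java sandbox when untrusted code tries to use the Reflection API to reach private state. The following is an added illustration of that boundary, written for this page; it is not Security Explorations' proof-of-concept, not Oracle's code, and says nothing about how Issue 54 itself works. The `Secret` class and its `token` value are constructed for the demonstration. It runs as written on Java 7 and 8; on Java 18 and later the JVM must be started with `-Djava.security.manager=allow` because the security manager is deprecated for removal.

```java
import java.lang.reflect.Field;

/*
 * Added illustration (not the researchers' exploit, not Oracle code):
 * the same reflective access is allowed without a SecurityManager and
 * denied with one, which is the boundary a sandbox bypass has to cross.
 */
public class ReflectionSandboxDemo {

    // Hypothetical stand-in for a privileged object whose private state
    // untrusted code must not be able to read or modify.
    static final class Secret {
        private String token = "top-secret";   // constructed sample value
    }

    /** Try to read Secret.token via reflection and report the outcome. */
    static String readPrivateField(Secret target) {
        try {
            Field f = Secret.class.getDeclaredField("token");
            // With a SecurityManager installed, setAccessible(true) checks
            // ReflectPermission("suppressAccessChecks") against the caller's
            // protection domain and throws if the policy does not grant it.
            f.setAccessible(true);
            return "ALLOWED: " + f.get(target);
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException: the sandbox
            // refused to let us suppress Java language access checks.
            return "DENIED: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "ERROR: " + e;
        }
    }

    public static void main(String[] args) {
        Secret s = new Secret();

        // 1. No sandbox: any code on the classpath can suppress access checks.
        System.out.println("without SecurityManager -> " + readPrivateField(s));

        // 2. Sandboxed: the default policy file grants ordinary classpath code
        //    no ReflectPermission, so the identical call is now refused.
        System.setSecurityManager(new SecurityManager());
        System.out.println("with SecurityManager    -> " + readPrivateField(s));
    }
}
```

The point of the comparison is the one Gowdiak makes: the public Reflection API is gated by `checkPermission`, so a private JDK code path that reaches the same result without passing that gate is a hole in the sandbox, not "allowed behavior".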
The vulnerabilities are the latest in a slew of problems affecting the platform. Twice this year Oracle has had to rush out emergency out-of-band patches to fix flaws in Java.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.