Two more zero-day Java bugs discovered
Polish researchers find more flaws in Java 7 browser plug-in.


Java has been hit by the discovery of two more vulnerabilities. Polish security firm Security Explorations has reported the bugs to Oracle.
The security company said that it had submitted information about the bugs, including proof-of-concept exploits to Oracle.
"We had yet another look into Oracle's Java SE 7 software that was released by the company on Feb. 19," said Adam Gowdiak in a posting to the security forum Seclists.org. "As a result, we have discovered two new security issues, which when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03)."
Gowdiak said that both new issues are specific to Java SE 7 only. "They allow to abuse the Reflection API in a particularly interesting way," he added.
"Without going into further details, everything indicates that a ball is in Oracle's court. Again."
The flaws do not affect Java 6, which Oracle has officially retired from support.
Gowdiak said in an update to the posting that Oracle had provided his firm with the results of its analysis, and that while one flaw had been confirmed as an issue, the other, dubbed "Issue 54", was "not treated as a vulnerability as it demonstrates the 'allowed behavior'".
Gowdiak said he disagreed with Oracle's assessment of Issue 54.
"There is a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception," he said. "That alone seems to be enough to contradict the 'allowed behavior' claim by the company (is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?)."
He warned Oracle that if it stuck with its original assessment, his company would have "no choice but to publish details of Issue 54".
The vulnerabilities are the latest in a slew of problems affecting the code. Twice this year Oracle has had to rush out emergency out-of-band patches to fix flaws in Java.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.