Hello All,

Those concerned about security of IBM Java [1] may find this post interesting.

We discovered that a fix for a security vulnerability (Issue 67) [2] we reported to the company in May 2013 didn't address the problem properly.

This is the 6th instance of a broken patch we encountered from IBM. Previously, the company failed to address 4 other issues (with one of them improperly patched two times in a row).

Similarly to previous cases, the fix for Issue 67 addressed the scenario illustrated by a Proof of Concept code. The actual root cause of the issue hasn't been addressed at all. There were no security checks introduced anywhere in the code. The patch relied solely on the idea that hiding the vulnerable method deep in the code and behind a Proxy class would be sufficient to address the issue.

Breaking IBM patch for Issue 67 requires only several minor changes to our original Proof of Concept code published in Jul 2013.

Full technical details of IBM fix bypass can be found in our technical report:

http://www.security-explorations.com/materials/SE-2012-01-IBM-4.pdf

Along with the report, we have also published a Proof of Concept code to illustrate the broken fix:

http://www.security-explorations.com/materials/se-2012-01-67.2.zip

The POC was successfully tested in a 32-bit Linux OS environment and with the following versions of IBM Java:

- IBM SDK, Java Technology Edition, Version 7.1 for Linux (32-bit x86) released on 2016-01-26 (build pxi3270_27sr3fp30-20160112_01(SR3 FP30))
- IBM SDK, Java Technology Edition, Version 8.0 for Linux (32-bit x86) released on 2016-01-26 (build pxi3280sr2fp10-20160108_01(SR2 FP10))

We verified that a complete Java security sandbox escape could be achieved with it.

Thank you.
--
Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] IBM developer kits
    http://www.ibm.com/developerworks/java/jdk/
[2] SE-2012-01-IBM-2, Issues 62-68
    http://www.security-explorations.com/materials/SE-2012-01-IBM-2.pdf