REDHAT-BUG-1330986

First published: Wed Apr 27 2016(Updated: )

Adam Gowdiak (Security Explorations) reported that the fix for IBM JDK issue <a href="https://access.redhat.com/security/cve/CVE-2013-5456">CVE-2013-5456</a> (<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2013-5456 IBM JDK: unspecified sandbox bypass (ORB)" href="show_bug.cgi?id=1027748">bug 1027748</a>), also known as "Issue 70", did not correctly address the problem. Applied fix only restricted access to the vulnerable package, rather then addressing the underlying problem of running untrusted code inside doPrivileged block. Report: <a href="http://seclists.org/fulldisclosure/2016/Apr/43">http://seclists.org/fulldisclosure/2016/Apr/43</a> Write-up of the issue: <a href="http://www.security-explorations.com/materials/SE-2012-01-IBM-5.pdf">http://www.security-explorations.com/materials/SE-2012-01-IBM-5.pdf</a> Proof-of-concept code: <a href="http://www.security-explorations.com/materials/se-2012-01-70.2.zip">http://www.security-explorations.com/materials/se-2012-01-70.2.zip</a>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/references
• agent/type
• agent/last-modified-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2016-0376
• agent/first-publish-date
• agent/source
• agent/severity
• agent/description
• agent/event
• agent/softwarecombine
• agent/tags
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/ibm
• canonical/ibm jdk 8