Oracle confirms Java 7 flaw, says another is 'allowed behavior'

A security researcher gives Oracle two weeks to change its mind that an issue he reported is not a security flaw, or else he'll let the public be the judge.

Oracle has disputed a claim that Java SE 7 contains a security flaw, but the researcher who found it disagrees and says he may release details next week unless Oracle changes its assessment.

Adam Gowdiak, CEO of Polish security firm Security Explorations, reported two new security "issues" to Oracle on Monday, noting that they were specific to Java SE 7 below Update 15, the latest Java 7 update, which Oracle released on February 19.

Oracle is not scheduled to release the next Java update until April 16, but if an exploit for the flaws reaches the wrong hands, it may be forced to release one sooner. Oracle notably released an out-of-band update for Java on February 1 to fix 50 Java 7 flaws, including one affecting the Java browser plugin that attackers were exploiting. The update preceded admissions by Facebook, Apple and Microsoft that some of their developers had been hacked using an exploit for the plugin.

Days prior to Oracle's update, Gowdiak also warned that Java SE 7 Update 11 was vulnerable to a remote attack.

Gowdiak says both new issues could allow an attacker to "abuse the Reflection API in a particularly interesting way."

"We gained a complete Java security sandbox bypass under Java SE 7 Update 15 and below," he said by email.

Oracle yesterday confirmed that one of the issues, which the researcher labels "issue 55," was a flaw, but disputed the other, "issue 54," as "allowed behavior."

Gowdiak disagrees with Oracle's assessment of issue 54 and says he will be forced to "leave it to the public" to decide if it does not change its position within one or two weeks.

While the specific behavior in issue 54 might be permitted, Gowdiak says that individual security bypasses in a Java virtual machine (VM) environment should not be assessed in isolation.

"In many cases, it is difficult to judge Java security flaws separately as this can lead to misleading conclusions. In a Java VM environment, usually more than one partial security bypass issue needs to be combined to achieve a complete security compromise. As for the attack itself, it is quite easy to set up," he said.

In a post published today, he said there is "a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception".

"It's a public API case versus private code path case. Public API denies access and throws a security exception, while private code path does not signal any problems (access is allowed)," he explained.

ZDNet asked Oracle to confirm its assessment of the reported flaws but had not received a response at the time of writing.

"We might start considering the release of Issue 54 details if [Oracle] still treats it as the 'allowed behavior' and not a vulnerability. In such a case, the public opinion will have the opportunity to make a judgment on its own," said Gowdiak, adding that "one or two weeks" should be enough.