Oracle JVM Bytecode Verifier Flaw (July 20, 2012)

Java is a programming platform owned by Oracle that is used for developing cross-platform applications. Java programs run in many environments, including embedded devices and smartphones. Java is distributed as the Java Runtime Environment (JRE) and the Java Development Kit (JDK).

The JRE is a software package that allows Java applications to run. It provides a Java Virtual Machine (JVM) on which programs execute. A browser such as Internet Explorer or Firefox can download and locally execute Java applets that are embedded in a Web page. A Java applet is a Java application delivered to users in the form of Java bytecode. Java applets are executed in a sandbox, which prevents them from accessing local data on the host filesystem.

Three major components comprise the base Java security sandbox: the bytecode verifier, the class loader, and the security manager. Each of these components must work properly for Java to run in a secure fashion. Type safety is the most essential element of Java’s security. Type safety means that a program cannot perform an operation on an object unless that operation is valid for that object. The JVM has to make sure that bytecode doesn’t violate any security restrictions.

A vulnerability exists in Oracle’s JVM implementation, HotSpot. The HotSpot bytecode verifier performs an incorrect optimization when processing certain bytecode field-access instructions. Whenever one of the affected access instructions on a field is verified, the result is cached. Other access instructions on the same field in the same method are subsequently not verified, because the cached result is reused. This can lead to execution of instructions that would otherwise fail verification. Exploitation of this flaw can be used to achieve a type confusion scenario, which may result in a bypass of sandbox restrictions.
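To make the reasoning above concrete, the following is an added illustrative model written for this page; it is not HotSpot's verifier code and does not reproduce any real bytecode. It models a field-access check (the receiver on the operand stack must be an instance of the class that declares the field) and two cache strategies: a hypothetical `BuggyVerifier` that caches the result per method and field, so a later access on the same field with an unrelated receiver type is never checked, and a `SoundVerifier` whose cache key includes everything the check depends on. The class hierarchy, field names and instruction sequence are constructed for the example.

```python
from dataclasses import dataclass

# Constructed class hierarchy: child -> parent (None for the root).
CLASS_HIERARCHY = {
    "Object": None,
    "Foo": "Object",
    "Bar": "Object",
    "SubFoo": "Foo",
}


def is_assignable(actual, declared):
    """True if `actual` is `declared` or one of its subclasses."""
    cls = actual
    while cls is not None:
        if cls == declared:
            return True
        cls = CLASS_HIERARCHY[cls]
    return False


@dataclass(frozen=True)
class FieldAccess:
    """A getfield/putfield-style instruction in the model: the field it names
    and the static type of the object reference on the operand stack."""
    field_owner: str      # class that declares the field
    field_name: str
    objectref_type: str   # static type of the receiver being accessed


def check_access(instr):
    """The actual type check a verifier must perform for every access."""
    return is_assignable(instr.objectref_type, instr.field_owner)


class BuggyVerifier:
    """Hypothetical verifier that caches per (method, field) only.
    After the first access on a field is checked, any later access on the same
    field in the same method reuses the cached result, whatever the receiver type."""

    def __init__(self):
        self.cache = {}

    def verify(self, method, instr):
        key = (method, instr.field_owner, instr.field_name)
        if key not in self.cache:
            self.cache[key] = check_access(instr)
        return self.cache[key]


class SoundVerifier:
    """Same caching idea, but the key also carries the receiver type, so a
    cached result is only reused for an identical check."""

    def __init__(self):
        self.cache = {}

    def verify(self, method, instr):
        key = (method, instr.field_owner, instr.field_name, instr.objectref_type)
        if key not in self.cache:
            self.cache[key] = check_access(instr)
        return self.cache[key]


def verify_method(verifier, method, instrs):
    """A method passes only if every instruction passes; one failure means the
    class would be rejected with a VerifyError."""
    return all(verifier.verify(method, instr) for instr in instrs)


# Constructed instruction sequence for one method: two legitimate accesses of
# Foo.value followed by an access through an unrelated type (type confusion).
SAMPLE_METHOD = [
    FieldAccess("Foo", "value", "Foo"),      # valid
    FieldAccess("Foo", "value", "SubFoo"),   # valid: subclass of Foo
    FieldAccess("Foo", "value", "Bar"),      # invalid: Bar is not a Foo
]


if __name__ == "__main__":
    print("per-field cache accepts method:", verify_method(BuggyVerifier(), "m", SAMPLE_METHOD))
    print("sound verifier accepts method:", verify_method(SoundVerifier(), "m", SAMPLE_METHOD))
```

The third instruction fails `check_access` on its own, yet the per-field cache reports the whole method as verified because the first access on `Foo.value` was valid. The fix in the model is simply to cache on the full input of the check; the general lesson for any verifier or validator is that a memoized result is only reusable when the key captures every input the decision depends on.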

In order to exploit this vulnerability, an attacker must entice the target user to visit a site that hosts a malicious Java applet. Successful exploitation could result in the execution of arbitrary Java code with the full privileges of the currently logged-in user.

Dell SonicWALL has released an IPS signature to address a known exploit. The following signature was released:

  • 8304 – Oracle JRE Hotspot Remote Code Execution

This vulnerability has been assigned the identifier CVE-2012-1723 by MITRE.
The vendor has released an advisory addressing this issue.
