There are five vulnerabilities in Java SE 7 Update 15 which, when combined, can achieve a complete sandbox bypass.
The new flaws, identified as “issue 56” through “issue 60,” ended up found by researchers at Security Explorations while they were trying to collect new evidence to prove to Oracle “issue 54” is a security hole.
“Two of the issues found (59 and 60) could be potentially affecting Java SE 6 (we haven’t checked this due to Java SE 6 EOL status), but since all of the issues need to be combined together to gain a successful Java SE security compromise, we treat it as affecting Java SE 7 only,” said Adam Gowdiak, chief executive of Security Explorations.
“The attack breaks a couple of security checks introduced to Java SE by Oracle over the recent months (Issues 57 and 58). It also exploits code fragments that were missing proper security checks corresponding to the very mirror code (Issue 59 and 60). Finally, it demonstrates a difference between the JVM specification and its implementation (Issue 56).”
Gowdiak said similar to other vulnerabilities they’ve found, the Reflection API is the component that undergoes exploitation in the attack.
Oracle has the complete details of the newly-discovered flaws, along with a proof-of-concept.