Pierluigi Paganini April 08, 2019

Unofficial security patches have been released for two Oracle Java Runtime Environment (RE) flaws yet to be fixed discovered by Google Project Zero researcher.

Unofficial security patches have been released for two Oracle Java Runtime Environment (RE) vulnerabilities discovered by Google Project Zero researcher Mateusz Jurczyk. The company hasn’t yet released an official update to address the two vulnerabilities.

On February 18, Google Project Zero experts publicly disclosed the details of four Java RE vulnerabilities caused by heap-based out-of-bounds read issues. Project Zero experts internally tracked them as 1779, 1780, 1781 and 1782 and rated them as “medium severity.”

The experts used a fuzzing technique to test TrueType and OpenType fonts.

The security holes were discovered during fuzz testing aimed at the processing of TrueType and OpenType fonts.

Google Project Zero reported the flaws to Oracle on February 12, it decided to publicly disclose technical details of the issues after Oracle said it would only address the issues in a future release of Java. Oracle said that “scenario described does not provide a way for an attacker to exploit the user system directly.” In mid-March Oracle announced that and decided that it will patch them in a future release of Java RE.

ACROS Security’s 0patch announced the availability of its own patches for two of the flaws discovered by Google Project Zero, Java users can obtain for them for free. The company will release the patches for the remaining bugs very soon.

The patches were developed to avoid exploitation of the vulnerabilities by terminating the execution of java.exe when out-of-bounds access is detected.

“Both vulnerabilities are micropatched in a similar way: when out-of-bounds access is detected, execution of java.exe is terminated and “Exploit Blocked” reported. We felt trying to sanitize malicious input was too risky and could just move the vulnerability elsewhere. ” reads a Tweet published by 0patch.

The patches only work on Java 8 update 202.

“Note that these patches only apply to Java 8 update 202, which is a “PSU” (“Patch Set Update”, see (link: https://www.oracle.com/technetwork/java/javase/cpu-psu-explained-2331472.html) oracle.com/technetwork/ja…), since this is the version Project Zero’s @j00ru did his analysis on. Most Java users who update regularly are expected to be on “CPU” update 201.” continues 0patch.

Experts agree that the exploitation of these vulnerabilities doesn’t pose a serious risk to Java RE users.

Oracle plans to release next CPU on April 16, let’s see if it will include patches for these vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – Java RE, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]