Oracle JVM Bytecode Verifier Flaw
Java is a programming platform owned by Oracle that is used for developing cross-platform applications. Java programs run in multiple environments, including embedded devices and smart phones. Java is distributed as the Java Runtime Environment (JRE) and the Java Development Kit (JDK).
The JRE is a software package that allows Java applications to run. It provides a Java Virtual Machine (JVM) on which programs are run. A browser, such as Internet Explorer or Firefox, can download and locally execute Java applets that are embedded in a Web page. A Java applet is a Java application delivered to users in the form of Java bytecode. Java applets are executed in a sandbox, preventing them from accessing local data on the host filesystem.
Three major components comprise the base Java security sandbox. These are the bytecode verifier, the class loader, and the security manager. Each of these components must work properly in order for Java to perform in a secure fashion. Type safety is the most essential element of Java's security. Type safety means that a program cannot perform an operation on an object unless that operation is valid for that object. The JVM has to make sure that bytecode doesn't violate any security restrictions.
A vulnerability exists in Oracle's JVM implementation, HotSpot. The HotSpot bytecode verifier performs an incorrect optimization when processing certain bytecode access instructions. Whenever one of the affected access instructions on a field is verified, the result is cached. Other access instructions on the same field and in the same method are subsequently not verified because of the cached result. This can lead to the execution of instructions that would otherwise fail verification. Exploitation of this flaw can be used to achieve a type confusion scenario, which may result in a bypass of sandbox restrictions.
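A simplified model of the caching behaviour described above, added here as an illustration. It is not HotSpot's code, and the opcodes, type names and the type-match check are assumptions chosen for the example.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <tuple>
#include <vector>

// Toy model: opcodes, type names and the check are illustrative assumptions.
enum Op { GET, PUT };
struct Insn { Op op; std::string field; std::string operandType; };
typedef std::map<std::string, std::string> FieldTable;  // field -> declared type

// Stand-in for the per-instruction check: operand type must match the declaration.
static bool checkAccess(const Insn& i, const FieldTable& decl) {
    auto it = decl.find(i.field);
    return it != decl.end() && it->second == i.operandType;
}

// Flawed: cache keyed by field alone, so one passing access vouches for
// every later access to that field in the same method.
bool verifyFlawed(const std::vector<Insn>& method, const FieldTable& decl) {
    std::set<std::string> verified;
    for (const Insn& i : method) {
        if (verified.count(i.field)) continue;  // later access never checked
        if (!checkAccess(i, decl)) return false;
        verified.insert(i.field);
    }
    return true;
}

// Corrected: a cached result is reused only for an identical access.
bool verifyStrict(const std::vector<Insn>& method, const FieldTable& decl) {
    std::set<std::tuple<int, std::string, std::string>> verified;
    for (const Insn& i : method) {
        auto key = std::make_tuple(static_cast<int>(i.op), i.field, i.operandType);
        if (verified.count(key)) continue;
        if (!checkAccess(i, decl)) return false;
        verified.insert(key);
    }
    return true;
}

// Constructed sample: a valid read of f, then a write treating f as another type.
FieldTable sampleFields() { return {{"f", "TypeA"}}; }
std::vector<Insn> sampleMethod() { return {{GET, "f", "TypeA"}, {PUT, "f", "TypeB"}}; }

int main() {
    std::cout << "flawed accepts: " << verifyFlawed(sampleMethod(), sampleFields())
              << ", strict accepts: " << verifyStrict(sampleMethod(), sampleFields()) << "\n";
}
```

The flawed verifier accepts the constructed method because the second access is skipped, while the strict one rejects it; both agree on methods whose accesses are all valid.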
In order to exploit this vulnerability, an attacker must entice the target user to visit a site that hosts a malicious Java applet. Successful exploitation could result in the execution of arbitrary Java code with the full privileges of the currently logged-in user.
Dell SonicWALL has released an IPS signature to address a known exploit. The following signature was released:
- 8304 - Oracle JRE Hotspot Remote Code Execution