Founder and CEO of Security Explorations of Poland, Adam Gowdiak has reported a new unpatched security vulnerability in JAVA that affects all Java versions, including 7u21 released last Tuesday.
Gowdiak claims to have sent to Oracle a report about a reflection API vulnerability in the newly shipped Server Java Runtime Environment (JRE), notifying them of the new security weakness. "It can be used to achieve a complete Java security sandbox bypass on a target system,"
Vulnerability allows attackers to completely bypass the language's sandbox to access the underlying system. Gowdiak has not published any further details about the vulnerability in order to give Oracle time to patch the problem.
Last week's Oracle patch update repaired many issues plaguing the platform. Java 7 Update 21 contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities.
According to Oracle, "39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password"
He first reported vulnerabilities in the Reflection API a year ago, and he said that this vulnerability is present in the server versions of the Java Runtime Environment, as well as in the JRE Plugin and JDK software.