New Java Vulnerabilities No Threat To IBM i
January 23, 2013 Alex Woodie
The Java vulnerabilities that hackers have been exploiting on computers around the world do not exist on the implementation of Java that IBM runs on its IBM i platform, IBM officials confirmed last week.
“IBM has confirmed that the IBM Java Software Development Kit (SDK) and IBM Java Runtime Environment (JRE) are not vulnerable to this reported exploit,” spokesperson Kristin Bryson, of IBM’s Systems and Technology Group, told IT Jungle via email. “The IBM version of Java (which is used on IBM i) has been tested for this issue and it is not in the IBM version of Java.”
The Java vulnerabilities took the IT security world by storm after hackers began exploiting the flaws before Oracle could issue a patch. The ready availability of exploit kits carrying the attack and the slow response from Oracle led the Department of Homeland Security's US-CERT to recommend that users protect themselves by disabling Java in their Web browsers. The new security flaws in Java are isolated to the Web browser and don't impact server implementations of Java, IBM said. That distinction holds because the flaw is a bypass of the Java sandbox (the SecurityManager): it matters only where a JVM runs untrusted code, such as a browser applet, under that sandbox, and server-side Java normally runs trusted code with no SecurityManager installed at all.
It all started on January 10, when US-CERT issued a security alert warning about a zero-day vulnerability (CVE-2013-0422) in Java 7 Update 10 and earlier that was being actively exploited. The flaw, which is really a chain of several weaknesses used together, lets a malicious applet escape the Java sandbox and run arbitrary code on the affected system with the privileges of the user running the browser.
On January 13, Oracle responded to the so-called “Security Manager Bypass Vulnerability” with Java 7 Update 11. The software giant encouraged users to apply the update to their JREs “as soon as possible” to avoid falling victim to the flaw, which requires only that a user visit a maliciously crafted website hosting the applet. Update 11 also raised the default security level for Java in the browser from “Medium” to “High,” so unsigned applets now prompt the user before they run; that prompt is a mitigation against the next sandbox escape, not a fix for this one, which is why the update itself still has to be applied.
In addition to addressing CVE-2013-0422, Oracle's security alert also fixed a second critical Java vulnerability, CVE-2012-3174, that likewise allows an attacker to take full control of a victim's computer. The details of this second vulnerability have not been disclosed, according to US-CERT, but it carries the same severity: a CVSS base score of 10.0, the maximum on the 0-to-10 scale.
Although the underlying flaw is in Oracle's Java 7 code base, which the JDK and the JRE share, it is Oracle's Java Runtime Environment (JRE) version 1.7, the piece installed alongside Web browsers, that is the one mainly affected by these vulnerabilities. Oracle's JRE has been ported to multiple systems, including Windows, OS X, and Linux. It is arguably the world's most popular Java environment. But dozens of other software vendors, including IBM, Hewlett-Packard, SAP, and Microsoft, have developed their own JVMs (Microsoft ended support for its JVM at the end of 2007). Whether a given host is exposed therefore depends on which vendor's JRE it runs and, for Oracle's, on the update number, not on the fact that Java is installed.
IBM stopped using Sun Microsystems' tools to develop its Java Virtual Machine (JVM) and JREs (a JRE is composed of a JVM and the Java class libraries) with the launch of IBM i 7.1 in 2010. That was the year IBM stopped supporting the “classic” 64-bit JVM for i5/OS that was originally developed with Sun's tools. Taking the place of the classic 64-bit JVM were two “J9” JVMs (one 32-bit and one 64-bit) that IBM wrote using its own IBM Technology for Java (IT4J) tooling. These JVMs support JDK version 1.7 and earlier, and are used, basically unchanged, across IBM's complete line of IBM i, AIX, Linux, and Windows servers.
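A practical way to apply the vendor-and-update distinction from the two paragraphs above across a fleet is a script that classifies the banner `java -version` prints. The following Python is an added example, not code from IT Jungle, IBM or Oracle. The sample banners are constructed (build IDs shortened to placeholders), the classification rules are only those the article states (Oracle Java 7 Update 10 and earlier affected, Update 11 fixed, IBM's J9 JREs not affected), and keying vendor detection on the “HotSpot” and “IBM J9” VM names is an assumption about the banner format; anything else is reported as unknown rather than guessed.

```python
"""Classify `java -version` output against the affected range for CVE-2013-0422.

Added example, not from the IT Jungle article, IBM or Oracle. It encodes only
what the article states: Oracle Java 7 Update 10 and earlier is affected,
Java 7 Update 11 carries the fix, and IBM's J9-based JREs are not affected.
Everything else is reported as "unknown" rather than guessed. Feed it
`java -version 2>&1`: the banner goes to stderr, not stdout.
"""
import re

# First banner line looks like: java version "1.7.0_10"
# The update suffix is optional (IBM prints "1.7.0" with no _NN).
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# Constructed sample banners; "NN" stands in for real build identifiers.
ORACLE_U10 = ('java version "1.7.0_10"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_10-bNN)\n'
              'Java HotSpot(TM) 64-Bit Server VM (build NN, mixed mode)\n')
ORACLE_U11 = ('java version "1.7.0_11"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_11-bNN)\n'
              'Java HotSpot(TM) 64-Bit Server VM (build NN, mixed mode)\n')
IBM_J9 = ('java version "1.7.0"\n'
          'Java(TM) SE Runtime Environment (build NN)\n'
          'IBM J9 VM (build 2.6, JRE 1.7.0 ...)\n')


def parse_java_version(banner):
    """Return (major, minor, micro, update) as ints, or None if no banner found.

    Comparing as integers matters: as strings, "1.7.0_9" sorts after
    "1.7.0_10", so a naive string compare would call Update 9 patched.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def detect_vendor(banner):
    """Identify the JRE vendor from the VM line (assumed banner format).

    IBM is checked first because IBM's banner also carries the
    'Java(TM) SE Runtime Environment' line. OpenJDK and other builds are
    deliberately left as 'unknown'; the article covers only Oracle and IBM.
    """
    text = banner.lower()
    if "ibm j9" in text:
        return "ibm"
    if "hotspot" in text:
        return "oracle"
    return "unknown"


def classify(banner):
    """Map a banner to one of: affected / patched / not-affected / unknown."""
    vendor = detect_vendor(banner)
    version = parse_java_version(banner)
    if vendor == "ibm":
        return "not-affected: IBM J9 JRE (IBM states its Java is not vulnerable)"
    if vendor != "oracle" or version is None:
        return "unknown: vendor or version not recognized"
    major, minor, _micro, update = version
    if (major, minor) != (1, 7):
        return "not-affected: outside the Java 7 range the advisory covers"
    if update <= 10:
        return "affected: Java 7 Update %d (fix is Update 11)" % update
    return "patched: Java 7 Update %d" % update


if __name__ == "__main__":
    import sys
    # With piped input, classify the real banner; otherwise show the samples.
    piped = None if sys.stdin.isatty() else sys.stdin.read()
    for b in ([piped] if piped else [ORACLE_U10, ORACLE_U11, IBM_J9]):
        print(b.splitlines()[0], "->", classify(b))
```

On each host, run it as `java -version 2>&1 | python check_java.py` (the file name is arbitrary); the `2>&1` is essential because the banner is written to stderr and an empty stdin would otherwise be classified as unknown.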
This article was corrected. IBM did not recently issue a patch for a Java vulnerability, CVE-2010-4476. It actually patched that flaw when it was discovered in February 2011. IT Jungle regrets the error.