Oracle patches 0-day in Java

Oracle published a new version of Java today. The new version, Java v8 update 77, addresses a single critical vulnerability, CVE-2016-0636. This vulnerability had been disclosed publicly 2 weeks ago on the Full Disclosure list. Security researcher Adam Gowdiak, CEO of Security Explorations, classified it as a variant of an older issue (CVE-2013-5838) that he reported to Oracle in 2013 and that was not fully fixed in Oracle's subsequent patch.

Since Oracle chose to fix this vulnerability out of band, we can assume that a workable exploit based on the published information is relatively easy to come up with. You should give this fix high priority and address it as soon as possible.

Security Explorations has published a technical document describing the issue and POC code for an exploit on their website. They affirm that Java v7 and Java v9 are also affected by the vulnerability. Our RTI for Id: 124828 continues on level 'POC'; we will update it as soon as we get more information on potential exploits as they appear in the wild.
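Prioritizing this fix starts with knowing which hosts still run a Java 8 build older than Update 77. The following Python snippet is an added example, not code from the original post or from Oracle or Security Explorations: it parses the text that `java -version` prints (Java 8 really uses the `1.8.0_NN` form, and the sample outputs below are constructed) and classifies each host. Java 8 below update 77 is marked vulnerable; Java 7 is marked as affected per the advisory above with no fixed version given here. Java 9 early-access builds use a different version string and, as an assumption of this example, fall through as "unknown".

```python
import re

# Constructed sample `java -version` outputs, keyed by a made-up host name.
SAMPLE_OUTPUTS = {
    "host-a": 'java version "1.8.0_74"\n'
              'Java(TM) SE Runtime Environment (build 1.8.0_74-b02)',
    "host-b": 'java version "1.8.0_77"\n'
              'Java(TM) SE Runtime Environment (build 1.8.0_77-b03)',
    "host-c": 'java version "1.7.0_95"',
    "host-d": 'openjdk version "1.8.0_91"',
    "host-e": 'java version "9-ea"',  # Java 9 EA: different scheme, not parsed here
}

# Java 8 Update 77 is the release that fixes CVE-2016-0636 (from the post above).
FIXED_UPDATE_JAVA8 = 77

# Matches the legacy "1.<major>.0_<update>" scheme used by Java 7 and 8.
VERSION_RE = re.compile(r'version "1\.(\d+)\.0_(\d+)')


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` output, or None."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(output):
    """Classify one host's Java installation against the 8u77 fix."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"            # unparsable or a newer version scheme
    major, update = parsed
    if major == 8:
        return "patched" if update >= FIXED_UPDATE_JAVA8 else "vulnerable"
    if major == 7:
        return "affected-check-vendor"  # affected per advisory, no fix version here
    return "unknown"


def triage(outputs):
    """Map every host to its assessment so the vulnerable ones can be scheduled first."""
    return {host: assess(text) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
```

In practice the input would come from running `java -version` (which writes to stderr) on each host through your inventory tooling; the classification logic stays the same.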
