Unofficial security patches have been released for two Oracle Java Runtime Environment (RE) vulnerabilities discovered by Google Project Zero researcher Mateusz Jurczyk. The company hasn’t yet released an official update to address the two vulnerabilities.
On February 18, Google Project Zero experts publicly disclosed the details of four Java RE vulnerabilities caused by heap-based out-of-bounds read issues. Project Zero experts internally tracked them as 1779, 1780, 1781 and 1782 and rated them as “medium severity.”
The experts used a fuzzing technique to test TrueType and OpenType fonts.
The security holes were discovered during fuzz testing aimed at the processing of TrueType and OpenType fonts.
Google Project Zero reported the flaws to Oracle on February 12, it decided to publicly disclose technical details of the issues after Oracle said it would only address the issues in a future release of Java. Oracle said that “scenario described does not provide a way for an attacker to exploit the user system directly.” In mid-March Oracle announced that and decided that it will patch them in a future release of Java RE.
ACROS Security’s 0patch announced the availability of its own patches for two of the flaws discovered by Google Project Zero, Java users can obtain for them for free. The company will release the patches for the remaining bugs very soon.
The patches were developed to avoid exploitation of the
“Both vulnerabilities are
The patches only work on Java 8 update 202.
“Note that these patches only apply to Java 8 update 202, which is a “PSU” (“Patch Set Update”, see (link: https://www.oracle.com/technetwork/java/javase/cpu-psu-explained-2331472.html) oracle.com/
Experts agree that the exploitation of these vulnerabilities doesn’t pose a serious risk to Java RE users.
Oracle plans to release next CPU on April 16, let’s see if it will include patches for these vulnerabilities.
(SecurityAffairs – Java RE, hacking)