PT-2016-4170
Adam Gowdiak
Published: 2016-04-29
Updated: 2023-09-12
CVE-2016-0376
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
IBM SDK, Java Technology Edition versions 6.0.0 through 6.0.16.24
IBM SDK, Java Technology Edition 6 R1 versions 6.1.0 through 6.1.8.24
IBM SDK, Java Technology Edition 7 versions 7.0.0 through 7.0.9.39
IBM SDK, Java Technology Edition 7 R1 versions 7.1.0 through 7.1.3.39
IBM SDK, Java Technology Edition 8 versions 8.0.0 through 8.0.2.0
Description
The issue allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code. The root cause is improper deserialization of classes inside an AccessController doPrivileged block: the readValue method of the com.ibm.rmi.io.ValueHandlerPool.ValueHandlerSingleton class, which implements the javax.rmi.CORBA.ValueHandler interface, deserializes attacker-controlled data while running with the library's elevated privileges. This lets code running under a security manager escalate its privileges by modifying or removing the security manager.
Recommendations
For IBM SDK, Java Technology Edition 6, update to version 6.0.16.25 or later.
For IBM SDK, Java Technology Edition 6 R1, update to version 6.1.8.25 or later.
For IBM SDK, Java Technology Edition 7, update to version 7.0.9.40 or later.
For IBM SDK, Java Technology Edition 7 R1, update to version 7.1.3.40 or later.
For IBM SDK, Java Technology Edition 8, update to version 8.0.3.0 or later.
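The pattern behind the Description above, reduced to a small illustration, is deserialization of caller-supplied bytes inside a doPrivileged block: every class resolved and every readObject() hook run during deserialization then executes with the library's permissions instead of the sandboxed caller's. The following is an added example written for this page, not IBM's code and not the actual ValueHandlerPool implementation; the class names ValueReaderExample and RestrictedObjectInputStream and the allow-list contents are hypothetical. It shows the vulnerable shape beside a hardened shape that drops the privileged wrapper and allow-lists the classes that may be deserialized.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Hypothetical value reader illustrating the anti-pattern behind CVE-2016-0376:
 * deserializing untrusted bytes inside doPrivileged, so class resolution and
 * readObject() hooks run with this library's permissions, not the caller's.
 */
public final class ValueReaderExample {

    /** VULNERABLE SHAPE (for contrast only): untrusted deserialization inside doPrivileged. */
    static Object readValuePrivileged(final InputStream untrusted) throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws IOException, ClassNotFoundException {
                    // Everything triggered by readObject() here runs with the
                    // privileges of this code, not of the sandboxed caller.
                    try (ObjectInputStream in = new ObjectInputStream(untrusted)) {
                        return in.readObject();
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            throw new IOException(e.getException());
        }
    }

    /** HARDENED SHAPE: no privileged wrapper, and only allow-listed classes may be resolved. */
    static Object readValueUnprivileged(InputStream untrusted) throws IOException {
        try (ObjectInputStream in = new RestrictedObjectInputStream(untrusted)) {
            // The security manager now sees the caller's own stack and denies
            // anything the caller is not itself permitted to do.
            return in.readObject();
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    /** Allow-list deserializable classes by overriding resolveClass (hypothetical list). */
    static final class RestrictedObjectInputStream extends ObjectInputStream {
        private static final java.util.Set<String> ALLOWED = new java.util.HashSet<>(
                java.util.Arrays.asList("java.lang.String", "java.lang.Integer",
                        "java.lang.Number", "[Ljava.lang.String;"));

        RestrictedObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(java.io.ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new java.io.InvalidClassException(desc.getName(),
                        "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Stand-alone demo on constructed, benign payloads.
    public static void main(String[] args) throws Exception {
        java.io.ByteArrayOutputStream bos = new java.io.ByteArrayOutputStream();
        try (java.io.ObjectOutputStream oos = new java.io.ObjectOutputStream(bos)) {
            oos.writeObject("hello");
        }
        System.out.println(readValueUnprivileged(new ByteArrayInputStream(bos.toByteArray())));

        // A serialized java.util.Date is not on the allow-list and is rejected.
        bos.reset();
        try (java.io.ObjectOutputStream oos = new java.io.ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.Date(0));
        }
        try {
            readValueUnprivileged(new ByteArrayInputStream(bos.toByteArray()));
        } catch (IOException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

On JDK 9 and later, java.io.ObjectInputFilter provides the same class allow-listing without subclassing ObjectInputStream. The broader lesson is the one the advisory states: a doPrivileged block should contain only the minimal operation the library itself needs, never work whose behaviour is steered by caller-supplied data.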
Affected products
Ibm Aix
Ibm Sdk
Red Hat
Suse