PT-2016-4163 · IBM · IBM SDK
Adam Gowdiak · Published 2016-04-29 · Updated 2023-09-12 · CVE-2016-0363
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
IBM SDK, Java Technology Edition versions 6.0.0 through 6.0.16.24
IBM SDK, Java Technology Edition 6 R1 versions 6.1.0 through 6.1.8.24
IBM SDK, Java Technology Edition 7 versions 7.0.0 through 7.0.9.39
IBM SDK, Java Technology Edition 7 R1 versions 7.1.0 through 7.1.3.39
IBM SDK, Java Technology Edition 8 versions 8.0.0 through 8.0.2.0
Description
The issue allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code on the system. The bypass is achieved by calling setSecurityManager via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface. The com.ibm.CORBA.iiop.ClientDelegate class calls the invoke method of the java.lang.reflect.Method class inside an AccessController doPrivileged block, so the reflective call runs with the privileges of the IBM class rather than those of the untrusted caller; this is what contributes to the vulnerability.
Recommendations
For IBM SDK, Java Technology Edition 6, update to version 6.0.16.25 or later.
For IBM SDK, Java Technology Edition 6 R1, update to version 6.1.8.25 or later.
For IBM SDK, Java Technology Edition 7, update to version 7.0.9.40 or later.
For IBM SDK, Java Technology Edition 7 R1, update to version 7.1.3.40 or later.
For IBM SDK, Java Technology Edition 8, update to version 8.0.3.0 or later.
Fix
RCE
Weakness Enumeration
Related identifiers
Affected products
IBM AIX
IBM SDK
Red Hat
SUSE