On 14/12/2021 12:30 am, Filip Palian wrote:
> My intention was to share information about the vulnerabilities affecting
> Java language. (Without performing a proper comparison) I'd prefer not to
> get into discussion about one language being less secure than another.
"Java is insecure" is an implicit comparison with other languages. If there isn't another language that is more secure, the statement is, as I said, unfair.

> Sure, I'll take the occasion and spell it out ... the first example from
> the list which isn't strictly a sandbox bypass -
> https://packetstormsecurity.com/files/127117/Oracle-Database-Java-VM-20-Weaknesses.html
> :
> "Among a total of 20 weaknesses discovered, there are issues that allow to
> create a specific Java security bypass condition or that facilitate the
> execution of arbitrary Java code on Oracle Database server without proper
> privileges".

It does sound like it is effectively a sandbox bypass. Can you run other languages, e.g. C, in the same environment securely? If one language has security but there are occasional vulnerabilities discovered, and another has no security at all, is it reasonable to call the first insecure?

--
Andrew Rowley
Black Hill Software

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
