A Java security flaw that was supposedly fixed in 2013 can still be exploited, according to a report by Security Explorations.
Waratek, which provides Runtime Application Security Protection (RASP) containers, said its product protects the full application stack using a pioneering virtual container technology that operates in the runtime.
The flaw, known to friends as CVE-2013-5838, can be exploited without authentication to completely compromise a system’s confidentiality, integrity and availability.
Using Waratek’s RASP containers with a default security policy, CVE-2013-5838 is automatically mitigated and no specific security rule for this CVE is required, Waratek said. “Default security policies work in one of two ways: either reducing the severity of a given vulnerability, or eliminating the vulnerability altogether. In the case of CVE-2013-5838, a default security policy immediately reduces the severity of this vulnerability to partial and eliminates the complete compromise of the host computer system and its data. This benefit is achieved with no foreknowledge of this CVE or the nature of its exploit.”
I have written about it here and here where I wrote that “Waratek, which improves virtualization on servers running Java to permit much higher density (see story), faced a surprising outcome when a major global bank tested its software security. The bank found Waratek software provides a significant leap in security against hackers, including previously unknown threats, called zero day attacks. The global head of application security at the bank told Waratek this was a major breakthrough in cybersecurity that can’t be addressed with existing systems.”