Current versions of IBM SDK 7 and SDK 8 remain vulnerable to a 2013 Java vulnerability. The flaw allows an attacker to execute code outside the Java sandbox. IBM announced a change in internal policy whereby the company will disclose bugs if the vendor's patch is broken or incomplete. IBM said in a statement: "IBM is aware of the vulnerability and is working to address the issue." The vulnerability could be exploited via a browser if IBM Java is configured as a plugin, CEO Adam Gowdiak said.
Source: https://threatpost.com/broken-ibm-java-patch-prompts-another-disclosure/117369/

