Oracle responded and confirmed that one of the issues (55) is a security flaw, while the second one (54) is just “allowed behavior,” but the experts at Security Explorations do not seem satisfied with this statement.
Adam Gowdiak, CEO of Security Explorations, countered Oracle's claim in a message to a seclists.org mailing list. Gowdiak wrote, “We disagree with Oracle’s assessment regarding Issue 54. There is a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception.”
“That alone seems to be enough to contradict the ‘allowed behavior’ claim by the company,” he added.
Gowdiak warned that if Oracle doesn’t address this issue, he will be forced to publish the technical details of “issue 54,” just as Security Explorations did with Apple last year.
On February 1, Oracle released an update to fix 50 Java 7 flaws, but things are not going its way. With the discovery of two more bugs, Oracle may consider releasing an emergency patch before its next update release, which is scheduled for April 16.