It has been identified that it is possible to inject malicious unsigned bytecode into a signed JAR without failing jarsigner verification. This flaw could be exploited in environments where the contents of a verified JAR are considered trusted and unpacked for use. Note that if the signed JAR is used at runtime, with the signature intact, a fatal runtime exception is thrown.
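A defender-side check for the condition described above, added here as an example and not part of the bug report or the upstream fix: it parses the signed manifest of a JAR and reports archive entries that have no manifest section (and so were never signed) or whose digest no longer matches. The JAR is a constructed in-memory sample (names, contents and the single manifest section are assumptions); the check does not validate the .SF file or the signature block itself, which remains jarsigner's job.

```python
import base64, hashlib, io, zipfile

def is_signing_related(name):
    """MANIFEST.MF, .SF files and signature blocks under META-INF are never digest entries themselves."""
    base = name[len("META-INF/"):].upper() if name.startswith("META-INF/") else ""
    return base == "MANIFEST.MF" or base.startswith("SIG-") or base.endswith((".SF", ".RSA", ".DSA", ".EC"))

def manifest_sections(text):
    """Parse the per-entry sections of a MANIFEST.MF into {entry name: {attribute: value}}."""
    lines, sections, current = [], {}, None
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # continuation of a line wrapped at 72 bytes
        else:
            lines.append(raw)
    for line in lines:
        key, _, value = line.partition(": ")
        if not line:
            current = None            # blank line closes a section
        elif key == "Name":
            current, sections[value] = value, {}
        elif current is not None:
            sections[current][key] = value
    return sections

def unsigned_entries(jar_bytes):
    """Return (uncovered, mismatched): entries with no manifest section, and entries whose digest differs."""
    uncovered, mismatched = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        sections = manifest_sections(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in zf.namelist():
            if name.endswith("/") or is_signing_related(name):
                continue
            attrs = sections.get(name)
            if attrs is None:
                uncovered.append(name)    # present in the archive, absent from the signed manifest
                continue
            data = zf.read(name)
            digests = {k[:-7].replace("-", "").lower(): v for k, v in attrs.items() if k.endswith("-Digest")}
            if not any(base64.b64encode(hashlib.new(a, data).digest()).decode() == v for a, v in digests.items()):
                mismatched.append(name)
    return uncovered, mismatched

def build_sample_jar():
    """Constructed sample: the manifest covers Good.class; Evil.class was dropped in afterwards."""
    good, evil = b"\xca\xfe\xba\xbe good", b"\xca\xfe\xba\xbe evil"
    digest = base64.b64encode(hashlib.sha256(good).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: com/example/Good.class\r\nSHA-256-Digest: {digest}\r\n\r\n"
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("com/example/Good.class", good)
        zf.writestr("com/example/Evil.class", evil)   # never listed in the manifest, hence never signed
    return buf.getvalue()
```

Running `unsigned_entries(build_sample_jar())` reports `com/example/Evil.class` as uncovered while `Good.class` passes, which is exactly the entry a consumer unpacking the "verified" JAR would otherwise trust.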
Acknowledgements: This issue was discovered by Arun Babu Neelicattu of the Red Hat Security Response Team.
This was fixed publicly by upstream http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e
(In reply to Kurt Seifried from comment #3)
> This was fixed publicly by upstream
>
> http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e

The fix was included in OpenJDK, Oracle JDK and IBM JDK updates released to address January 2014 CPU security issues. Upstream considered it security hardening rather than a vulnerability fix.