oss-sec mailing list archives

Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs)

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 11 Sep 2012 11:11:28 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/11/2012 03:18 AM, Jan Lieskovsky wrote:

Hello Kurt, Steve, vendors,

an information disclosure flaw was found in the way certain Java
Virtual Machines (JVM) used to initialize integer arrays (they have
had nonzero elements right after the allocation in certain
circumstances). An attacker could use this flaw to obtain
potentially sensitive information.

References (including the reproducer, workaround and further
details): [1]
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857 [2]
https://bugzilla.redhat.com/show_bug.cgi?id=856124

Could you allocate a CVE id for this?

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team

P.S.:  Issue brought to us by Florian Weimer, Red Hat Product
Security Team (for case someone is tracking the initial reporter)

P.S#2: Oracle Security Team Cc-ed on this request too (to clarify 
if CVE id has been assigned to this already or not).


Please use CVE-2012-4416 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQT3DAAAoJEBYNRVNeJnmT6EoP/iTl5HN/lsfqOi83/7UiYXVA
MJyovSVnwWZ0Aqp0Ezw7AJei+VS0koiZAPy54I0ht4idSW2HDOFxH6mAbwAX2i7E
pr3SZecVLb+V9OQs09hShV8eik4lQ+YuHVo/Ag3Q29QSBbncHH1WxbwQhcdttoW3
W3Flwp7+z3cLhINHV1nMEufjwwgATBkM92h6/rM9wTZBDpW7yfE5mFWMUgL7fhxd
9B4H4NJqiARKJ4Tuk6I9UOTNtQxG4Gvrb/3nWY6vWVJjU7N7ti4pHUa6pEMnM35T
K6SYVQEeBgyLC5qxPQtbvYhjn8iT6NXkdtrDGlYXTeDBTqWJb5Mr6QnM4dbYZFfx
y5dFJWyHhxKuvNMQU3Xi5/ht3ta7gGHtWpAPz6LB0l6MXR35Pdiuhf5ZzEWvLCkl
jmtCK6WRcmcks6Bkseff/XDpdh7Fd9Pcot2XYOBxs4FkjV+Krqrmkf0DFemaxxO+
QEX1tRJlZY+2iwmlhfAoc3Msnid0yS4pMcDOvWwhwjkxeZ0BIkn8Vjvo+BaZt3uG
aQnr8GyveaXaF7xWwMmjUuoyo3WbeOlPo2C+go3MyUZbCLJsuRislJtPF4gDLrcr
NvzlKPZuZ5DBNKUD2eRhPMM4r8tBQ0Dn5jcsR8cFsx0D7h8u19lgUsREJP8sqPxF
aABJ8sMvexuvy7D0rrm9
=NGRD
-----END PGP SIGNATURE-----

Current thread:

CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Jan Lieskovsky (Sep 11)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Kurt Seifried (Sep 11)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Steven M. Christey (Sep 11)
  - Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Florian Weimer (Sep 12)
  - Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Jan Lieskovsky (Sep 12)
    - Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Kurt Seifried (Sep 12)
  - Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Tomas Hoger (Sep 20)