oss-sec mailing list archives
Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs)
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Tue, 11 Sep 2012 17:37:11 -0400 (EDT)
Jan/Kurt,The bug report appears to be describing a narrow class of vulnerability that could affect multiple codebases that implement Java Virtual Machines, not just Oracle's; if so, then a separate CVE would be needed for each REPORTED codebase, and CVE-2012-4416 is ONLY for bug id 7196857 for the Oracle-supported JVM.
I wonder about the severity of the issue, but given the possibility that applications might access an array before a fill, and applications may depend on there being "empty" elements after initialization, this seems reasonable for a CVE.
- Steve
Current thread:
- CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Jan Lieskovsky (Sep 11)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Kurt Seifried (Sep 11)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Steven M. Christey (Sep 11)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Florian Weimer (Sep 12)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Jan Lieskovsky (Sep 12)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Kurt Seifried (Sep 12)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Tomas Hoger (Sep 20)