Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs)

[Jan Lieskovsky <jlieskov () redhat com>]

Hello Steve,

  thank you for the clarification.

> Jan/Kurt,
>
> The bug report appears to be describing a narrow class of vulnerability 
> that could affect multiple codebases that implement Java Virtual Machines, 
> not just Oracle's;

That's true, my yesterday's request was too wide, because in that moment we were
not sure yet, which concrete JVM implementations would be affected by this
deficiency (and which not).

> if so, then a separate CVE would be needed for each 
> REPORTED codebase, and CVE-2012-4416 is ONLY for bug id 7196857 for the 
> Oracle-supported JVM.

Anyway, upon David's review (Cc-ed too) we can announce that this problem would
affect / is specific only to Oracle Java SE 7 (java-1.7.0-oracle), and
Java SE 7 as provided by OpenJDK 7 (java-1.7.0-openjdk).

So after above suggestion we will use CVE-2012-4416 for Oracle's codebase /
Oracle supported JVM and the OpenJDK one should obtain another CVE identifier.

I will clarify this situation in our bugs too yet.

Kurt, could you allocate another CVE id then for the OpenJDK part of the
story?

> I wonder about the severity of the issue, but given the possibility that 
> applications might access an array before a fill, and applications may 
> depend on there being "empty" elements after initialization, this seems 
> reasonable for a CVE.

Florian clarified on this already (why to assign CVE id for these is appropriate
approach).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> - Steve