oss-sec mailing list archives
Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 12 Sep 2012 06:55:12 -0400 (EDT)
Hello Steve, thank you for the clarification.
Jan/Kurt, The bug report appears to be describing a narrow class of vulnerability that could affect multiple codebases that implement Java Virtual Machines, not just Oracle's;
That's true, my yesterday's request was too wide, because in that moment we were not sure yet, which concrete JVM implementations would be affected by this deficiency (and which not).
if so, then a separate CVE would be needed for each REPORTED codebase, and CVE-2012-4416 is ONLY for bug id 7196857 for the Oracle-supported JVM.
Anyway, upon David's review (Cc-ed too) we can announce that this problem would affect / is specific only to Oracle Java SE 7 (java-1.7.0-oracle), and Java SE 7 as provided by OpenJDK 7 (java-1.7.0-openjdk). So after above suggestion we will use CVE-2012-4416 for Oracle's codebase / Oracle supported JVM and the OpenJDK one should obtain another CVE identifier. I will clarify this situation in our bugs too yet. Kurt, could you allocate another CVE id then for the OpenJDK part of the story?
I wonder about the severity of the issue, but given the possibility that applications might access an array before a fill, and applications may depend on there being "empty" elements after initialization, this seems reasonable for a CVE.
Florian clarified on this already (why to assign CVE id for these is appropriate approach). Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
- Steve
Current thread:
- CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Jan Lieskovsky (Sep 11)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Kurt Seifried (Sep 11)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Steven M. Christey (Sep 11)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Florian Weimer (Sep 12)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Jan Lieskovsky (Sep 12)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Kurt Seifried (Sep 12)
- Re: CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Tomas Hoger (Sep 20)