Bug 689445

Summary: OpenJDK Trusted Method chaining calling System.exit
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: ahughes, dbhole, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-10 22:27:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Marc Schoenefeld 2011-03-21 14:42:38 UTC
The blog post at http://slightlyrandombrokenthoughts.blogspot.com/2011/01/trusted-method-chaining-to-systemexit.html describes how to construct a trusted method chain that calls into System.exit. While it could be difficult to work around the general problem of trusted method chains, a straightforward fix for this would be to

* replace the System.exit call with throwing an IllegalArgumentException in com.sun.org.apache.bcel.internal.classfile.Utility.codeToString()

so attackers would no longer be able to shut down the JVM.

Looks like Oracle doesn't have urgent plans to fix this, so this security patch will need propagation upstream into the OpenJDK source code.
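The fix proposed in the report, as an added illustration in Java that is not the reporter's, BCEL's or OpenJDK's own code: a constructed opcode decoder modelled on the pattern described for Utility.codeToString(), with the weak System.exit default shown beside the hardened variant that throws IllegalArgumentException, so a malformed class file fails only the caller's operation rather than terminating the JVM. The opcode table, class name and method names are constructed for this example.

```java
import java.util.Map;

// Constructed example, not BCEL's Utility.codeToString(): a tiny opcode
// decoder that shows the two ways of handling an opcode it does not know.
public final class OpcodeDecoder {
    // Constructed subset of JVM opcode mnemonics.
    private static final Map<Integer, String> MNEMONICS = Map.of(
        0x00, "nop", 0x01, "aconst_null", 0x10, "bipush", 0xb1, "return");

    // Weak pattern: library code decides the process must die. Reached through
    // a fully trusted call chain, this ends the JVM for every caller in it.
    public static String codeToStringWeak(int opcode) {
        String m = MNEMONICS.get(opcode);
        if (m == null) {
            System.err.println("Unknown opcode " + opcode);
            System.exit(1); // takes the whole JVM down
        }
        return m;
    }

    // Hardened pattern: report the malformed input to the caller, who can
    // reject this class file and keep running.
    public static String codeToString(int opcode) {
        String m = MNEMONICS.get(opcode);
        if (m == null) {
            throw new IllegalArgumentException(
                String.format("Unknown opcode 0x%02x", opcode));
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed bytecode: nop, return, then an invalid opcode 0xff.
        int[] code = {0x00, 0xb1, 0xff};
        for (int op : code) {
            try {
                System.out.println(codeToString(op));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected class file: " + e.getMessage());
            }
        }
        // codeToStringWeak(0xff) would instead terminate the process here.
    }
}
```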

Comment 1 Andrew John Hughes 2018-04-09 20:29:30 UTC
FWIW, I can't see the problem code in the version of JAXP imported into OpenJDK 6 on 2013-05-17 or OpenJDK 7 on 2011-12-22.

changeset:   73:3cda33454120
user:        andrew
date:        Fri May 17 15:39:15 2013 +0100
summary:     OPENJDK6-6: Include JAXP sources in main repository once again

changeset:   286:d9891683fc16
parent:      280:26f5422f16af
user:        joehw
date:        Thu Dec 22 14:00:00 2011 -0800
summary:     7121110: JAXP 1.4.5 update 1 for 7u4