Bug 856124 (CVE-2012-4416)

Summary: CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: ahughes, dbhole, djorm, fweimer, jon.vanalten, jvanek, lkundrak, mark, mmatejov, omajid
Keywords: Security
Hardware: All
OS: Linux
Whiteboard:
  impact=low, public=20120907, reported=20120911, source=internet,
  cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,
  rhel-5/java-1.6.0-openjdk=affected, rhel-6/java-1.6.0-openjdk=affected,
  rhel-5/java-1.7.0-openjdk=affected, rhel-6/java-1.7.0-openjdk=affected,
  rhel-5/java-1.6.0-sun=affected, rhel-6/java-1.6.0-sun=affected,
  rhel-5/java-1.7.0-oracle=affected, rhel-6/java-1.7.0-oracle=affected,
  rhel-5/java-1.4.2-ibm=notaffected, rhel-5/java-1.5.0-ibm=notaffected, rhel-6/java-1.5.0-ibm=notaffected,
  rhel-5/java-1.6.0-ibm=notaffected, rhel-6/java-1.6.0-ibm=notaffected,
  rhel-5/java-1.7.0-ibm=notaffected, rhel-6/java-1.7.0-ibm=notaffected
Fixed In Version: icedtea6 1.10.10, icedtea6 1.11.5, icedtea7 2.1.3, icedtea7 2.2.3, icedtea7 2.3.3
Doc Type: Bug Fix
Last Closed: 2012-10-26 03:20:46 EDT
Bug Blocks: 862579

Description Jan Lieskovsky 2012-09-11 05:08:42 EDT
An information disclosure flaw was found in the way the Java Virtual Machine (JVM) implementation of Oracle Java SE 7 initialized integer arrays (under certain circumstances they had nonzero elements right after allocation). An attacker could use this flaw to obtain potentially sensitive information.

References (including the reproducer):
[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857
Comment 1 Jan Lieskovsky 2012-09-11 05:12:03 EDT
Local copy of the reproducer, workaround and further issue occurrence details from [1]:
=============================================================================

This bug can always be reproduced.

---------- BEGIN SOURCE ----------
import java.util.Arrays;

public class JvmBug {
    public static void main(String[] args) {
        int[] a;
        int n = 0;
        for (int i = 0; i < 100000000; ++i) {
            // A freshly allocated int[] must contain only zeros; anything else
            // is memory the JVM failed to clear.
            a = new int[10];
            for (int f : a)
                if (f != 0)
                    throw new RuntimeException("Array just after allocation: " + Arrays.toString(a));
            // This complete fill is what triggers the bug: the optimizer drops
            // the allocation-time zeroing because of it, ignoring the reads above.
            Arrays.fill(a, 0);
            for (int j = 0; j < a.length; ++j)
                a[j] = (n - j) * i;
            for (int f : a)
                n += f;
        }
        System.out.println(n);
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND:
Add Arrays.fill(a, 0) just after array initialization.

The bug reproduces with the fill or with a zeroing for loop, but not without.

So the compiler correctly matches a complete array fill, but the check for uses between the allocation and the fill is faulty.
Comment 2 Jan Lieskovsky 2012-09-11 05:24:20 EDT
CVE Request:
http://www.openwall.com/lists/oss-security/2012/09/11/1
Comment 5 Jan Lieskovsky 2012-09-11 13:37:28 EDT
The CVE identifier of CVE-2012-4416 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/09/11/6
Comment 6 David Jorm 2012-09-12 06:30:21 EDT
This flaw only affects the Oracle and OpenJDK implementations of Java 7, older versions and the IBM implementation are not affected.
Comment 7 Jan Lieskovsky 2012-09-12 07:03:10 EDT
After clarification from Mitre:
[2] http://www.openwall.com/lists/oss-security/2012/09/11/9

the CVE identifier CVE-2012-4416 should be used only for Oracle's codebase / Oracle JVM implementation.

The same problem as present in Java SE 7 provided by OpenJDK 7 should be referred to by a different CVE id, the assignment of which is currently pending:
http://www.openwall.com/lists/oss-security/2012/09/12/4
Comment 8 Jan Lieskovsky 2012-09-12 07:21:38 EDT
(In reply to comment #7)
> The same problem as present in Java SE 7 provided by OpenJDK 7 should be
> referred to by a different CVE id, the assignment of which is currently
> pending:
> http://www.openwall.com/lists/oss-security/2012/09/12/4

This flaw as it affects OpenJDK is now being tracked by a separate CVE ID, CVE-2012-4420 (bug 856588).
Comment 9 Tomas Hoger 2012-10-17 03:40:13 EDT
Fixed now in Oracle JDK 7u9 and 6u37.  It seems Java 6 has this incorrect optimization too, even though the problem was not triggered by the test case.

External Reference:

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
Comment 10 Tomas Hoger 2012-10-17 03:54:22 EDT
(In reply to comment #8)

> This flaw as it affects OpenJDK is now being tracked by a separate CVE ID,
> CVE-2012-4420 (bug 856588).

As Hotspot is a component that is part of both Oracle JDK and OpenJDK, the above assignment is a duplicate.
Comment 11 Tomas Hoger 2012-10-17 03:54:50 EDT
*** Bug 856588 has been marked as a duplicate of this bug. ***
Comment 12 Tomas Hoger 2012-10-17 03:58:40 EDT
Fix included in IcedTea6 versions 1.10.10 and 1.11.5:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020556.html
http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/d9564350faa6/patches/security/20121016/7198606.patch

(Patch disables optimization until proper fix is created.)
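An added triage helper, not part of this bug report, of OpenJDK or of IcedTea, that maps the fix levels recorded above (IcedTea6 1.10.10 and 1.11.5, IcedTea7 2.1.3, 2.2.3 and 2.3.3 from the Fixed In Version field and comment 12; Oracle JDK 6u37 and 7u9 from comment 9; IBM not affected per comment 6) onto the banner printed by `java -version`. The banner shapes it parses (an "IcedTeaN x.y.z" token for IcedTea builds, `java version "1.N.0_UU"` for Oracle, an "IBM" marker for IBM) are assumptions, and the sample banners in the check are constructed, not captured transcripts. A distro OpenJDK build that does not expose its IcedTea release in the banner is reported as unknown rather than guessed.

```python
import re
import subprocess

# Fix levels as recorded in this bug: IcedTea6 1.10.10 and 1.11.5,
# IcedTea7 2.1.3, 2.2.3 and 2.3.3 (Fixed In Version, comment 12), Oracle
# JDK 6u37 and 7u9 (comment 9).  Branches not listed here are reported as
# "unknown" rather than guessed.
ICEDTEA_FIXED = {
    (1, 10): (1, 10, 10),
    (1, 11): (1, 11, 5),
    (2, 1): (2, 1, 3),
    (2, 2): (2, 2, 3),
    (2, 3): (2, 3, 3),
}
ORACLE_FIXED = {6: 37, 7: 9}  # Java family -> first fixed update level

# Assumed banner shapes (not taken from the bug report):
#   IcedTea builds: "OpenJDK Runtime Environment (IcedTea7 2.3.2) (...)"
#   Oracle JDK:     'java version "1.7.0_07"'
#   IBM JDK:        a line containing "IBM"
ICEDTEA_RE = re.compile(r"IcedTea\d?\s+(\d+)\.(\d+)\.(\d+)")
ORACLE_RE = re.compile(r'java version "1\.(\d)\.0_(\d+)')


def classify(banner: str) -> str:
    """Classify a `java -version` transcript against the fix levels above.

    Returns "fixed", "affected", "not affected" (IBM, per comment 6) or
    "unknown" when the banner does not carry enough to decide.
    """
    m = ICEDTEA_RE.search(banner)
    if m:
        major, minor, micro = (int(x) for x in m.groups())
        fixed = ICEDTEA_FIXED.get((major, minor))
        if fixed is None:
            return "unknown"
        return "fixed" if (major, minor, micro) >= fixed else "affected"

    if "IBM" in banner:
        return "not affected"

    # Distro OpenJDK builds may hide the IcedTea release inside a vendor
    # build tag; the Oracle update level does not map cleanly onto IcedTea
    # releases, so refuse to guess for any OpenJDK banner without the token.
    if "OpenJDK" in banner or "icedtea" in banner.lower():
        return "unknown"

    m = ORACLE_RE.search(banner)
    if m:
        family, update = int(m.group(1)), int(m.group(2))
        fixed = ORACLE_FIXED.get(family)
        if fixed is None:
            return "unknown"
        return "fixed" if update >= fixed else "affected"
    return "unknown"


def classify_local_jvm() -> str:
    """Run the real `java -version` (it writes to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(classify_local_jvm())
```

Run it on a host to get one of the four verdicts for the JVM on PATH; when it answers "unknown" for an OpenJDK build, fall back to the package version against the errata listed below rather than trusting the update number alone.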
Comment 13 errata-xmlrpc 2012-10-17 12:10:30 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1386 https://rhn.redhat.com/errata/RHSA-2012-1386.html
Comment 14 errata-xmlrpc 2012-10-17 12:10:45 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1385 https://rhn.redhat.com/errata/RHSA-2012-1385.html
Comment 15 errata-xmlrpc 2012-10-17 12:11:31 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1384 https://rhn.redhat.com/errata/RHSA-2012-1384.html
Comment 17 errata-xmlrpc 2012-10-18 12:45:43 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1391 https://rhn.redhat.com/errata/RHSA-2012-1391.html
Comment 18 errata-xmlrpc 2012-10-18 12:56:38 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html