Bug 856588 (CVE-2012-4420)

Summary: CVE-2012-4420 java-1.7.0-openjdk: JVM heap memory disclosure
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Version: unspecified
CC: ahughes, dbhole, djorm, fweimer, jon.vanalten, jvanek, lkundrak, mjw, mmatejov, omajid, ray, yozone
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-10-17 07:54:50 UTC
Bug Blocks: 862579

Description Jan Lieskovsky 2012-09-12 11:17:02 UTC
An information disclosure flaw was found in the way the Java Virtual Machine (JVM) implementation of Java SE 7, as provided by OpenJDK 7, used to initialize integer arrays (they had nonzero elements right after allocation in certain circumstances). An attacker could use this flaw to obtain potentially sensitive information. This flaw may also lead to various functionality problems that do not have security impacts.

References (including the reproducer):
[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857
[2] http://www.openwall.com/lists/oss-security/2012/09/12/4

Comment 1 Ray Greenwell 2012-09-19 23:19:31 UTC
This is a serious bug, not just an "information disclosure flaw".

The JLS says that all variables are initialized to 0/null, and code often relies on this fact.

I arrived here, finding this bug report, after tracking down an extremely serious issue with live production code. This isn't just "information disclosure", it's a problem with math not working in running code.

Thank goodness for the "-XX:-OptimizeFill" argument.

Comment 2 David Jorm 2012-09-20 01:36:41 UTC
(In reply to comment #1)
> This is a serious bug, not just an "information disclosure flaw".

This is a CVE tracking bug, intended primarily to capture the security impact of this flaw. I have added a note about non-security impacts to the flaw description.

Comment 3 Tomas Hoger 2012-10-17 07:54:50 UTC

*** This bug has been marked as a duplicate of bug 856124 ***

Comment 4 Doran Moppert 2020-02-10 04:20:55 UTC
Statement:

This flaw was found to be a duplicate of CVE-2012-4416. Please see https://access.redhat.com/security/cve/CVE-2012-4416 for information about affected products and security errata.
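
The guarantee that the description and comment 1 turn on (a freshly allocated integer array reads as all zeros) can be checked on a given JVM build with a small self-test. This is an added example, not the reproducer from the references and not code from this bug; the class name, array sizes, partial-fill loop shape and round count are assumptions, and a clean run does not prove a build is unaffected.

```java
import java.util.Arrays;

// Added example: checks that a newly allocated int[] is zero where nothing was written.
// The partial-fill pattern and all sizes are assumptions, not the referenced reproducer.
public class ZeroInitCheck {

    // Allocates int[size], writes `value` to [from, size) only, and returns how many
    // elements of the untouched prefix [0, from) are nonzero (must be 0 per the JLS).
    static int nonZeroPrefix(int size, int from, int value) {
        int[] a = new int[size];
        for (int i = from; i < size; i++) {
            a[i] = value;               // fill-style loop a JIT may turn into a bulk fill
        }
        int bad = 0;
        for (int i = 0; i < from; i++) {
            if (a[i] != 0) bad++;
        }
        return bad;
    }

    // Writes a recognizable pattern into heap memory so that a skipped zeroing
    // of a later allocation would show up as nonzero data.
    static int[] dirty(int size) {
        int[] junk = new int[size];
        Arrays.fill(junk, 0x5A5A5A5A);
        return junk;
    }

    public static void main(String[] args) {
        int rounds = args.length > 0 ? Integer.parseInt(args[0]) : 200_000;
        long violations = 0;
        long sink = 0;                  // keeps the dirtying allocations observable
        for (int r = 0; r < rounds; r++) {
            int size = 64 + (r % 193);  // vary sizes across rounds
            sink += dirty(size)[r % size];
            violations += nonZeroPrefix(size, size / 3, r | 1);
        }
        System.out.println("java.vm.version=" + System.getProperty("java.vm.version"));
        System.out.println("rounds=" + rounds + " violations=" + violations
                + " (sink " + sink + ")");
        if (violations != 0) {
            System.exit(1);             // nonzero exit so CI or a package test can fail
        }
    }
}
```

Running it once with default options and once with the `-XX:-OptimizeFill` argument mentioned in comment 1 shows whether the workaround changes the result on the build under test.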