Red Hat Bugzilla – Bug 1031471
CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars
Last modified: 2016-09-09 16:30:36 EDT
It has been identified that it is possible to inject malicious unsigned bytecode into a signed JAR without failing jarsigner verification. This flaw could be exploited in environments where contents of a verified JAR is considered trusted and unpacked for use.
Note that if the signed JAR is used at runtime, with signature intact, a fatal runtime exception is thrown.
This issue was discovered by Arun Babu Neelicattu of the Red Hat Security Response Team.
This was fixed publicly by upstream
(In reply to Kurt Seifried from comment #3)
> This was fixed publicly by upstream
The fix was included in OpenJDK, Oracle JDK and IBM JDK updates released to address January 2014 CPU security issues. Upstream considered it security hardening rather than vulnerability fix.