Florian Weimer discovered that AtomicReferenceFieldUpdater in OpenJDK does not properly check if the field to be updated is of primitive type. An untrusted Java application or applet could use flaw to trigger Java virtual machine memory corruption and possibly bypass Java sandbox restrictions. AtomicReferenceFieldUpdater API documentation: http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/atomic/AtomicReferenceFieldUpdater.html This issue is mitigated by the bug that prevents Atomic*FieldUpdater instances when code runs under security manager restrictions under OpenJDK and Oracle JDK 6 and 7. The bug was fixed in JDK8: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7103570 http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7131655 http://hg.openjdk.java.net/jdk8/tl/jdk/rev/48513d156965 Acknowledgement: This issue was discovered by Florian Weimer of Red Hat Product Security.
Created attachment 873749 [details] Proposed patch from Florian Weimer
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2014:0890 https://rhn.redhat.com/errata/RHSA-2014-0890.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:0889 https://rhn.redhat.com/errata/RHSA-2014-0889.html
Fixed now in Oracle Java SE 5u71, 6.0u81, 7.0u65, and 8.0u11 via Critical Patch Update July 2014. Fixed in IcedTea 1.13.4 for OpenJDK 6: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-July/028550.html Fixed in IcedTea 2.5.1 for OpenJDK 7: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-July/028584.html OpenJDK 6 Patch(es): http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/b298e08560f7 OpenJDK 7 Patch(es): http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/3bb943c6ff7d External reference: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA
This issue has been addressed in following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2014:0902 https://rhn.redhat.com/errata/RHSA-2014-0902.html
This issue has been addressed in following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2014:0908 https://rhn.redhat.com/errata/RHSA-2014-0908.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:0907 https://rhn.redhat.com/errata/RHSA-2014-0907.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2014:1033 https://rhn.redhat.com/errata/RHSA-2014-1033.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2014:1036 https://rhn.redhat.com/errata/RHSA-2014-1036.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2014:1042 https://rhn.redhat.com/errata/RHSA-2014-1042.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2014:1041 https://rhn.redhat.com/errata/RHSA-2014-1041.html
This issue has been addressed in the following products: Red Hat Satellite Server v 5.6 Via RHSA-2015:0264 https://rhn.redhat.com/errata/RHSA-2015-0264.html