The blog post on http://slightlyrandombrokenthoughts.blogspot.com/2011/01/trusted-method-chaining-to-systemexit.html describes how to construct a trusted method chain that calls into System.exit. While it could be difficult to work around the general problem of trusted method chains, a straightforward fix for this would be to replace the System.exit call with throwing an IllegalArgumentException in com.sun.org.apache.bcel.internal.classfile.Utility.codeToString() so attackers would no longer be able to shut down the JVM. Looks like Oracle has no urgent plans to fix this, so this security patch will need propagation upstream into the OpenJDK source code.
FWIW, I can't see the problem code in the version of JAXP imported into OpenJDK 6 on 2013-05-17 or OpenJDK 7 on 2011-12-22:

changeset:   73:3cda33454120
user:        andrew
date:        Fri May 17 15:39:15 2013 +0100
summary:     OPENJDK6-6: Include JAXP sources in main repository once again

changeset:   286:d9891683fc16
parent:      280:26f5422f16af
user:        joehw
date:        Thu Dec 22 14:00:00 2011 -0800
summary:     7121110: JAXP 1.4.5 update 1 for 7u4