An information disclosure flaw was found in the way the Java Virtual Machine (JVM) implementation of Oracle Java SE 7 used to initialize integer arrays (they had nonzero elements right after allocation in certain circumstances). An attacker could use this flaw to obtain potentially sensitive information.

References (including the reproducer):
[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857
Local copy of the reproducer, workaround and further issue occurrence details from [1]:
=============================================================================
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.util.Arrays;

public class JvmBug {
    public static void main(String[] args) {
        int[] a;
        int n = 0;
        for (int i = 0; i < 100000000; ++i) {
            a = new int[10];
            // A freshly allocated array must contain only zeros; on an affected
            // JVM the JIT has dropped the zeroing and this check fires.
            for (int f : a)
                if (f != 0)
                    throw new RuntimeException("Array just after allocation: " + Arrays.toString(a));
            Arrays.fill(a, 0);
            for (int j = 0; j < a.length; ++j)
                a[j] = (n - j) * i;
            for (int f : a)
                n += f;
        }
        System.out.println(n);
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Add Arrays.fill(a,0) just after array initialization. The bug reproduces with the fill or with a zeroing for loop, but not without. So the compiler correctly matches a complete array fill, but the check for uses between the allocation and the fill is faulty.
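The faulty decision described in the comment above (zeroing of a new array elided because a complete fill follows, without checking for reads in between), modelled as an added example. This is a constructed illustration, not HotSpot code or anything from the bug report: the op encoding, the two rule functions and the stale heap contents are all assumptions made here.

```python
# Toy model of the zeroing-elimination decision behind CVE-2012-4416.
# A new int[] must start as all zeros; a JIT may skip that zeroing when the
# whole array is overwritten anyway. The bug: the check ignored reads of the
# array that happen *between* the allocation and the complete fill.

def faulty_can_skip_zeroing(ops):
    """Buggy rule: any complete fill after the allocation lets zeroing be elided."""
    return any(op == ("fill",) for op in ops)

def fixed_can_skip_zeroing(ops):
    """Fixed rule: complete fill AND no read of the array before that fill."""
    for op in ops:
        if op == ("fill",):
            return True
        if op[0] == "read":
            return False  # the program observes the array first: zeroing must stay
    return False

def run(ops, length, stale, skip_zeroing):
    """Execute the ops on an array carved from `stale` (bytes left in the heap by
    an earlier object). Returns every value the program read from the array."""
    a = list(stale[:length]) if skip_zeroing else [0] * length
    seen = []
    for op in ops:
        if op[0] == "read":
            seen.append(a[op[1]])
        elif op[0] == "write":
            a[op[1]] = op[2]
        elif op == ("fill",):
            a[:] = [0] * length
    return seen

def leaked(ops, length, stale, rule):
    """Read values that differ from the zero a fresh array is guaranteed to hold."""
    return [v for v in run(ops, length, stale, rule(ops)) if v != 0]

# Shape of the reproducer's loop body: read every element right after the
# allocation (the `f != 0` check), then Arrays.fill(a, 0), then write elements.
LENGTH = 10
REPRODUCER_OPS = ([("read", i) for i in range(LENGTH)] + [("fill",)]
                  + [("write", i, 7) for i in range(LENGTH)])
# Constructed stale heap contents standing in for a previously freed array.
STALE_HEAP = [0xDEAD, 42, 0, -1, 99, 0, 0, 1234, 5, 6]

if __name__ == "__main__":
    print("faulty rule leaks:", leaked(REPRODUCER_OPS, LENGTH, STALE_HEAP, faulty_can_skip_zeroing))
    print("fixed rule leaks: ", leaked(REPRODUCER_OPS, LENGTH, STALE_HEAP, fixed_can_skip_zeroing))
```

Under the faulty rule the reads before the fill return whatever the heap slot previously held, which is exactly the information disclosure the reproducer's exception reports; under the fixed rule the array is zeroed and nothing leaks.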
CVE Request: http://www.openwall.com/lists/oss-security/2012/09/11/1
The CVE identifier of CVE-2012-4416 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/09/11/6
This flaw only affects the Oracle and OpenJDK implementations of Java 7; older versions and the IBM implementation are not affected.
After clarification from Mitre:
[2] http://www.openwall.com/lists/oss-security/2012/09/11/9
the CVE identifier of CVE-2012-4416 should be used only for Oracle's codebase / Oracle JVM implementation. The same problem present in Java SE 7 as provided by OpenJDK 7 should be referred to by another / different CVE id, which is currently pending assignment:
http://www.openwall.com/lists/oss-security/2012/09/12/4
(In reply to comment #7)
> The same problem present in Java SE 7 as provided by OpenJDK 7 should be
> referred by another / different CVE id, which is currently pending
> assignment yet:
> http://www.openwall.com/lists/oss-security/2012/09/12/4

This flaw as it affects OpenJDK is now being tracked by a separate CVE ID, CVE-2012-4420 (bug 856588).
Fixed now in Oracle JDK 7u9 and 6u37. It seems Java 6 has this incorrect optimization too, even though the problem was not triggered by the test case.

External Reference: http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
(In reply to comment #8)
> This flaw as it affects OpenJDK is now being tracked by a separate CVE ID,
> CVE-2012-4420 (bug 856588).

As Hotspot is a component that is part of both Oracle JDK and OpenJDK, the above assignment is a duplicate.
*** Bug 856588 has been marked as a duplicate of this bug. ***
Fix included in IcedTea6 versions 1.10.10 and 1.11.5:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020556.html
http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/d9564350faa6/patches/security/20121016/7198606.patch
(Patch disables the optimization until a proper fix is created.)
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:1386 https://rhn.redhat.com/errata/RHSA-2012-1386.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:1385 https://rhn.redhat.com/errata/RHSA-2012-1385.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:1384 https://rhn.redhat.com/errata/RHSA-2012-1384.html
Fix included in IcedTea7 versions 2.1.3, 2.2.3 and 2.3.3:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020571.html
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/hotspot/rev/0885feeea95c
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1391 https://rhn.redhat.com/errata/RHSA-2012-1391.html
This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html