Bug 856588 (CVE-2012-4420) - CVE-2012-4420 java-1.7.0-openjdk: JVM heap memory disclosure
Summary: CVE-2012-4420 java-1.7.0-openjdk: JVM heap memory disclosure
Status: CLOSED DUPLICATE of bug 856124
Alias: CVE-2012-4420
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 862579
TreeView+ depends on / blocked
Reported: 2012-09-12 11:17 UTC by Jan Lieskovsky
Modified: 2021-02-23 13:54 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-10-17 07:54:50 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2012-09-12 11:17:02 UTC
An information disclosure flaw was found in the way Java Virtual Machine (JVM) implemenation of Java SE 7 as provided by OpenJDK 7, used to initialize integer arrays (they have had nonzero elements right after the allocation in certain circumstances). An attacker could use this flaw to obtain potentially sensitive information. This flaw may also lead to various functionality problems that do not have security impacts.

References (including the reproducer):
[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857
[2] http://www.openwall.com/lists/oss-security/2012/09/12/4

Comment 1 Ray Greenwell 2012-09-19 23:19:31 UTC
This is a serious bug, not just an "information disclosure flaw".

The JLS says that all variables are initialized to 0/null, and code often relies on this fact.

I arrived here, finding this bug report, after tracking down an extremely serious issue with live production code. This isn't just "information disclosure", it's a problem with math not working in running code.

Thank goodness for the "-XX:-OptimizeFill" argument.

Comment 2 David Jorm 2012-09-20 01:36:41 UTC
(In reply to comment #1)
> This is a serious bug, not just an "information disclosure flaw".

This is a CVE tracking bug, intended primarily to capture the security impact of this flaw. I have added a note about non-security impacts to the flaw description.

Comment 3 Tomas Hoger 2012-10-17 07:54:50 UTC

*** This bug has been marked as a duplicate of bug 856124 ***

Comment 4 Doran Moppert 2020-02-10 04:20:55 UTC

This flaw was found to be a duplicate of CVE-2012-4416. Please see https://access.redhat.com/security/cve/CVE-2012-4416 for information about affected products and security errata.

Note You need to log in before you can comment on or make changes to this bug.