Red Hat Bugzilla – Bug 856588
CVE-2012-4420 java-1.7.0-openjdk: JVM heap memory disclosure
Last modified: 2012-10-17 03:55:51 EDT
An information disclosure flaw was found in the way the Java Virtual Machine (JVM) implementation of Java SE 7, as provided by OpenJDK 7, initialized integer arrays (they had nonzero elements right after the allocation in certain circumstances). An attacker could use this flaw to obtain potentially sensitive information. This flaw may also lead to various functionality problems that do not have security impacts.
References (including the reproducer):
This is a serious bug, not just an "information disclosure flaw".
The JLS says that all variables are initialized to 0/null, and code often relies on this fact.
I arrived here, finding this bug report, after tracking down an extremely serious issue with live production code. This isn't just "information disclosure", it's a problem with math not working in running code.
Thank goodness for the "-XX:-OptimizeFill" argument.
(In reply to comment #1)
> This is a serious bug, not just an "information disclosure flaw".
This is a CVE tracking bug, intended primarily to capture the security impact of this flaw. I have added a note about non-security impacts to the flaw description.
*** This bug has been marked as a duplicate of bug 856124 ***