Should this be written up at https://bugreport.java.com/bugreport/ , or
does it deserve special treatment as a security vulnerability (and if
so, what is that protocol)?
I was unable to review the document without an IBM account, so I can’t
comment further on the problem or any potential resolution(s).
Sruthy: if you are an Oracle customer or partner there may be other
faster channels
<https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html>
to discuss this.
Regards,
- Jeremy
------ Original Message ------
From "Sruthy Jayan" <srutj...@in.ibm.com>
To "client-libs-dev@openjdk.org" <client-libs-dev@openjdk.org>
Cc "Swathi Kalahastri" <swkal...@in.ibm.com>; "Syed Moinudeen"
<smoin...@in.ibm.com>
Date 6/4/2025 1:42:01 AM
Subject Security Concern: JPasswordField Revealing Passwords in Memory
Hi Team,
We are encountering a potential security issue with JPasswordField in
the latest version of OpenJDK. While the issue is not present in OpenJ9
version 0.40.0, it becomes reproducible in version 0.41.0.
Specifically, after typing or pasting a password into the field, memory
inspection tools can reveal the password in plain text—even before the
password is submitted or any action is triggered.
This behaviour is reproducible and raises concerns about sensitive data
being exposed unintentionally.
We have attached a detailed document ( ClearPasswordInMemoryIssue
1.docx
<https://ibm-my.sharepoint.com/:w:/p/srutjay1_in/ETwf5z9omRlAoetv7snbnFcBrHxJwGXJpeDcvSv7Svp7Rw>)
outlining the issue, steps to reproduce, and our observations.
Could someone from the community assist us in investigating or
addressing this issue? Please let us know if any additional information
is needed.
Thank you for your time and support.
Best Regards,
Sruthy Jayan
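For readers of the thread: the report above concerns what the field keeps internally, which the application does not control. What the application does control is how it reads the value out. The following is an added example, not code from the thread or from the JDK, showing the documented contract: getPassword() hands back a fresh char[] the caller can zero, whereas getText() (deprecated on JPasswordField) would yield an immutable String. The expected secret and the matches() helper are constructed for the example; the assumption that a JPasswordField can be built without a display (java.awt.headless=true) is mine.

```java
import javax.swing.JPasswordField;
import java.util.Arrays;

/**
 * Added example (not from the thread or the JDK): take a password out of a
 * JPasswordField as a char[], verify it, and zero the copy the caller owns.
 */
public class PasswordFieldHandling {

    // Hypothetical expected secret, constructed for the example only.
    private static final char[] EXPECTED = {'h', 'u', 'n', 't', 'e', 'r', '2'};

    // Constant-time comparison of two char arrays. Assumption: this stands
    // in for whatever verifier the application actually uses; not Swing API.
    static boolean matches(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Reads the field, verifies the value, and clears the copy it received.
    static boolean verifyAndClear(JPasswordField field) {
        // getPassword() returns a new char[] owned by the caller.
        // getText() (deprecated on JPasswordField) would return a String,
        // which cannot be overwritten once created.
        char[] entered = field.getPassword();
        try {
            return matches(entered, EXPECTED);
        } finally {
            Arrays.fill(entered, '\0'); // wipe the caller's copy
            field.setText("");          // drop the field's current content
        }
    }

    public static void main(String[] args) {
        // Assumption: JPasswordField is a lightweight component and can be
        // constructed with -Djava.awt.headless=true, so no window is needed.
        JPasswordField field = new JPasswordField();
        field.setText("hunter2"); // stands in for the user typing or pasting
        boolean ok = verifyAndClear(field);
        System.out.println("match: " + ok
                + ", field now empty: " + (field.getPassword().length == 0));
    }
}
```

Arrays.fill only covers the array the application received; any String produced by getText(), by string concatenation, or by logging is out of reach, and whether the field's own Document storage still holds the characters after setText("") is exactly the question the report above raises.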