Hello,
This email is related to
http://security-tracker.debian.org/tracker/CVE-2011-3556
Basically, one of our RMI applications is failing to start after the
security update to java 6b18-1.8.10-0~lenny1.
I have tried to run the test case specified as part of
http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/7ed2fd310470
http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/d27f0b2f1476
and it fails with an exception trace similar to:
Exceptions
2011-12-13 17:28:18,346 [main] ERROR com.gleim.gacs.Gacs -
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
    java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
    java.lang.ClassNotFoundException: access to class loader denied
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
    java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
    java.lang.ClassNotFoundException: access to class loader denied
    at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:419)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:267)
    at sun.rmi.transport.Transport$1.run(Transport.java:177)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:173)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:553)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:808)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:667)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:636)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:273)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:251)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:377)
    at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
    at java.rmi.Naming.rebind(Naming.java:177)
    at com.gleim.gacs.Gacs.startup(Gacs.java:49)
    at com.gleim.gacs.Gacs.main(Gacs.java:103)
Caused by: java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
    java.lang.ClassNotFoundException: access to class loader denied
    at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
    at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:409)
Caused by: java.lang.ClassNotFoundException: access to class loader denied
    at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:445)
    at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:182)
    at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:637)
    at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:264)
    at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:214)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1592)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1513)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1749)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1346)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:368)
    ... 12 more
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission ////usr/local/gcss2/gacs/- read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
    at java.security.AccessController.checkPermission(AccessController.java:553)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at sun.rmi.server.LoaderHandler$Loader.checkPermissions(LoaderHandler.java:1173)
    at sun.rmi.server.LoaderHandler$Loader.access$000(LoaderHandler.java:1127)
    at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:409)
The code and the test case both work fine with the previous security
java version "1.6.0_18"
OpenJDK Runtime Environment (IcedTea6 1.8.7) (6b18-1.8.7-2~lenny1)
Is there a way for somebody to re-review
http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/7ed2fd310470 ?
Have a great day.
--
Andrei Sura
Software Developer
IT Department
Gleim Publications, Inc.
4201 NW 95th Blvd
Gainesville, FL. 32606
http://www.gleim.com