That’s the only change in the changeset and the last time that file was updated in OpenJDK was 2012, so I think that’s it. I know it’s very little, that’s why I asked if people agree it’s a vulnerability – it doesn’t feel like the kind of issue described, but I don’t think Oracle would have published a CVE for it if they didn’t think it was.
From: Gary Gregory [mailto:[email protected]]
Sent: Thursday, April 19, 2018 2:24 PM
To: [email protected]
Subject: [EXTERNAL] Re: CVE-2018-2799

So the idea is that the code blows up if nodes is _not_ a Vector. But, a Vector is not bound either. Is there more to the fix than that?

Gary

On Thu, Apr 19, 2018 at 12:16 PM, David Dillard <[email protected]<mailto:[email protected]>> wrote:

Hi,

Tuesday, Oracle released its Quarterly Critical Patch Update, which included some fixes for Java<http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA>. I saw that one of those fixes was for JAXP (CVE-2018-2799). Going to Red Hat’s CVE database to get a real description<https://bugzilla.redhat.com/show_bug.cgi?id=1567542> of the issue, it says: “It was discovered that the implementation of the NamedNodeMapImpl class in the JAXP component of OpenJDK did not limit the amount of memory allocated when creating object instance from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized.” It also includes the OpenJDK issue #. Looking for that change in the OpenJDK repository<http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/5279c6da822e>, it shows a small change in readObject that is not found in the current Apache Xerces code.
Current Xerces code<https://github.com/apache/xerces2-j/blob/trunk/src/org/apache/xerces/dom/NamedNodeMapImpl.java#L604>:

    private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (nodes != null) {
            nodes = new ArrayList(nodes);
        }
    }

Current OpenJDK code<http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/file/5279c6da822e/src/com/sun/org/apache/xerces/internal/dom/NamedNodeMapImpl.java#l606>:

    private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (nodes != null) {
            // cast to Vector is required
            nodes = new ArrayList((Vector)nodes);
        }
    }

Should this modification be made to Xerces? Do people agree that it’s a vulnerability?

Thanks,
David
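The following is an added example and not code from this thread, from Xerces or from OpenJDK. It uses a hypothetical stand-in class (BoundedNodeMap) to show the two things the exchange above turns on: the OpenJDK-style type check on the deserialized `nodes` field (anything that is not a Vector is rejected instead of being copied), and, addressing Gary's point that a Vector is not bounded either, an assumed size cap (MAX_NODES, a value chosen here, not defined by either project) applied before the second copy is made. The writeObject converts the list to a Vector so that the serialized form matches what the readObject expects.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Vector;

// Hypothetical stand-in for a serializable node map; not Xerces' NamedNodeMapImpl.
public class BoundedNodeMap implements Serializable {
    private static final long serialVersionUID = 1L;

    // Assumed upper bound on entries accepted from a stream (neither project defines this).
    static final int MAX_NODES = 10_000;

    // Serialized as a Vector for stream compatibility; held as an ArrayList at runtime.
    protected List nodes;

    public BoundedNodeMap(List<String> initial) {
        this.nodes = (initial == null) ? null : new ArrayList<String>(initial);
    }

    public int size() {
        return (nodes == null) ? 0 : nodes.size();
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        List runtimeNodes = this.nodes;
        if (runtimeNodes != null) {
            this.nodes = new Vector(runtimeNodes);   // stream form is always a Vector
        }
        out.defaultWriteObject();
        this.nodes = runtimeNodes;                   // restore the runtime representation
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (nodes != null) {
            // Same effect as the OpenJDK cast: a stream carrying any other List type fails here.
            if (!(nodes instanceof Vector)) {
                throw new InvalidObjectException(
                    "nodes must be a Vector, got " + nodes.getClass().getName());
            }
            // Added bound (assumption): refuse oversized maps before making the second copy.
            if (nodes.size() > MAX_NODES) {
                throw new InvalidObjectException("too many nodes: " + nodes.size());
            }
            nodes = new ArrayList((Vector) nodes);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static BoundedNodeMap deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (BoundedNodeMap) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a small, legitimate map round-trips unchanged.
        List<String> small = new ArrayList<String>();
        small.add("id"); small.add("class"); small.add("href");
        BoundedNodeMap restored = deserialize(serialize(new BoundedNodeMap(small)));
        System.out.println("restored size = " + restored.size());          // 3

        // Constructed sample input: one entry over the assumed cap is rejected on read.
        List<String> big = new ArrayList<String>();
        for (int i = 0; i <= MAX_NODES; i++) big.add("attr" + i);
        try {
            deserialize(serialize(new BoundedNodeMap(big)));
            System.out.println("unexpected: oversized map accepted");
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that by the time `defaultReadObject()` returns, the Vector in the stream has already been allocated, so the in-class size check only prevents the second copy (the `new ArrayList(...)`). Bounding the first allocation is what JEP 290 serialization filters are for (Java 9+, and 8u121+ via `jdk.serialFilter`): a filter such as `maxarray=10000;maxdepth=20` installed with `ObjectInputStream.setObjectInputFilter` or the system property rejects the stream before the oversized array is created.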
