I previously sent a similar issue to the Apache security team and they said that, since the issue had been publicly disclosed, I should just take it directly to the project; that's why I did so in this case.
From: Michael Glavassevich [mailto:[email protected]]
Sent: Thursday, April 19, 2018 4:21 PM
To: [email protected]
Subject: RE: [EXTERNAL] Re: CVE-2018-2799

This discussion should have probably started on security@ [1]. In future I would suggest reporting there before bringing it to one of the public lists.

I can confirm that the patch you've found treats the symptom of another problem but won't disclose details of what that problem is here. It's not specific to Xerces. I do agree that we should patch this.

Thanks.

[1] https://www.apache.org/security/

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: [email protected]
E-mail: [email protected]

David Dillard <[email protected]> wrote on 04/19/2018 02:36:54 PM:

> That's the only change in the changeset and the last time that file
> was updated in OpenJDK was 2012, so I think that's it. I know it's
> very little, that's why I asked if people agree it's a vulnerability
> – it doesn't feel like the kind of issue described, but I don't
> think Oracle would have published a CVE for it if they didn't think it was.
>
>
> From: Gary Gregory [mailto:[email protected]]
> Sent: Thursday, April 19, 2018 2:24 PM
> To: [email protected]
> Subject: [EXTERNAL] Re: CVE-2018-2799
>
> So the idea is that the code blows up if nodes is _not_ a Vector.
> But, a Vector is not bound either. Is there more to the fix than that?
>
> Gary
>
> On Thu, Apr 19, 2018 at 12:16 PM, David Dillard <[email protected]>
> wrote:
> Hi,
>
> Tuesday, Oracle released its Quarterly Critical Patch Update, which included
> some fixes for Java. I saw that one of those fixes was for JAXP
> (CVE-2018-2799). Going to Red Hat's CVE database to get a real description
> of the issue it says "It was discovered that the implementation of
> the NamedNodeMapImpl class in the JAXP component of OpenJDK did not
> limit the amount of memory allocated when creating object instance
> from a serialized form. A specially-crafted input could cause a
> Java application to use an excessive amount of memory when
> deserialized." It also includes the OpenJDK issue #. Looking for
> that change in the OpenJDK repository it shows a small change in
> readObject that is not found in the current Apache Xerces code.
>
> Current Xerces code:
>
>     private void readObject(ObjectInputStream in)
>         throws IOException, ClassNotFoundException {
>         in.defaultReadObject();
>         if (nodes != null) {
>             nodes = new ArrayList(nodes);
>         }
>     }
>
>
> Current OpenJDK code:
>
>     private void readObject(ObjectInputStream in)
>         throws IOException, ClassNotFoundException {
>         in.defaultReadObject();
>         if (nodes != null) {
>             // cast to Vector is required
>             nodes = new ArrayList((Vector)nodes);
>         }
>     }
>
>
> Should this modification be made to Xerces? Do people agree that
> it's a vulnerability?
>
> Thanks,
>
> David
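
The observable difference between the two readObject variants quoted above, as an added example that is not code from Xerces, OpenJDK or any participant in this thread. A hypothetical stand-in class (NodeMap; the class name, the STRICT switch and the helper methods are assumptions, only the nodes field and the readObject pattern come from the quoted snippets) is deserialized from a constructed stream whose nodes field holds an ArrayList instead of the Vector a legitimate writer would produce. The Xerces-style readObject accepts that stream and copies the list; the OpenJDK-style readObject fails at the cast with ClassCastException. Michael's point that the cast only treats the symptom of another, undisclosed problem stands, so the example shows nothing beyond what the quoted code itself does.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Vector;

public class ReadObjectCastDemo {

    /*
     * Hypothetical stand-in for the 'nodes' handling in NamedNodeMapImpl.
     * It is NOT the Xerces class; only the readObject pattern quoted in the
     * thread is reproduced. STRICT is static, so it is never part of the
     * serialized state: false = Xerces variant, true = OpenJDK variant.
     */
    static class NodeMap implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean STRICT = false;

        protected List<Object> nodes;

        NodeMap(List<Object> nodes) { this.nodes = nodes; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (nodes != null) {
                if (STRICT) {
                    // OpenJDK variant: whatever List implementation the stream
                    // carried must be a Vector, otherwise ClassCastException
                    nodes = new ArrayList<Object>((Vector<Object>) nodes);
                } else {
                    // Xerces variant: any List implementation is accepted
                    nodes = new ArrayList<Object>(nodes);
                }
            }
        }
    }

    /*
     * Constructed input: the bytes an attacker would hand to the application.
     * A legitimate writer stores a Vector in 'nodes'; since the attacker
     * controls the bytes, we emulate a crafted stream by serializing an
     * instance whose field holds whichever List class the caller passes.
     */
    static byte[] craftStream(List<Object> payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new NodeMap(payload));
        }
        return bos.toByteArray();
    }

    /* Deserialize with one of the two readObject variants and report the outcome. */
    static String readWith(byte[] stream, boolean strict)
            throws IOException, ClassNotFoundException {
        NodeMap.STRICT = strict;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            NodeMap m = (NodeMap) in.readObject();
            return "accepted, nodes is " + m.nodes.getClass().getName();
        } catch (ClassCastException e) {
            // ObjectInputStream rethrows RuntimeExceptions from readObject unchanged
            return "rejected with " + e.getClass().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Crafted stream: 'nodes' is an ArrayList, not a Vector
        byte[] crafted = craftStream(new ArrayList<Object>(Arrays.asList("a", "b")));
        System.out.println("Xerces  readObject, ArrayList stream: " + readWith(crafted, false));
        System.out.println("OpenJDK readObject, ArrayList stream: " + readWith(crafted, true));

        // Legitimate stream: 'nodes' is a Vector, which both variants accept
        byte[] legit = craftStream(new Vector<Object>(Arrays.asList("a", "b")));
        System.out.println("OpenJDK readObject, Vector stream:    " + readWith(legit, true));
    }
}
```

Compile and run with `javac ReadObjectCastDemo.java && java ReadObjectCastDemo`. The first line reports the ArrayList stream as accepted, the second as rejected with java.lang.ClassCastException, and the third shows that a Vector-carrying stream passes the strict variant too; the example says nothing about whether a Vector in the stream is itself bounded, which is exactly the question Gary raises.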
