On 28/10/2021 20:14, Rick Hillegas wrote:
As a canary in the mineshaft, I built and tested Apache Derby with the recent build 18-ea+20-1248 of Open JDK 18. I tripped across the following issue when running Derby's regression tests. The problem is explained in more detail at https://issues.apache.org/jira/browse/DERBY-7126, where a simple repro (DERBY_7126_A) can be found. The problem is almost surely the result of work done on https://bugs.openjdk.java.net/browse/JDK-8269039 (Disable SHA-1 Signed JARs).

Under previous versions of the JDK, the JVM would raise an error if you tried to load a class from a jar file which had been signed with SHA-1 but later hacked by inserting malware via "jar -uf". This was the error:

  SHA1 digest error for $corruptedJarFileName

However, under JDK 18 the hacked class loads, no error is raised, and the malware can now be executed. I was surprised that a previously prevented exploit now works. I think it would be better if the JVM still refused to load the hacked class even though SHA-1 has been deprecated.

As I understand it, if the JAR file was signed with SHA-1 then it is now treated as unsigned. Are you saying that unsigned JARs are trusted in the environment?

-Alan

Reply via email to