Community
Participate
Working Groups
OpenSSL natives are public in jdk8 builds of OpenJ9 0.11 release.
The OpenSSL natives take parameters that are used to read and write to native memory. There is no restriction on using the public class jdk.crypto.jniprovider.NativeCrypto, the natives are static public.
Wayne, can we please get a CVE created for this. It affects builds of OpenJ9 0.11, although the vulnerability is not in the OpenJ9 code itself, but in the IBM OpenJDK extensions code, which is required in builds of OpenJ9. Should IBM be creating the CVE? The following and likely more apply. http://cwe.mitre.org/data/definitions/590.html http://cwe.mitre.org/data/definitions/761.html http://cwe.mitre.org/data/definitions/822.html
(Note the problem doesn't affect IBM Java builds, just OpenJ9 builds).
(In reply to Peter Shipton from comment #2) > Wayne, can we please get a CVE created for this. CVE-2018-12548 https://www.eclipse.org/projects/handbook/#vulnerability-cve
project: OpenJ9 version: 0.11.0 cwe: CWE-822: Untrusted Pointer Dereference summary: In Eclipse OpenJ9 version 0.110, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code.
project: OpenJ9 version: 0.11.0 cwe: CWE-822: Untrusted Pointer Dereference summary: In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code.
A pull request sent to the central authority: https://github.com/CVEProject/cvelist/pull/1549