Bug 543792 (CVE-2018-12548) - OpenJ9 OpenSSL natives are public
Summary: OpenJ9 OpenSSL natives are public
Status: RESOLVED FIXED
Alias: CVE-2018-12548
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
QA Contact:
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-01-24 11:03 EST by Peter Shipton CLA
Modified: 2019-02-01 12:11 EST
Description Peter Shipton CLA 2019-01-24 11:03:53 EST
OpenSSL natives are public in jdk8 builds of OpenJ9 0.11 release.
Comment 1 Peter Shipton CLA 2019-01-24 11:07:33 EST
The OpenSSL natives take parameters that are used to read and write to native memory. There is no restriction on using the public class jdk.crypto.jniprovider.NativeCrypto; the natives are static public.
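An added example, not part of the original report and not OpenJ9 or IBM code: a reflection-based audit that flags the pattern described above, public native methods on a public class that take a `long` argument which may carry a raw address. `DemoNatives` and its method names are constructed for illustration and are not the real NativeCrypto signatures; treating any `long` parameter as a possible pointer is a heuristic assumption.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class NativeExposureAudit {

    // Constructed sample, not the real NativeCrypto API: one exposed native
    // taking a raw address, and one kept private behind a checked wrapper.
    public static class DemoNatives {
        public static native int exposedUpdate(long ctxAddress, byte[] in, int len);
        private static native int hiddenUpdate(long ctxAddress, byte[] in, int len);

        public static int update(byte[] in) {
            // A real wrapper would validate arguments and supply its own context handle.
            throw new UnsupportedOperationException("demo only");
        }
    }

    /** Returns public native methods of a public class that take a long (possible raw pointer). */
    static List<String> findExposedPointerNatives(Class<?> cls) {
        List<String> findings = new ArrayList<>();
        if (!Modifier.isPublic(cls.getModifiers())) {
            return findings; // non-public class: not callable by name from other packages
        }
        for (Method m : cls.getDeclaredMethods()) {
            int mod = m.getModifiers();
            if (!Modifier.isNative(mod) || !Modifier.isPublic(mod)) continue;
            for (Class<?> p : m.getParameterTypes()) {
                if (p == long.class) { findings.add(m.toString()); break; }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Pass fully qualified class names to audit; defaults to the constructed sample.
        String[] targets = args.length > 0 ? args : new String[] { DemoNatives.class.getName() };
        for (String name : targets) {
            // initialize=false: inspect declarations without running static initializers.
            Class<?> cls = Class.forName(name, false, NativeExposureAudit.class.getClassLoader());
            for (String f : findExposedPointerNatives(cls)) {
                System.out.println("EXPOSED: " + f);
            }
        }
    }
}
```

Run against the sample, it reports only `exposedUpdate`; the private native behind the wrapper is not flagged.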
Comment 2 Peter Shipton CLA 2019-01-24 11:21:41 EST
Wayne, can we please get a CVE created for this.

It affects builds of OpenJ9 0.11, although the vulnerability is not in the OpenJ9 code itself, but in the IBM OpenJDK extensions code, which is required in builds of OpenJ9. Should IBM be creating the CVE?

The following and likely more apply.
http://cwe.mitre.org/data/definitions/590.html
http://cwe.mitre.org/data/definitions/761.html
http://cwe.mitre.org/data/definitions/822.html
Comment 3 Peter Shipton CLA 2019-01-24 13:21:00 EST
(Note the problem doesn't affect IBM Java builds, just OpenJ9 builds).
Comment 4 Wayne Beaton CLA 2019-01-31 12:07:17 EST
(In reply to Peter Shipton from comment #2)
> Wayne, can we please get a CVE created for this.

CVE-2018-12548

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 5 Peter Shipton CLA 2019-01-31 13:10:39 EST
project: OpenJ9

version: 0.11.0

cwe: CWE-822: Untrusted Pointer Dereference

summary: In Eclipse OpenJ9 version 0.110, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code.
Comment 6 Peter Shipton CLA 2019-01-31 13:12:05 EST
project: OpenJ9

version: 0.11.0

cwe: CWE-822: Untrusted Pointer Dereference

summary: In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code.
Comment 7 Wayne Beaton CLA 2019-01-31 13:40:19 EST
A pull request sent to the central authority:

https://github.com/CVEProject/cvelist/pull/1549