Bug 571856 - Use of ConstantPool may not initialize class
Summary: Use of ConstantPool may not initialize class
Status: RESOLVED FIXED
Alias: None
Product: openj9
Classification: Technology
Component: General (show other bugs)
Version: unspecified   Edit
Hardware: All All
: P3 normal
Target Milestone: ---   Edit
Assignee: Project Inbox CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-03-10 18:53 EST by Peter Shipton CLA
Modified: 2021-04-21 08:54 EDT (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Shipton CLA 2021-03-10 18:53:44 EST 

    


    


      



        
          Comment 1
        

        
          Peter Shipton CLA

        

        
        

        
          2021-03-10 19:05:08 EST
        

      






project: Eclipse OpenJ9

version: up to 0.25 (inclusive)

cwe: CWE-665: Improper Initialization

summary: In Eclipse Openj9 up to version 0.25, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. This allows a user to call static methods or access static members without running the class initialization method, and may allow a user to observe uninitialized values.

    


    


      



        
          Comment 2
        

        
          Peter Shipton CLA

        

        
        

        
          2021-04-21 08:54:25 EDT
        

      






Replaced by https://gitlab.eclipse.org/eclipsefdn/iplab/emo/-/issues/22