Hi,

Tuesday, Oracle released its Quarterly Critical Patch Update, which included some fixes for Java<http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA>. I saw that one of those fixes was for JAXP (CVE-2018-2799). Going to Red Hat's CVE database to get a real description<https://bugzilla.redhat.com/show_bug.cgi?id=1567542> of the issue it says "It was discovered that the implementation of the NamedNodeMapImpl class in the JAXP component of OpenJDK did not limit the amount of memory allocated when creating object instance from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized." It also includes the OpenJDK issue #. Looking for that change in the OpenJDK repository<http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/5279c6da822e> it shows a small change in readObject that is not found in the current Apache Xerces code.

Current Xerces code<https://github.com/apache/xerces2-j/blob/trunk/src/org/apache/xerces/dom/NamedNodeMapImpl.java#L604>:

    private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (nodes != null) {
            nodes = new ArrayList(nodes);
        }
    }

Current OpenJDK code<http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/file/5279c6da822e/src/com/sun/org/apache/xerces/internal/dom/NamedNodeMapImpl.java#l606>:

    private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (nodes != null) {
            // cast to Vector is required
            nodes = new ArrayList((Vector)nodes);
        }
    }

Should this modification be made to Xerces? Do people agree that it's a vulnerability?

Thanks,
David
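Added example, not David's code and not the Xerces or OpenJDK source: a hypothetical stand-in class (NodeMapDemo) that shows what the cast in readObject changes in practice. A stream whose nodes field holds a java.util.Vector round-trips and is copied into a fresh ArrayList, while a stream carrying any other List implementation is rejected with a ClassCastException instead of being accepted. It assumes the serial form carries the field as a Vector; the writeAsVector switch is test scaffolding constructed for this demo so the second case can be produced without hand-building a stream.

```java
import java.io.*;
import java.util.*;

// Hypothetical stand-in for NamedNodeMapImpl, not the Xerces or OpenJDK class:
// the field is typed List, and readObject uses the OpenJDK-style Vector cast.
public class NodeMapDemo implements Serializable {
    // Test-only switch (constructed for this demo): when false, writeObject
    // emits whatever List the field holds, simulating a stream without a Vector.
    static boolean writeAsVector = true;
    protected List nodes;

    NodeMapDemo(List nodes) { this.nodes = nodes; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        List saved = nodes;
        try {
            if (writeAsVector && nodes != null) {
                nodes = new Vector(nodes); // assumption: serial form carries a Vector
            }
            out.defaultWriteObject();
        } finally {
            nodes = saved;
        }
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (nodes != null) {
            // Only a java.util.Vector from the stream is accepted here; any other
            // List implementation fails the cast with a ClassCastException.
            nodes = new ArrayList((Vector) nodes);
        }
    }

    // Serialize and deserialize through an in-memory buffer.
    static NodeMapDemo roundTrip(NodeMapDemo m) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(m); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (NodeMapDemo) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        NodeMapDemo m = new NodeMapDemo(new ArrayList(Arrays.asList("a", "b")));
        System.out.println("Vector in stream, copied into ArrayList: " + roundTrip(m).nodes);
        writeAsVector = false; // now the stream carries an ArrayList in the nodes field
        try { roundTrip(m); }
        catch (ClassCastException e) { System.out.println("non-Vector List rejected: " + e); }
    }
}
```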