Hi David,
   The "private void readObject(...)" method you've cited is not called
from anywhere, i.e. it's an unused method/redundant code.

Please correct me if I'm wrong.

On Thu, Apr 19, 2018 at 11:46 PM, David Dillard <david.dill...@veritas.com>
wrote:

> Hi,
>
> Tuesday, Oracle released its Quarterly Critical Patch Update, which
> included some fixes for Java
> <http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA>.
> I saw that one of those fixes was for JAXP (CVE-2018-2799).  Going to Red
> Hat’s CVE database to get a real description
> <https://bugzilla.redhat.com/show_bug.cgi?id=1567542> of the issue it
> says “It was discovered that the implementation of the NamedNodeMapImpl
> class in the JAXP component of OpenJDK did not limit the amount of memory
> allocated when creating object instance from a serialized form.  A
> specially-crafted input could cause a Java application to use an excessive
> amount of memory when deserialized.”  It also includes the OpenJDK issue
> #.  Looking for that change in the OpenJDK repository
> <http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/5279c6da822e> it shows a
> small change in readObject that is not found in the current Apache Xerces
> code.
>
> Current Xerces code
> <https://github.com/apache/xerces2-j/blob/trunk/src/org/apache/xerces/dom/NamedNodeMapImpl.java#L604>
> :
>
>     private void readObject(ObjectInputStream in)
>         throws IOException, ClassNotFoundException {
>         in.defaultReadObject();
>         if (nodes != null) {
>             nodes = new ArrayList(nodes);
>         }
>     }
>
> Current OpenJDK code
> <http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/file/5279c6da822e/src/com/sun/org/apache/xerces/internal/dom/NamedNodeMapImpl.java#l606>
> :
>
>     private void readObject(ObjectInputStream in)
>         throws IOException, ClassNotFoundException {
>         in.defaultReadObject();
>         if (nodes != null) {
>             // cast to Vector is required
>             nodes = new ArrayList((Vector)nodes);
>         }
>     }
>
> Should this modification be made to Xerces?  Do people agree that it’s a
> vulnerability?
>
-- 
Regards,
Mukul Gandhi
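The hardening discussed in the quoted mail, as an added example that is neither Xerces nor OpenJDK code: a small Serializable holder that mirrors NamedNodeMapImpl's write-a-Vector, read-into-an-ArrayList pattern, whose readObject checks the runtime type of the deserialized field explicitly and fails with InvalidObjectException rather than relying on the ClassCastException the (Vector) cast would raise. StrictListHolder, TamperingOutput and roundTrip are names invented here; the tampering writer merely stands in for a stream that writeObject did not produce.

```java
import java.io.*;
import java.util.*;

// Added illustration, not Xerces or OpenJDK code. Mirrors NamedNodeMapImpl:
// "nodes" is declared as a List, writeObject always emits a Vector, and the
// hardened readObject rejects any other type rather than handing an
// attacker-chosen collection to the ArrayList copy constructor.
public class StrictListHolder implements Serializable {
    private static final long serialVersionUID = 1L;
    private List<Object> nodes;
    public StrictListHolder(List<Object> nodes) { this.nodes = nodes; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        List<Object> saved = nodes;
        try {
            if (nodes != null) nodes = new Vector<Object>(nodes);  // stream form is always a Vector
            out.defaultWriteObject();
        } finally { nodes = saved; }
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (nodes == null) return;
        // Only a Vector is ever written; anything else did not come from
        // writeObject above, so refuse the whole stream.
        if (!(nodes instanceof Vector)) {
            throw new InvalidObjectException("nodes must be a Vector, got " + nodes.getClass().getName());
        }
        nodes = new ArrayList<Object>((Vector<Object>) nodes);
    }

    // Test-only writer: swaps the Vector for a LinkedList while serializing,
    // yielding a stream that writeObject would never produce.
    static class TamperingOutput extends ObjectOutputStream {
        TamperingOutput(OutputStream o) throws IOException { super(o); enableReplaceObject(true); }
        @Override protected Object replaceObject(Object obj) {
            return (obj instanceof Vector) ? new LinkedList<Object>((Vector<?>) obj) : obj;
        }
    }

    static StrictListHolder roundTrip(StrictListHolder h, boolean tamper) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        ObjectOutputStream out = tamper ? new TamperingOutput(buf) : new ObjectOutputStream(buf);
        out.writeObject(h);
        out.close();
        return (StrictListHolder) new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray())).readObject();
    }

    public static void main(String[] args) throws Exception {
        StrictListHolder h = new StrictListHolder(new ArrayList<Object>(Arrays.asList("a", "b")));
        System.out.println("normal stream: " + roundTrip(h, false).nodes);
        try { roundTrip(h, true); }
        catch (InvalidObjectException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The tampered round trip is rejected before any copy is made, whereas the unhardened `new ArrayList(nodes)` would have accepted whatever List implementation arrived in the stream.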