Hello Alan,

I don’t think this is a Java vulnerability (but something Java application programmers have to deal with), that’s why I sent it to the mailing list (for lack of better channels).

Still there is a lesson to learn, we have two different Windows file name parsing behaviors in the OpenJDK. Microsoft (and the mass media) seems to be aware of the Windows problems.

Regards,
Bernd
--
http://bernd.eckenfels.net

________________________________
From: Alan Bateman <[email protected]>
Sent: Tuesday, January 19, 2021 9:26:02 AM
To: Bernd <[email protected]>; OpenJDK Dev list <[email protected]>; nio-dev <[email protected]>
Subject: Re: Java and the NTFS Path weakness

On 18/01/2021 21:29, Bernd wrote:
> Hello,
>
> bad news everyone. The second Windows filesystem related security bug reported by Jonas Lykkegaard which allows crashing Windows with an unprivileged read access also affects the JVM and it is not filtered by Path.of. Which means both new File(bad).exists() and Files.readAllLines(Path.of(bad)) will crash Windows immediately. I verified this on the latest Windows Server 2019 January Security Update.
>
> var bad = "\\\\.\\globalroot\\device\\condrv\\kernelconnect"

BSOD issues should be reported to Microsoft. If there is any suggestion of a JDK bug here then it should be reported to [email protected]. We (at least Oracle engineers) cannot engage in any discussion of vulnerability issues here.

-Alan
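
An added example, not part of the original thread and not OpenJDK code: one way an application could refuse Win32 device-namespace strings, such as the one quoted above, before they reach `new File(...)`, `Path.of(...)` or `Files`. The class and method names are hypothetical, and rejecting every `\\.\` and `\\?\` prefix is an assumed policy for untrusted input.

```java
import java.util.List;
import java.util.Locale;

public class DevicePathGuard {

    /**
     * Returns true if the string starts with a Win32 device prefix (\\.\)
     * or verbatim prefix (\\?\). Forward slashes are folded to backslashes
     * first because Win32 path parsing accepts both separators.
     * The check is purely textual, so it does not depend on how
     * java.io.File or java.nio.file.Path parse the string.
     */
    static boolean isDeviceNamespacePath(String raw) {
        String p = raw.replace('/', '\\').toLowerCase(Locale.ROOT);
        return p.startsWith("\\\\.\\") || p.startsWith("\\\\?\\");
    }

    /** Throws before the string can be handed to any file API. */
    static String requireOrdinaryPath(String raw) {
        if (raw == null || raw.indexOf('\0') >= 0 || isDeviceNamespacePath(raw)) {
            throw new IllegalArgumentException("rejected path input");
        }
        return raw;
    }

    public static void main(String[] args) {
        // Constructed sample inputs. They are only classified as strings;
        // nothing here opens, stats or resolves any of them.
        List<String> samples = List.of(
            "C:\\data\\report.txt",
            "reports/2021/jan.csv",
            "\\\\fileserver\\share\\doc.txt",                   // ordinary UNC path
            "\\\\.\\globalroot\\device\\condrv\\kernelconnect", // string from the post
            "//./COM1",                                         // same prefix, forward slashes
            "\\\\?\\C:\\data\\report.txt");                     // verbatim prefix
        for (String s : samples) {
            String verdict = isDeviceNamespacePath(s) ? "REJECT" : "allow";
            System.out.printf("%-55s %s%n", s, verdict);
        }
    }
}
```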
