Hello Alan, I don’t think this is a Java vulnerability (but something Java application programmers have to deal with), that’s why I sent it to the mailing list (for lack of better channels).
Still there is a lesson to learn, we have two different Windows file name parsing behaviors in the OpenJDK. Microsoft (and the mass media) seems to be aware of the Windows problems.

Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Alan Bateman <alan.bate...@oracle.com>
Sent: Tuesday, January 19, 2021 9:26:02 AM
To: Bernd <e...@zusammenkunft.net>; OpenJDK Dev list <security-dev@openjdk.java.net>; nio-dev <nio-...@openjdk.java.net>
Subject: Re: Java and the NTFS Path weakness

On 18/01/2021 21:29, Bernd wrote:
> Hello,
>
> bad news everyone. The second Windows Filesystem related security bug reported by Jonas Lykkegaard which allows crashing Windows with an unprivileged read access also affects JVM and it is not filtered by Path.of.
>
> Which means both new File(bad).exists() and Files.readAllLines(Path.of(bad)) will crash Windows immediately. I verified this on the latest Windows Server 2019 January Security Update.
>
> var bad = "\\\\.\\globalroot\\device\\condrv\\kernelconnect"

BSOD issues should be reported to Microsoft. If there is any suggestion of a JDK bug here then it should be reported to vuln-rep...@openjdk.java.net. We (at least Oracle engineers) cannot engage in any discussion of vulnerability issues here.

-Alan
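
Added example, not part of the thread and not OpenJDK code: since the thread notes that Path.of does not filter such strings and that application programmers have to deal with it, one application-side check is to reject Win32 device-namespace prefixes in untrusted input before any File or Files call. The class and method names are hypothetical, the sample inputs are constructed, and it assumes the application has no legitimate need for `\\.\` or `\\?\` paths.

```java
import java.util.List;

// Added example: reject Win32 device-namespace strings before any file API sees them.
public final class DevicePathFilter {

    // True for \\.\... and \\?\... prefixes, including the forward-slash
    // spellings Win32 also accepts. Pure string inspection: no File or
    // Files method is called on the input.
    static boolean isDeviceNamespacePath(String raw) {
        String p = raw.strip().replace('/', '\\');
        return p.startsWith("\\\\.\\") || p.startsWith("\\\\?\\")
                || p.equals("\\\\.") || p.equals("\\\\?");
    }

    // Gate for untrusted input (hypothetical helper name).
    static String requireOrdinaryPath(String raw) {
        if (raw == null || raw.isBlank()) {
            throw new IllegalArgumentException("empty path");
        }
        if (raw.indexOf('\0') >= 0 || isDeviceNamespacePath(raw)) {
            throw new IllegalArgumentException("path not allowed");
        }
        return raw;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of them is opened or probed.
        List<String> samples = List.of(
                "C:\\data\\report.txt",
                "\\\\server\\share\\file.txt",
                "\\\\.\\pipe\\example",
                "//./C:/data/report.txt",
                "\\\\?\\C:\\data\\report.txt");
        for (String s : samples) {
            System.out.printf("%-28s %s%n", s,
                    isDeviceNamespacePath(s) ? "REJECT" : "ok");
        }
    }
}
```

The gate has to run on the raw string before `new File(...).exists()` or any `Files` method, because the thread reports that even an existence check reaches the driver.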