Bug 779714 (CVE-2012-4420) - VUL-1: CVE-2012-4420: JVM: heap memory disclosure
Summary: VUL-1: CVE-2012-4420: JVM: heap memory disclosure
Status: RESOLVED FIXED
Alias: CVE-2012-4420
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-11 09:39 UTC by Sebastian Krahmer
Modified: 2020-01-13 13:22 UTC
3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Sebastian Krahmer 2012-09-11 09:39:47 UTC
Public, via OSS-sec:


Hello Kurt, Steve, vendors,

  an information disclosure flaw was found in the way certain
Java Virtual Machines (JVM) used to initialize integer arrays
(they have had nonzero elements right after the allocation in
certain circumstances). An attacker could use this flaw to
obtain potentially sensitive information.

References (including the reproducer, workaround and further details):
[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857
[2] https://bugzilla.redhat.com/show_bug.cgi?id=856124

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.:  Issue brought to us by Florian Weimer, Red Hat Product Security Team
       (in case someone is tracking the initial reporter)

P.S#2: Oracle Security Team Cc-ed on this request too (to clarify
       if CVE id has been assigned to this already or not).
Comment 1 Swamp Workflow Management 2012-09-11 22:00:15 UTC
bugbot adjusting priority
Comment 2 Sebastian Krahmer 2012-09-12 06:17:41 UTC
CVE-2012-4416 was assigned for
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857
Comment 3 Matthias Weckbecker 2012-09-13 12:17:05 UTC
(In reply to comment #2)
> CVE-2012-4416 was assigned for
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857

AFAIK, OpenJDK got a different identifier, it's CVE-2012-4420. Just to have
it documented clearly.
Comment 4 Marcus Meissner 2012-11-02 13:53:35 UTC
still in progress at Oracle.
Comment 5 Marcus Meissner 2013-01-22 14:00:35 UTC
was released now in other version upgrades