# Wednesday, 16 July 2014
Java Security Fixes

In February I reported two Java vulnerabilities to Oracle. Yesterday they released the update that fixed them, so here are the descriptions of the two issues.


Internally, the JDK uses the LambdaForm.Compiled annotation to mark methods that should be skipped in a security stack walk. In JDK 7 it was possible to apply this annotation to untrusted code. Here's an example:

import java.lang.annotation.*;

@interface java_lang_invoke_LambdaForm$Compiled { }

class test {
  public static void main(String[] args) throws Throwable {

If you compile and run this with JDK 1.7.0_60 with a security manager, you get the appropriate AccessControlException. However, if you edit test.class to replace java_lang_invoke_LambdaForm with java/lang/invoke/LambdaForm and run it again, you see that the main method is now skipped in the security check and hence is allowed to access a privileged class.

The fix can be seen here.
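For screening untrusted class files before they are loaded, the check below reads the constant pool and reports any string that names a type nested in java.lang.invoke.LambdaForm, which is what the edited test.class contains and the compiled one does not. This is an added example, not code from the original post or from the JDK; the function names and the sample bytes (a class-file header plus constant pool only) are constructed for illustration.

```python
import struct

# Payload sizes (bytes after the tag) of fixed-length constant-pool entries.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Descriptor prefix shared by the types nested in java.lang.invoke.LambdaForm.
INTERNAL_PREFIX = "Ljava/lang/invoke/LambdaForm$"

def utf8_constants(data):
    """Yield every CONSTANT_Utf8 string in a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)  # constant_pool_count
    pos, index = 10, 1                            # pool indices start at 1
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                              # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos)
            yield data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in CP_SIZES:
            pos += CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 2 if tag in (5, 6) else 1        # Long/Double occupy two slots

def internal_annotation_refs(data):
    """Return constant-pool strings that name a LambdaForm nested type."""
    return [s for s in utf8_constants(data) if INTERNAL_PREFIX in s]

def build_sample(strings):
    """Constructed input: header, one Long, then the given Utf8 entries."""
    pool = b"\x05" + struct.pack(">q", 42)
    pool += b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode()
                     for s in strings)
    count = len(strings) + 3                      # Long uses 2 slots, plus 1
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, count) + pool

# Constructed samples: the descriptor as javac emits it, and after the edit.
AS_COMPILED = build_sample(["test", "Ljava_lang_invoke_LambdaForm$Compiled;", "main"])
PATCHED = build_sample(["test", "Ljava/lang/invoke/LambdaForm$Compiled;", "main"])

if __name__ == "__main__":
    print(internal_annotation_refs(AS_COMPILED))
    print(internal_annotation_refs(PATCHED))
```

A hit is a reason to reject or quarantine the class: LambdaForm.Compiled is internal to the JDK, so application code has no legitimate reason to name it.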


This example demonstrates that the JDK 1.7.0_60 LambdaForm method handle implementation has a type safety bug when dealing with method signatures with the maximum number of parameters.

Wednesday, 16 July 2014 08:53:16 (W. Europe Daylight Time, UTC+02:00)
Wednesday, 16 July 2014 13:36:56 (W. Europe Daylight Time, UTC+02:00)
The Java file does not load. Maybe you need to set up a static file extension mapping in IIS.
Wednesday, 16 July 2014 14:23:42 (W. Europe Daylight Time, UTC+02:00)
Fixed. Thanks!
Jeroen Frijters