-------- Original Message --------
Subject: [oss-security] CVE Request (minor) -- JVM: heap memory disclosure (possibly
various JDKs)
Hello Kurt, Steve, vendors,
an information disclosure flaw was found in the way certain
Java Virtual Machines (JVM) used to initialize integer arrays
(they have had nonzero elements right after the allocation in
certain circumstances). An attacker could use this flaw to
obtain potentially sensitive information.
References (including the reproducer, workaround and further details):
[1]
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857
[2]
https://bugzilla.redhat.com/show_bug.cgi?id=856124
Could you allocate a CVE id for this?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
P.S.: Issue brought to us by Florian Weimer, Red Hat Product Security Team
(for case someone is tracking the initial reporter)
P.S#2: Oracle Security Team Cc-ed on this request too (to clarify
if CVE id has been assigned to this already or not).
--
Michael Pasternak
RedHat, ENG-Virtualization R&D