-------- Original Message -------- Subject: [oss-security] CVE Request (minor) -- JVM: heap memory disclosure (possibly various JDKs) Hello Kurt, Steve, vendors, an information disclosure flaw was found in the way certain Java Virtual Machines (JVM) used to initialize integer arrays (they have had nonzero elements right after the allocation in certain circumstances). An attacker could use this flaw to obtain potentially sensitive information. References (including the reproducer, workaround and further details): [1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857 [2] https://bugzilla.redhat.com/show_bug.cgi?id=856124 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team P.S.: Issue brought to us by Florian Weimer, Red Hat Product Security Team (for case someone is tracking the initial reporter) P.S#2: Oracle Security Team Cc-ed on this request too (to clarify if CVE id has been assigned to this already or not). -- Michael Pasternak RedHat, ENG-Virtualization R&D