Is ReDoS seen as bug/vulnerability?
Alan Bateman
Alan.Bateman at oracle.com
Fri Jan 27 13:03:45 UTC 2023
On 27/01/2023 11:50, David Schumann wrote:
> Hello,
>
> during a PenTest we found a ReDoS issue in the JRE which causes
> Matcher.matches() to go into an endless loop. Is such an issue
> considered a bug for the JDK team (aka should I file a bug report)? Or
> is such an issue considered "by design"?
>
> The issue appears in current JRE versions (tested with 17 and 21).
>
We can't discuss such matters here. If you think there is a security
issue then please report it to the OpenJDK vulnerability group [1].
-Alan.
[1] https://openjdk.org/groups/vulnerability/report