Java and the NTFS Path weakness
Alan Bateman
Alan.Bateman at oracle.com
Tue Jan 19 08:26:02 UTC 2021
On 18/01/2021 21:29, Bernd wrote:
> Hello,
>
> bad news everyone. The second Windows Filesystem related security bug
> reported by Jonas Lykkegaard which allows crashing Windows with an
> unprivileged read access also affects JVM and it is not filtered by
> Path.of. Which means both new File(bad).exists() and
> Files.readAllLines(Path.of(bad)) will crash Windows immediately.
>
> I verified this on the latest Windows Server 2019 January Security Update.
>
> var bad = "\\\\.\\globalroot\\device\\condrv\\kernelconnect"
>
BSOD issues should be reported to Microsoft. If there is any suggestion
of a JDK bug here then it should be reported to
vuln-report at openjdk.java.net. We (at least Oracle engineers) cannot
engage in any discussion of vulnerability issues here.
-Alan