Java and the NTFS Path weakness

Alan Bateman Alan.Bateman at oracle.com
Tue Jan 19 08:26:02 UTC 2021



On 18/01/2021 21:29, Bernd wrote:
> Hello,
>
> bad news everyone. The second Windows Filesystem related security bug 
> reported by Jonas Lykkegaard which allows crashing Windows with an 
> unprivileged read access also affects JVM and it is not filtered by 
> Path.of. Which means both new File(bad).exists() and 
> Files.readAllLines(Path.of(bad)) will crash Windows immediately.
>
> I verified this on the latest Windows Server 2019 January Security Update.
>
> var bad = "\\\\.\\globalroot\\device\\condrv\\kernelconnect"
>
BSOD issues should be reported to Microsoft. If there is any suggestion 
of a JDK bug here then it should be reported to 
vuln-report at openjdk.java.net. We (at least Oracle engineers) cannot 
engage in any discussion of vulnerability issues here.

-Alan
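
An added example, not part of either message and not JDK code: a conservative pre-check an application could apply to untrusted path strings before they reach `new File(...)` or `Path.of(...)`, since the report above says `Path.of` does not filter the `\\.\` form. The class and method names are hypothetical, and rejecting every `\\.\` and `\\?\` path is an assumed policy that also blocks legitimate extended-length paths.

```java
import java.util.List;
import java.util.Locale;

// Added example: pre-filter for untrusted path strings on Windows hosts.
public class DevicePathFilter {

    // Prefixes that leave the ordinary drive-letter / UNC-share namespace.
    // Compared after slash normalisation and lower-casing.
    private static final List<String> BLOCKED_PREFIXES = List.of(
            "\\\\.\\",   // \\.\  Win32 device namespace (the form in the report)
            "\\\\?\\");  // \\?\  Win32 file namespace, skips normal path parsing

    /** Returns true if the string should not be handed to File or Path APIs. */
    static boolean isDeviceNamespacePath(String raw) {
        if (raw == null) {
            return true; // treat missing input as rejected
        }
        // Win32 accepts '/' as a separator, so normalise before comparing.
        String p = raw.replace('/', '\\').toLowerCase(Locale.ROOT);
        for (String prefix : BLOCKED_PREFIXES) {
            if (p.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first is the string quoted in the report.
        String[] samples = {
            "\\\\.\\globalroot\\device\\condrv\\kernelconnect",
            "//./NUL",                              // forward-slash spelling of \\.\
            "\\\\?\\C:\\data\\report.txt",          // extended-length path, rejected by policy
            "C:\\data\\report.txt",                 // ordinary drive path
            "\\\\fileserver\\share\\report.txt",    // ordinary UNC share
        };
        for (String s : samples) {
            System.out.println((isDeviceNamespacePath(s) ? "REJECT " : "allow  ") + s);
        }
    }
}
```

The check is purely string-based, so it runs on any platform and never opens the path it is inspecting.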