previously prevented exploit now possible with JDK 18

Rick Hillegas rick.hillegas at gmail.com
Thu Oct 28 19:14:41 UTC 2021


As a canary in the mineshaft, I built and tested Apache Derby with the 
recent build 18-ea+20-1248 of OpenJDK 18. I tripped across the 
following issue when running Derby's regression tests. The problem is 
explained in more detail at 
https://issues.apache.org/jira/browse/DERBY-7126, where a simple repro 
(DERBY_7126_A) can be found. The problem is almost surely the result of 
work done on https://bugs.openjdk.java.net/browse/JDK-8269039 (Disable 
SHA-1 Signed JARs).

Under previous versions of the JDK, the JVM would raise an error if you 
tried to load a class from a jar file which had been signed with SHA-1 
but later hacked by inserting malware via "jar -uf". This was the error:

   SHA1 digest error for $corruptedJarFileName

However, under JDK 18 the hacked class loads, no error is raised, and 
the malware can now be executed. I was surprised that a previously 
prevented exploit now works. I think it would be better if the JVM still 
refused to load the hacked class even though SHA-1 has been deprecated.

Thanks,
-Rick
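
An added example, not part of the original message or of Derby's code: one way an application can refuse such a jar itself, by requiring that the running JDK reports signers for every entry before any class is loaded from it. It assumes the JDK reports no signers for entries of a jar whose signature algorithm it has disabled; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class RequireSignedJar {
    // The manifest and the signature files are not covered by the signature itself.
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Returns the names of entries the running JDK does not treat as signed.
    static List<String> unsignedEntries(String jarPath) throws IOException {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify while reading
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;
                // Signers are only known once the entry has been read to the end; a digest
                // mismatch under a signature the JDK accepts throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) unsigned.add(entry.getName());
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        try {
            List<String> unsigned = unsignedEntries(args[0]);
            if (unsigned.isEmpty()) { System.out.println("all entries signed"); return; }
            System.err.println("refusing " + args[0] + ", unsigned entries: " + unsigned);
        } catch (SecurityException e) {
            System.err.println("refusing " + args[0] + ": " + e.getMessage());
        }
        System.exit(1);
    }
}
```

The check only establishes that every entry has a signer the JDK accepts; comparing the signer's certificate against the expected one is a separate step.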



