Java and Speculative Execution Vulnerabilities
andrew.gross at oracle.com
Thu Jul 25 23:55:13 UTC 2019
The position of the OpenJDK Vulnerability Group is that speculative
execution vulnerabilities (e.g., Meltdown, Spectre, and RowHammer)
cannot be addressed in the JDK. These hardware design flaws make
complete intra-process isolation impossible.

We have researched this class of vulnerabilities and the applicable use
cases. The relevant use cases attempt to maintain in-process data
confidentiality when running untrusted code under a security manager.
Such use cases are increasingly rare and we strongly discourage them.

We have also considered countermeasures, including that of implementing
techniques in the HotSpot JVM similar to those now offered by some C
compilers. Such techniques can only mitigate, rather than prevent, this
class of vulnerabilities, and at a significant cost in performance.

On behalf of the OpenJDK Vulnerability Group
More information about the vuln-announce