Java and Speculative Execution Vulnerabilities
Andrew Gross
andrew.gross at oracle.com
Thu Jul 25 23:55:13 UTC 2019
The position of the OpenJDK Vulnerability Group is that speculative
execution vulnerabilities (e.g., Meltdown, Spectre, and RowHammer)
cannot be addressed in the JDK. These hardware design flaws make
complete intra-process isolation impossible.

We have researched this class of vulnerabilities and the applicable use
cases. The relevant use cases attempt to maintain in-process data
confidentiality when running untrusted code under a security manager.
Such use cases are increasingly rare and we strongly discourage them.

We have also considered countermeasures, including that of implementing
techniques in the HotSpot JVM similar to those now offered by some C
compilers. Such techniques can only mitigate, rather than prevent, this
class of vulnerabilities, and at a significant cost in performance.

Andrew Gross
On behalf of the OpenJDK Vulnerability Group