Uploaded image for project: 'OpenJPA'
  1. OpenJPA
  2. OPENJPA-2672

ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.3, 2.4.1
    • Fix Version/s: 2.2.3, 2.4.2, 3.0.0
    • Component/s: lib
    • Labels:
      None

      Description

      The following block in the loadGlobals() method:

      // let system properties override other globals
      try {
      fromProperties(new HashMap(
      AccessController.doPrivileged(
      J2DoPrivHelper.getPropertiesAction())));

      retrieves a Properties object from System.getProperties(), which is passed to HashMap's ctor. The ctor interacts with an enumerator associated with the Properties object to populate the new HashMap instance. However, if another thread mutates the JVM's System Properties, it can result in a ConcurrentModificationException as observed below:

      Caused by: java.util.ConcurrentModificationException
      at java.util.Hashtable$Enumerator.next(Hashtable.java:1256)
      at java.util.HashMap.putAllForCreate(HashMap.java:566)
      at java.util.HashMap.<init>(HashMap.java:310)
      at org.apache.openjpa.lib.conf.ConfigurationImpl.loadGlobals(ConfigurationImpl.java:189)

        Attachments

          Activity

            People

            • Assignee:
              fyrewyld Jody Grassel
              Reporter:
              fyrewyld Jody Grassel
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: