
ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.3, 2.4.1
    • Fix Version/s: 2.2.3, 2.4.2, 3.0.0
    • Component/s: lib
    • Labels:
      None

      Description

      The following block in the loadGlobals() method:

      // let system properties override other globals
      try {
          fromProperties(new HashMap(
              AccessController.doPrivileged(
                  J2DoPrivHelper.getPropertiesAction())));

      retrieves a Properties object from System.getProperties(), which is passed to HashMap's ctor. The ctor interacts with an enumerator associated with the Properties object to populate the new HashMap instance. However, if another thread mutates the JVM's System Properties, it can result in a ConcurrentModificationException as observed below:

      Caused by: java.util.ConcurrentModificationException
      at java.util.Hashtable$Enumerator.next(Hashtable.java:1256)
      at java.util.HashMap.putAllForCreate(HashMap.java:566)
      at java.util.HashMap.<init>(HashMap.java:310)
      at org.apache.openjpa.lib.conf.ConfigurationImpl.loadGlobals(ConfigurationImpl.java:189)
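
      The race described above, next to one way to avoid it, as an added example that is not taken from this issue or from the OpenJPA commits: the class, its method names and the locally constructed Properties object standing in for System.getProperties() are all hypothetical. Whether the live copy actually throws depends on the JDK version and on thread timing.

```java
import java.util.ConcurrentModificationException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

public class PropertiesSnapshotDemo {
    // Pattern from the report: HashMap's constructor iterates the live, shared table.
    static Map<Object, Object> unsafeCopy(Properties live) {
        return new HashMap<>(live);
    }

    // Hypothetical alternative: clone() is a synchronized method, so the copy is taken under
    // the Properties object's own lock; HashMap then iterates a copy no other thread can reach.
    static Map<Object, Object> snapshotCopy(Properties live) {
        return new HashMap<>((Properties) live.clone());
    }

    interface Copier { Map<Object, Object> copy(Properties p); }

    // Copies `rounds` times while a second thread keeps adding and removing keys;
    // returns how many copies failed with ConcurrentModificationException.
    static int countFailures(Copier copier, int rounds) throws InterruptedException {
        Properties live = new Properties(); // constructed stand-in for System.getProperties()
        for (int i = 0; i < 500; i++) live.setProperty("seed." + i, "v");
        Thread writer = new Thread(() -> {
            for (int i = 0; !Thread.currentThread().isInterrupted(); i++) {
                live.setProperty("k" + (i % 64), "v");  // structural change when the key is new
                live.remove("k" + ((i + 32) % 64));     // structural change when the key exists
            }
        });
        writer.start();
        int failures = 0;
        try {
            for (int i = 0; i < rounds; i++) {
                try { copier.copy(live); }
                catch (ConcurrentModificationException e) { failures++; }
            }
        } finally {
            writer.interrupt();
            writer.join();
        }
        return failures;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("live copy failures: " + countFailures(PropertiesSnapshotDemo::unsafeCopy, 2000));
        System.out.println("snapshot failures:  " + countFailures(PropertiesSnapshotDemo::snapshotCopy, 2000));
    }
}
```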

        Activity

        jira-bot ASF subversion and git services added a comment -

        Commit 1764159 from Jody Grassel in branch 'openjpa/branches/2.2.x'
        [ https://svn.apache.org/r1764159 ]

        OPENJPA-2672: ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException vulnerability

        jira-bot ASF subversion and git services added a comment -

        Commit 1764177 from Jody Grassel in branch 'openjpa/branches/2.2.x'
        [ https://svn.apache.org/r1764177 ]

        OPENJPA-2672: ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException vulnerability

        ilgrosso Francesco Chicchiriccò added a comment -

        It seems to me that the same issue affects both 2.4.x and trunk, and that the changes above are relevant there as well: am I correct?

        jira-bot ASF subversion and git services added a comment -

        Commit 1764316 from Jody Grassel in branch 'openjpa/trunk'
        [ https://svn.apache.org/r1764316 ]

        OPENJPA-2672: ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException vulnerability

        jira-bot ASF subversion and git services added a comment -

        Commit 1764389 from Francesco Chicchiriccò in branch 'openjpa/branches/2.4.x'
        [ https://svn.apache.org/r1764389 ]

        OPENJPA-2672: ConfigurationImpl.loadGlobals() has java.util.ConcurrentModificationException vulnerability

        ilgrosso Francesco Chicchiriccò added a comment -

        Re-opening to add 2.4.x

        struberg Mark Struberg added a comment -

        Not quite sure if it really has to do with this change, but since then our build is broken on Linux.
        https://builds.apache.org/job/OpenJPA-2.4.x/8/
        It builds fine on OSX though. Will try to reproduce on my local Fedora workstation.

        struberg Mark Struberg added a comment -

        Seems to have nothing to do with that. It seems to be the old story with the multiple 'Entity1' tables which results in timing issues on fast computers. Will merge over the changes I did on trunk to fix this problem.

        ilgrosso Francesco Chicchiriccò added a comment -

        Bulk close for 2.4.2


          People

          • Assignee: fyrewyld Jody Grassel
          • Reporter: fyrewyld Jody Grassel
          • Votes: 0
          • Watchers: 4
