JDK-8028627 : Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 7u51,8
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-11-19
  • Updated: 2015-11-24
  • Resolved: 2014-05-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 JDK 8 JDK 9
6u111Fixed 7u60Fixed 8u20Fixed 9 b15Fixed
Description
There is an unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store class/codebase mappings. The call stack is:

JceSecurity.getCodeBase
JceSecurityManager.getCryptoPermission
Cipher.getConfiguredPermission
(various methods of Cipher) 

Comments
Not verified, no test provided.
26-12-2014

Copying from: http://mail.openjdk.java.net/pipermail/security-dev/2014-February/010197.html The problem described in that bug seems that it has been discovered by statically code analysis. However, it seems that we have this problem in production code. A thread dump shows that two threads are "looping": Java HotSpot(TM) Client VM (24.45-b08 mixed mode) "pool-2-thread-2" prio=6 tid=0x40537c00 nid=0xb80 runnable [0x4298e000] java.lang.Thread.State: RUNNABLE at java.util.WeakHashMap.get(WeakHashMap.java:471) at javax.crypto.JceSecurity.getCodeBase(JceSecurity.java:222) at javax.crypto.JceSecurityManager.getCryptoPermission(JceSecurityManager.java:107) at javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2503) at javax.crypto.Cipher.initCryptoPermission(Cipher.java:685) at javax.crypto.Cipher.chooseProvider(Cipher.java:848) - locked <0x16005f98> (a java.lang.Object) at javax.crypto.Cipher.init(Cipher.java:1213) at javax.crypto.Cipher.init(Cipher.java:1153) at org.hsqldb.persist.Crypto.<init>(Unknown Source) at org.hsqldb.persist.Logger.setVariables(Unknown Source) at org.hsqldb.persist.Logger.openPersistence(Unknown Source) at org.hsqldb.Database.reopen(Unknown Source) at org.hsqldb.Database.open(Unknown Source) - locked <0x15e51a60> (a org.hsqldb.Database) at org.hsqldb.DatabaseManager.getDatabase(Unknown Source) - locked <0x15e51a60> (a org.hsqldb.Database) at org.hsqldb.DatabaseManager.newSession(Unknown Source) at org.hsqldb.jdbc.JDBCConnection.<init>(Unknown Source) ... "pool-2-thread-1" prio=6 tid=0x40537400 nid=0x18f4 runnable [0x412fe000] java.lang.Thread.State: RUNNABLE at java.util.WeakHashMap.get(WeakHashMap.java:471) at javax.crypto.JceSecurity.getCodeBase(JceSecurity.java:222) at javax.crypto.JceSecurityManager.getCryptoPermission(JceSecurityManager.java:107) at javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2503) at javax.crypto.Cipher.initCryptoPermission(Cipher.java:685) at javax.crypto.Cipher.chooseProvider(Cipher.java:848) - locked <0x16006128> (a java.lang.Object) at javax.crypto.Cipher.init(Cipher.java:1213) at javax.crypto.Cipher.init(Cipher.java:1153) at org.hsqldb.persist.Crypto.<init>(Unknown Source) at org.hsqldb.persist.Logger.setVariables(Unknown Source) at org.hsqldb.persist.Logger.openPersistence(Unknown Source) at org.hsqldb.Database.reopen(Unknown Source) at org.hsqldb.Database.open(Unknown Source) - locked <0x15e5a718> (a org.hsqldb.Database) at org.hsqldb.DatabaseManager.getDatabase(Unknown Source) - locked <0x15e5a718> (a org.hsqldb.Database) at org.hsqldb.DatabaseManager.newSession(Unknown Source) at org.hsqldb.jdbc.JDBCConnection.<init>(Unknown Source) at org.hsqldb.jdbc.JDBCDriver.getConnection(Unknown Source) at org.hsqldb.jdbc.JDBCDriver.connect(Unknown Source) ... We have two database instances running parallel.
21-02-2014