APAR status
Closed as program error.
Error description
Error Message: N/A.
Stack Trace: Java callstack:
    at com/ibm/security/krb5/Credentials.acquireDefaultNativeCreds(Native Method)
    at com/ibm/security/krb5/Credentials.getDefaultNativeCreds(Bytecode PC:96)
    at com/ibm/security/krb5/Credentials.acquireDefaultCreds(Bytecode PC:82)
    at com/ibm/security/jgss/mech/krb5/Krb5Credential.getClientCreds(Bytecode PC:19)
    at com/ibm/security/jgss/mech/krb5/Krb5Credential.getCredentials(Bytecode PC:326)
    at com/ibm/security/jgss/mech/krb5/Krb5Credential.init(Bytecode PC:60)
    at com/ibm/security/jgss/mech/krb5/Krb5Credential.<init>(Bytecode PC:81)
    at com/ibm/security/jgss/mech/krb5/Krb5MechFactory.getCredentialElement(Bytecode PC:96)
    at com/ibm/security/jgss/GSSManagerImpl.createMechCredential(Bytecode PC:41)
    at com/ibm/security/jgss/mech/spnego/SPNEGOContext.createCredSpi(Bytecode PC:27)
    at com/ibm/security/jgss/mech/spnego/SPNEGOContext.createCredSpi(Bytecode PC:101)
    at com/ibm/security/jgss/mech/spnego/SPNEGOContext.createContext(Bytecode PC:383)
    at com/ibm/security/jgss/mech/spnego/SPNEGOContext.getPreferredMech(Bytecode PC:20)
    at com/ibm/security/jgss/mech/spnego/SPNEGOContext.createInitToken(Bytecode PC:61)
    at com/ibm/security/jgss/mech/spnego/SPNEGOContext.initSecContext(Bytecode PC:24)
    at com/ibm/security/jgss/GSSContextImpl.initSecContext(Bytecode PC:136)
    at com/ibm/security/jgss/GSSContextImpl.initSecContext(Bytecode PC:139)
Local fix
N/A
Problem summary
There is the possibility of a wide character swprintf() buffer overflow condition in NativeCreds.DLL in BuildKerberosTime() when processing the MS TGT msticket->StartTime returned from the second call to LsaCallAuthenticationPackage().
Problem conclusion
Modified the wide character calls to swprintf() to add a size limiter parameter, which prevents character buffer overflow conditions.

The files affected by this APAR are:
ibmjgssprovider.jar (build_20210201--36)
NativeCreds.dll 32/64 bit (20210201)

The associated Hursley RTC Problem Report is PR144716.
The associated Austin Git issue is Issue# 6 for IBMJGSS.
The associated Austin APAR issue is IJ29940.

JVMs affected include: Java 7.0.
The fix was delivered for Java 7.0 SR10 FP85 and Java 7.1 SR4 FP85.

This APAR will be fixed in the following Java Releases:
7 SR10 FP85 (7.0.10.85)
7 R1 SR4 FP85 (7.1.4.85)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
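
The size-limited swprintf() pattern described in the conclusion above, as an added example that is not IBM's NativeCreds.dll source. The struct tkt_time, the function build_kerberos_time and the assumption that the ticket time is formatted from 16-bit date fields are hypothetical; the sample values are constructed.

```c
#include <stdio.h>
#include <wchar.h>

/* Hypothetical stand-in for the broken-down ticket time; every field is
   a 16-bit value, so it can hold anything from 0 to 65535. */
struct tkt_time {
    unsigned short year, month, day, hour, minute, second;
};

#define KRB_TIME_CHARS 16  /* "YYYYMMDDHHMMSSZ" plus the terminating L'\0' */

/* Bounded formatting: returns 0 on success, -1 if a field is out of range
   or the result would not fit in `cap` wide characters. */
int build_kerberos_time(const struct tkt_time *t, wchar_t *out, size_t cap)
{
    if (t == NULL || out == NULL || cap == 0)
        return -1;
    out[0] = L'\0';

    /* %04d only sets a minimum width, so a year above 9999 widens the
       string; reject such values instead of relying on the bound alone. */
    if (t->year > 9999 || t->month < 1 || t->month > 12 ||
        t->day < 1 || t->day > 31 || t->hour > 23 ||
        t->minute > 59 || t->second > 60)
        return -1;

    /* The second argument is the size limiter: at most cap wide
       characters, terminator included, are written to out. */
    int n = swprintf(out, cap, L"%04d%02d%02d%02d%02d%02dZ",
                     t->year, t->month, t->day,
                     t->hour, t->minute, t->second);
    if (n < 0 || (size_t)n >= cap) {
        out[0] = L'\0';   /* never hand back a truncated timestamp */
        return -1;
    }
    return 0;
}

int main(void)
{
    wchar_t buf[KRB_TIME_CHARS];
    struct tkt_time ok  = {2021, 2, 1, 12, 30, 0};      /* constructed sample */
    struct tkt_time bad = {65535, 99, 99, 99, 99, 99};  /* constructed sample */
    printf("ok=%d\n", build_kerberos_time(&ok, buf, KRB_TIME_CHARS));
    printf("bad=%d\n", build_kerberos_time(&bad, buf, KRB_TIME_CHARS));
    return 0;
}
```

Checking the return value matters as much as passing the size: a truncated time string is treated here as a failure rather than passed on to the caller.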
Temporary fix
Comments
APAR Information
APAR number
IJ30648
Reported component name
SECURITY
Reported component ID
620700125
Reported release
260
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-02-01
Closed date
2021-02-12
Last modified date
2021-02-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
Document Information
Modified date:
14 February 2021