-
Sub-task
-
Resolution: Delivered
-
P4
-
15
-
Verified
The default of the flag ShowCodeDetailsInExceptionMessages was changed to 'true'. The helpful NullPointerException messages of [JEP 358](http://openjdk.java.net/jeps/358) are now printed by default. The messages contain snippets of the code where the NullPointerException was raised.
App deployers should double check the output of their web applications and similar usage scenarios.
The NullPointerException message could be included in application error messages or be displayed by other means in the app. This could give remote attackers valuable hints about a potential vulnerable state of the software components being used.
An example message is 'Cannot read field "c" because "a.b" is null'. The attacker knows that field b of a contains null which might be unintended and offer an opportunity for an attack. For more details of what the message can contain see the above mentioned [JEP 358](http://openjdk.java.net/jeps/358).
App deployers should double check the output of their web applications and similar usage scenarios.
The NullPointerException message could be included in application error messages or be displayed by other means in the app. This could give remote attackers valuable hints about a potential vulnerable state of the software components being used.
An example message is 'Cannot read field "c" because "a.b" is null'. The attacker knows that field b of a contains null which might be unintended and offer an opportunity for an attack. For more details of what the message can contain see the above mentioned [JEP 358](http://openjdk.java.net/jeps/358).
- relates to
-
JDK-8244639 Enable ShowCodeDetailsInExceptionMessages by default
-
- Closed
-