You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A memory analysis of a jmap memory dump revealed a significant number of java.lang.ref.Finalizer references. The referent is org.bouncycastle.crypto.fips.FipsPBKD$Parameters, created with call stack:
org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.generateKey(Unknown Source)
at org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.decryptData(Unknown Source)
at org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.engineLoad(Unknown Source)
at java.security.KeyStore.load(java.base@11.0.23/KeyStore.java:1479)
We believe this is related to the use of finalizers (finalize methods) in bc-fips code. Finalizers are problematic, in part due to their two-pass nature.
Two possible solutions, in increasing order of difficulty:
Simply remove all finalize methods.
Replace the finalize methods with an alternative strategy, such as try-with-resources.
Regarding solution 1), since the finalize methods are primarily overwriting arrays with zeros, the security risk of removing them should be minimal, as most modern operating systems already ensure that freed memory isn't visible to other processes.
Additionally, issue #1536 refers to java.lang.ref.Finalizer, but it’s unclear if it's the same problem since that issue does not include the path.
The versions of the Bouncy Castle JARs used:
JAR
Version
bc-fips
1.0.2.4
bctls-fips
1.0.18
The JRE is OpenJDK 11 on Red Hat Enterprise Linux 8.10.
The text was updated successfully, but these errors were encountered:
A memory analysis of a jmap memory dump revealed a significant number of
java.lang.ref.Finalizerreferences. The referent isorg.bouncycastle.crypto.fips.FipsPBKD$Parameters, created with call stack:We believe this is related to the use of finalizers (finalize methods) in bc-fips code. Finalizers are problematic, in part due to their two-pass nature.
Two possible solutions, in increasing order of difficulty:
Regarding solution 1), since the finalize methods are primarily overwriting arrays with zeros, the security risk of removing them should be minimal, as most modern operating systems already ensure that freed memory isn't visible to other processes.
Additionally, issue #1536 refers to
java.lang.ref.Finalizer, but it’s unclear if it's the same problem since that issue does not include the path.The versions of the Bouncy Castle JARs used:
The JRE is OpenJDK 11 on Red Hat Enterprise Linux 8.10.
The text was updated successfully, but these errors were encountered: