
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /><title>OpenJDK Vulnerability Group</title><link rel="shortcut icon" href="../../images/nanoduke.ico" /><link rel="stylesheet" type="text/css" href="../../page.css" /><script type="text/javascript" src="../../page.js"><noscript></noscript></script><script src="https://cdn.usefathom.com/script.js" data-site="KCYJJPZX" defer="yes"></script></head><body><div id="main"> <h1>OpenJDK Vulnerability Group</h1> <p>The Vulnerability Group is a secure, private forum in which trusted members of the OpenJDK Community receive reports of vulnerabilities in OpenJDK code bases, review them, collaborate on fixing them, and coordinate the release of such fixes. The Group also discusses other OpenJDK security-related issues, as needed.</p> <p>The current members of the Vulnerability Group are <a href="/census#vulnerability">listed in the census</a>.</p> <h2>Vulnerability reports and advisories</h2> <p>Please see the <a href="/groups/vulnerability/report">reporting instructions</a> for information about how to report a vulnerability.</p> <p>Current and previous <a href="advisories">vulnerability advisories</a> are available for reference. You can receive notifications of new advisories by subscribing to the <a href="https://mail.openjdk.org/mailman/listinfo/vuln-announce"><em>vuln-announce</em></a> mailing list.</p> <h2 id="Membership">Vulnerability Group membership</h2> <p>Membership in the Vulnerability Group is limited, due to the nature of its work. 
To become a Member of this Group, an OpenJDK Contributor must:</p> <ul> <li> <p>Have a valid <a href="https://www.oracle.com/technetwork/oca-405177.pdf">OCA</a> on file;</p> </li> <li> <p>Agree to the <a href="#Communication-policy">communication policy</a> (below) and the <a href="/legal/ojvg-ndla-2018-01-30.pdf">Non-Disclosure and License Agreement</a>;</p> </li> <li> <p>Have an established track record of handling security issues in a professional and trustworthy manner; and</p> </li> <li> <p>Be a recognized technical expert, or else a developer who holds an <a href="/groups/conformance/JckAccess/jck-access.html">OCTLA</a> or JCK license or works for a vendor organization that holds such a license.</p> </li> </ul> <p>New members may be voted in after the above criteria are validated by the Group Lead. Voting a new member into the Vulnerability Group requires a <a href="/bylaws#three-vote-consensus">Three-Vote Consensus</a> rather than the weaker <a href="/bylaws#lazy-consensus">Lazy Consensus</a> used for ordinary Groups.</p> <p>The Group Lead of the Vulnerability Group will initially and always be appointed by Oracle.</p> <p>Any decisions about the Group&#8217;s membership may, as usual, be appealed to the <a href="../gb/">Governing Board</a>.</p> <p>The special membership requirements of this Group were <a href="https://mail.openjdk.org/pipermail/announce/2018-March/000246.html"> approved by the Governing Board</a> in March 2018.</p> <h2 id="making-decisions">Making decisions</h2> <p>Decisions within the OpenJDK Vulnerability Group are made by <a href="https://tools.ietf.org/html/rfc7282">rough consensus</a>. If consensus cannot be reached on a particular issue then the Group Lead will make the decision. 
Any decision of the Group Lead may be appealed to the OpenJDK Lead.</p> <h2 id="communication-channels">Communication channels</h2> <p>The Vulnerability Group will shortly establish three mailing lists, each with a specific purpose:</p> <ul> <li> <p><em><a href="report">vuln-report@openjdk.org</a></em> &#8212; For reports of vulnerabilities in any OpenJDK code base. Anyone may post to this list. Messages sent to this list must be encrypted, and are automatically forwarded to <em>vuln-dev@openjdk.org</em>.</p> </li> <li> <p><em>vuln-dev@openjdk.org</em> &#8212; For review and analysis of incoming vulnerability reports, collaborative development of fixes, and coordination of public announcements. Open only to members of the Vulnerability Group. Messages sent to this list must be encrypted.</p> </li> <li> <p><a href="https://mail.openjdk.org/mailman/listinfo/vuln-announce"><em>vuln-announce@openjdk.org</em></a> &#8212; For announcements of the release of vulnerability fixes and related news. Anyone may subscribe, but only members of the Vulnerability Group may post. Publicly archived; signed, but not encrypted.</p> </li> </ul> <p>The Vulnerability Group will make use of the <a href="https://bugs.openjdk.org/">JDK bug system (JBS)</a> to store vulnerability reports and track the development of fixes. Only members of the Vulnerability Group will have access to such reports. 
Additional fields will be defined as needed for, <em>e.g.</em>, CVE numbers and CVSS scores.</p> <h2 id="Communication-policy">Communication policy</h2> <p>Members of the Vulnerability Group are expected to treat information about vulnerabilities as highly confidential until publicly disclosed.</p> <p>A Group Member who works for a vendor organization that ships products based upon an OpenJDK code base may share vulnerability information internally within that organization on a need-to-know basis, and may communicate such information back to the Group.</p> <p>It may occasionally be necessary for the Vulnerability Group to contact external security organizations (<em>e.g.</em>, CERT), or vice-versa, or to exchange information with the submitter of a vulnerability report, or to exchange information with the maintainers of implementations of the Java SE Platform that are not based upon an OpenJDK code base. In such situations the Group Lead handles the communication unless the Lead proposes, and there is rough consensus in support of, the delegation of a specific communication activity to another Group Member.</p> <p>Members of the Vulnerability Group speak only for themselves, or as representatives of their respective employers. No Vulnerability Group member, not even the Lead, is authorized to speak on behalf of the Group, of any other OpenJDK Group or Project, or of the OpenJDK Community as a whole. The only exception to this rule is that Vulnerability Group members may post announcements to the <em>vuln-announce</em> list in accordance with the decisions made within the Group.</p> <p>Violation of this policy, as judged by the Group Lead, is cause for immediate removal from the Group.</p> <h2 id="Information-flow">Information flow</h2> <p>There will be a bi-directional flow of information between the OpenJDK Vulnerability Group (hereinafter &#8220;OJVG&#8221;) and Oracle&#8217;s internal security teams. 
An Oracle engineer who is a member of the Vulnerability Group, though not necessarily the Group Lead, will facilitate this flow as follows:</p> <ul> <li> <p>If a vulnerability is reported to <em>vuln-report@openjdk.org</em>:</p> <ul> <li> <p>If it&#8217;s relevant to both an OpenJDK code base and to Oracle&#8217;s JDK products then the facilitator will communicate it to Oracle&#8217;s internal security teams and thereafter act as a two-way Oracle/OJVG proxy for the issue.</p> </li> <li> <p>If it&#8217;s relevant only to Oracle&#8217;s JDK products then the facilitator will communicate it to Oracle&#8217;s internal security teams and will notify the OJVG that it does not affect any OpenJDK code base.</p> </li> </ul> </li> <li> <p>If a vulnerability is reported via Oracle&#8217;s standard public channel (i.e., <a href="https://www.oracle.com/us/support/assurance/vulnerability-remediation/reporting-security-vulnerabilities/"> <em>secalert_us@oracle.com</em></a>), then:</p> <ul> <li> <p>If it&#8217;s relevant to an OpenJDK code base then the facilitator will communicate it to the private <em>vuln-dev</em> list for review and analysis, and thereafter act as a two-way Oracle/OJVG proxy for the issue.</p> </li> <li> <p>If it&#8217;s not relevant to any OpenJDK code base (<em>e.g.</em>, a Java Plug-In bug) then no action is taken with respect to the OJVG.</p> </li> </ul> </li> </ul> <p>The <a href="/legal/tou/">OpenJDK Web Site Terms of Use</a> will govern the content of incoming vulnerability reports and any subsequent discussion. 
Reports from submitters who insist on other terms will not be accepted.</p> <h2 id="Work-flow">Work flow</h2> <p>Once a vulnerability is reported, the members of the OJVG work together as follows:</p> <ol style="list-style-type: decimal"> <li> <p><em>Review and validate the vulnerability</em> &#8212; Check that the report is complete, test the proof-of-concept if one was provided, assign it a CVSS score if it does not already have one, request a CVE identifier if needed, and create a JBS issue. If the report was sent to the OpenJDK <em>vuln-report</em> list then send an acknowledgement to the report&#8217;s submitter.</p> </li> <li> <p><em>Develop a fix</em> &#8212; This can be done collaboratively amongst OJVG members. OJVG members can also share proposed fixes developed privately within their respective organizations, which may be further refined in OJVG discussions.</p> </li> <li> <p><em>Schedule a publication date</em> &#8212; Once a fix is settled upon, OJVG members will agree on a publication date. The date should allow vendor organizations who are represented in the OJVG adequate time to make updates to affected products available to their customers and end users. 
The publication date is confidential until the date itself.</p> </li> <li> <p><em>Publish the vulnerability and its fix</em> &#8212; On the publication date the fix will be integrated into the affected OpenJDK code bases and a high-level description of the vulnerability and its fix will be posted to the OpenJDK <em>vuln-announce</em> list.</p> </li> </ol> <div class="last-update">Last update: 2022/1/31 22:17 UTC</div> </div><div id="footer"> &#169; 2024 Oracle Corporation and/or its affiliates <br /><a href="/legal/tou/">Terms of Use</a> &#183; License: <a href="/legal/gplv2+ce.html">GPLv2</a> &#183; <a href="https://www.oracle.com/us/legal/privacy/">Privacy</a> &#183; <a href="https://openjdk.org/legal/openjdk-trademark-notice.html">Trademarks</a></div></body></html>
