<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-us">
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="generator" content="DITA-OT" /><meta name="DC.type" content="reference" />
<meta name="DC.title" content="New and Noteworthy" />
<meta name="abstract" content="Here are descriptions of some of the more interesting or significant changes made to Eclipse Memory Analyzer for the 1.14.0 release." />
<meta name="description" content="Here are descriptions of some of the more interesting or significant changes made to Eclipse Memory Analyzer for the 1.14.0 release." />
<meta name="copyright" content="Copyright (c) 2008, 2023 SAP AG, IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which accompanies this distribution, and is available at https://www.eclipse.org/legal/epl-2.0/ " type="primary" />
<meta name="DC.rights.owner" content="Copyright (c) 2008, 2023 SAP AG, IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which accompanies this distribution, and is available at https://www.eclipse.org/legal/epl-2.0/ " type="primary" />
<meta name="DC.format" content="XHTML" />
<meta name="DC.identifier" content="ref_noteworthy" />
<meta name="DC.language" content="en-us" />
<link rel="stylesheet" type="text/css" href="styles/commonltr.css" />
<title>New and Noteworthy</title>
</head>
<body id="ref_noteworthy">
<h1 class="title topictitle1" id="ariaid-title1">New and Noteworthy</h1>
<div class="body refbody"><p class="shortdesc">Here are descriptions of some of the more interesting or
significant changes made to <span class="keyword">Eclipse Memory Analyzer</span> for the 1.14.0 release.
</p>
<div class="section"><h2 class="title sectiontitle">Enhancements and fixes</h2>
<ul class="ul">
<li class="li">There is now a setting for tables, trees and lists to control the number of entries by which
a table or tree gets expanded.
<a class="xref" href="tasks/configure_mat.html#task_configure_mat__expand">Configuration option</a>
</li>
<li class="li">There is now a feature to allow a user to collect diagnostics
from Eclipse Memory Analyzer itself if there is a problem running the tool.
<a class="xref" href="reference/support.html">Acquire Diagnostics</a>
</li>
<li class="li">Other issues have been fixed. See the <a class="xref" href="https://bugs.eclipse.org/bugs/buglist.cgi?bug_status=RESOLVED&amp;bug_status=VERIFIED&amp;bug_status=CLOSED&amp;classification=Tools&amp;product=MAT&amp;resolution=FIXED&amp;target_milestone=1.14.0" target="_blank">Memory Analyzer 1.14.0 issue list</a>.
</li>
</ul>
</div>
<div class="section"><h2 class="title sectiontitle">Security fixes</h2>
Eclipse Memory Analyzer 1.14.0 includes the security fixes first shipped in Eclipse Memory Analyzer 1.9.2.
We recommend that users of stand-alone Eclipse Memory Analyzer version 1.13.0 or earlier, and
highly recommend that users of Eclipse Memory Analyzer version 1.9.1 or earlier, update to version 1.14.0 or a subsequent version.
<dl class="dl">
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2019-17634" target="_blank">CVE-2019-17634</a></dt>
<dd class="dd"><dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE CWE-79</dt>
<dd class="dd">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross-site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must choose to download and open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present when a report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system when the report is opened in Memory Analyzer.</dd>
</dl>
</dd>
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2019-17635" target="_blank">CVE-2019-17635</a></dt>
<dd class="dd"><dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE CWE-502</dt>
<dd class="dd">Deserialization of Untrusted Data</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must choose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Some local configuration data is also subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.</dd>
</dl>
</dd>
</dl>
The stand-alone Memory Analyzer 1.14.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
<dl class="dl">
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2022-2048" target="_blank">CVE-2022-2048</a></dt>
<dd class="dd">
<dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE</dt>
<dd class="dd">CWE-400: Uncontrolled Resource Consumption</dd>
<dd class="dd ddexpand">CWE-664: Improper Control of a Resource Through its Lifetime</dd>
<dd class="dd ddexpand">CWE-410: Insufficient Resource Pool</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request,
the error handling has a bug that can wind up not properly cleaning up the active connections
and associated resources. This can lead to a Denial of Service scenario where there are not enough
resources left to process good requests.</dd>
<dt class="dt dlterm">NOTES</dt>
<dd class="dd">Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of Jetty
subject to this CVE.
Note that in stand-alone Memory Analyzer the Jetty help webserver just serves HTTP/1.1, so it might not
be possible to exploit this vulnerability.
Also note that it only listens on localhost, so is not accessible outside the machine.</dd>
</dl>
</dd>
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2022-2191" target="_blank">CVE-2022-2191</a></dt>
<dd class="dd">
<dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE</dt>
<dd class="dd">CWE-404: Improper Resource Shutdown or Release</dd>
<dd class="dd ddexpand">CWE-664: Improper Control of a Resource Through its Lifetime</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection
does not release ByteBuffers from the configured ByteBufferPool on error code paths.</dd>
<dt class="dt dlterm">NOTES</dt>
<dd class="dd">Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of Jetty
subject to this CVE. Note that stand-alone Eclipse Memory Analyzer does not use
HTTPS (SSL) connections to the Memory Analyzer Jetty help server, so it might not
be possible to exploit this vulnerability.
Also note that it only listens on localhost, so it is not accessible outside the machine.</dd>
</dl>
</dd>
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2021-41033" target="_blank">CVE-2021-41033</a></dt>
<dd class="dd">
<dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE</dt>
<dd class="dd">CWE-300: Channel Accessible by Non-Endpoint</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021),
installation can be vulnerable to a man-in-the-middle attack if using p2 repositories that are served over HTTP;
that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code.
</dd>
<dt class="dt dlterm">NOTES</dt>
<dd class="dd">Eclipse Memory Analyzer uses Equinox p2 to access update sites.
If in Eclipse Memory Analyzer the URL of the p2 update site is specified in p2 configuration as
HTTP rather than HTTPS then there is the possibility
of interception or modification of traffic before the connection is upgraded to HTTPS.
Stand-alone Eclipse Memory Analyzer 1.13.0 and later uses a version of Eclipse Equinox which gives a
warning such as:
<p class="lines"><br />
<samp class="ph systemoutput"><br />
org.eclipse.equinox.p2.repository<br />
Warning<br />
Thu Aug 25 16:52:34 BST 2022<br />
Using unsafe http transport to retrieve http://download.eclipse.org/mat/latest/update-site/content.xml.xz, see CVE-2021-41033. Consider using https instead.<br />
</samp><br />
</p>
Consult the <a class="xref" href="reference/support.html">Error Log</a> to see these warnings.
Eclipse Memory Analyzer 1.14.0 is configured to specify the supplied update sites
using HTTPS rather than HTTP.
It is then up to the user to specify HTTPS rather than HTTP in any new update site definition.
</dd>
</dl>
</dd>
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2022-41704" target="_blank">CVE-2022-41704</a></dt>
<dd class="dd">
<dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE</dt>
<dd class="dd">CWE-918: Server-Side Request Forgery (SSRF)</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code
from an SVG. This issue affects Apache XML Graphics prior to 1.16.
It is recommended to update to version 1.16.
</dd>
<dt class="dt dlterm">NOTES</dt>
<dd class="dd">Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of
Batik of Apache XML Graphics subject to this CVE.
Eclipse Memory Analyzer does not directly use SVG.
Batik of Apache XML Graphics is a dependency of Eclipse E4 RCP and BIRT,
which are dependencies of Eclipse Memory Analyzer.
</dd>
</dl>
</dd>
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2022-42890" target="_blank">CVE-2022-42890</a></dt>
<dd class="dd">
<dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE</dt>
<dd class="dd">CWE-918: Server-Side Request Forgery (SSRF)</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">A vulnerability in Batik of Apache XML Graphics allows an attacker
to run Java code from untrusted SVG via JavaScript.
This issue affects Apache XML Graphics prior to 1.16.
Users are recommended to upgrade to version 1.16.
</dd>
<dt class="dt dlterm">NOTES</dt>
<dd class="dd">Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of
Batik of Apache XML Graphics subject to this CVE.
Eclipse Memory Analyzer does not directly use SVG.
Batik of Apache XML Graphics is a dependency of Eclipse E4 RCP and BIRT,
which are dependencies of Eclipse Memory Analyzer.
</dd>
</dl>
</dd>
</dl>
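As an added example (not part of Eclipse Memory Analyzer or Equinox), the following Python script flags p2 update sites still configured over plain HTTP, as discussed under CVE-2021-41033 above, using either a p2 repository preference file or Error Log lines carrying the "Using unsafe http transport" warning. The `.prefs` key layout `repositories/&lt;escaped-uri&gt;/uri=&lt;uri&gt;` and its Java properties escaping are assumptions about the p2 file format, and the file's location depends on the installation.

```python
"""Flag p2 update sites that use plain http (see CVE-2021-41033).

Added example; the p2 .prefs key layout 'repositories/<escaped-uri>/uri=<uri>'
is an assumption about the file format, not taken from the Eclipse sources.
"""
import re
from urllib.parse import urlsplit

# Warning text as it appears in the Memory Analyzer Error Log.
UNSAFE_HTTP_RE = re.compile(
    r"Using unsafe http transport to retrieve (?P<url>\S+), see CVE-2021-41033"
)
# Java properties line 'repositories/<escaped-uri>/uri=<value>' (assumed layout).
P2_URI_KEY_RE = re.compile(r"^repositories/[^/]+/uri=(?P<value>.*)$")


def unescape_java_properties(value: str) -> str:
    """Undo the backslash escaping Java Properties applies to ':', '=' and ' '."""
    return re.sub(r"\\(.)", r"\1", value)


def http_sites_from_prefs(prefs_text: str) -> list[str]:
    """Return update-site URIs in a p2 .prefs file whose scheme is plain http."""
    flagged = []
    for line in prefs_text.splitlines():
        m = P2_URI_KEY_RE.match(line.strip())
        if m:
            uri = unescape_java_properties(m.group("value"))
            if urlsplit(uri).scheme.lower() == "http":
                flagged.append(uri)
    return flagged


def http_sites_from_log(log_text: str) -> list[str]:
    """Return the URLs named in 'Using unsafe http transport' warnings."""
    return [m.group("url") for m in UNSAFE_HTTP_RE.finditer(log_text)]


def https_equivalent(uri: str) -> str:
    """Suggest the HTTPS form of an http:// update-site URI (scheme swap only)."""
    return urlsplit(uri)._replace(scheme="https").geturl()


# Constructed sample input: one http and one https repository entry.
SAMPLE_PREFS = """eclipse.preferences.version=1
repositories/http\\:__download.eclipse.org_mat_latest_update-site/uri=http\\://download.eclipse.org/mat/latest/update-site
repositories/https\\:__download.eclipse.org_releases_latest/uri=https\\://download.eclipse.org/releases/latest
"""
# Constructed sample log: the warning quoted on this page.
SAMPLE_LOG = """org.eclipse.equinox.p2.repository
Warning
Thu Aug 25 16:52:34 BST 2022
Using unsafe http transport to retrieve http://download.eclipse.org/mat/latest/update-site/content.xml.xz, see CVE-2021-41033. Consider using https instead.
"""

if __name__ == "__main__":
    for uri in http_sites_from_prefs(SAMPLE_PREFS) + http_sites_from_log(SAMPLE_LOG):
        print(f"plain-HTTP p2 site: {uri} -> use {https_equivalent(uri)}")
```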
The stand-alone Memory Analyzer 1.13.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
<dl class="dl">
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2021-34429" target="_blank">CVE-2021-34429</a></dt>
<dd class="dd">
<dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE CWE-863</dt>
<dd class="dd">Incorrect Authorization</dd>
<dt class="dt dlterm">PROBLEMTYPE CWE-200</dt>
<dd class="dd">Exposure of Sensitive Information to an Unauthorized Actor</dd>
<dt class="dt dlterm">PROBLEMTYPE CWE-551</dt>
<dd class="dd">Incorrect Behavior Order: Authorization Before Parsing and Canonicalization</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">Stand-alone Eclipse Memory Analyzer version 1.12.0 and earlier includes a copy of Jetty subject to CVE-2021-34429.
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 &amp; 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
Eclipse Memory Analyzer only uses Jetty as a web server to display help.
If Eclipse Memory Analyzer is installed into an existing Eclipse installation, it
uses the copy of Jetty in that installation.</dd>
</dl>
</dd>
</dl>
The stand-alone Memory Analyzer 1.12.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
<dl class="dl">
<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2020-27225" target="_blank">CVE-2020-27225</a></dt>
<dd class="dd"><dl class="dl">
<dt class="dt dlterm">PROBLEMTYPE</dt>
<dd class="dd">CWE-306: Missing Authentication for Critical Function</dd>
<dt class="dt dlterm">DESCRIPTION</dt>
<dd class="dd">In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests
to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated
Eclipse Platform process or Eclipse Rich Client Platform process.</dd>
</dl>
</dd>
</dl>
</div>
<div class="section"><h2 class="title sectiontitle">New and Noteworthy for Memory Analyzer 1.14.0</h2>
<p class="p">
The latest New and Noteworthy document for version 1.14.0 is available
<a class="xref" href="http://www.eclipse.org/mat/1.14.0/noteworthy.html">here</a>.
</p>
</div>
<div class="section"><h2 class="title sectiontitle">New and Noteworthy for Memory Analyzer 1.13.0</h2>
<p class="p">
The New and Noteworthy document for version 1.13.0 is available
<a class="xref" href="http://www.eclipse.org/mat/1.13.0/noteworthy.html">here</a>.
</p>
</div>
<div class="section"><h2 class="title sectiontitle">New and Noteworthy for Memory Analyzer 1.12.0</h2>
<p class="p">
The New and Noteworthy document for version 1.12.0 is available
<a class="xref" href="http://www.eclipse.org/mat/1.12.0/noteworthy.html">here</a>.
</p>
</div>
<div class="section"><h2 class="title sectiontitle">New and Noteworthy for Memory Analyzer 1.11.0</h2>
<p class="p">
The New and Noteworthy document for version 1.11.0 is available
<a class="xref" href="http://www.eclipse.org/mat/1.11.0/noteworthy.html">here</a>.
</p>
</div>
</div>
</body>
</html>