APAR status
Closed as program error.
Error description
Error Message: N/A
Stack Trace: N/A
Within the login method of IBMPKCS11Impl, a copy of the PKCS#11 User PIN (password) is retrieved from the PasswordCallback class and stored in password, which has the datatype char[]. A second copy of the password is then created in a new String object, which is passed to the login method of PKCS11Session. PKCS11Session.login accepts the password (PIN) as an Object and appears to support either a byte array or a String. Because a String is immutable, that copy of the PIN cannot be cleared by the caller and remains on the heap until it is garbage collected. A more secure solution is to convert the array of characters into an array of bytes without constructing a temporary Java object such as a String or ByteBuffer; that byte array can then be zeroed out in a finally clause.
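The two code paths described above, shown side by side as an added example that is not IBM's code and not taken from this APAR. The page does not show the signatures of IBMPKCS11Impl or PKCS11Session, so a hypothetical Session class stands in for PKCS11Session.login(Object); PasswordCallback is the real javax.security.auth.callback class, and the PIN value is a constructed sample. The fixed path encodes the char[] into a byte[] by hand (PKCS#11 PINs are UTF-8) so that no String, CharBuffer or ByteBuffer ever holds the secret, and wipes both arrays in finally.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.security.auth.callback.PasswordCallback;

/** Hypothetical stand-ins for the classes the APAR names; this is not IBM's code. */
public final class PinHandlingExample {
    /** Stand-in for PKCS11Session.login(Object): takes a byte[] or a String PIN. */
    static final class Session {
        byte[] pinSeen; // kept only so the example can show what survives after login
        void login(Object pin) {
            if (pin instanceof byte[]) {
                pinSeen = (byte[]) pin;          // same array the caller will zero
            } else if (pin instanceof String) {
                pinSeen = ((String) pin).getBytes(StandardCharsets.UTF_8);
                // the String is immutable: nothing can clear it before GC
            } else {
                throw new IllegalArgumentException("PIN must be byte[] or String");
            }
        }
    }

    /** BEFORE (the reported defect): the char[] PIN is copied into a String. */
    static void loginBefore(Session session, PasswordCallback cb) {
        char[] password = cb.getPassword();      // getPassword() hands back a copy
        try {
            session.login(new String(password)); // uncleared copy left on the heap
        } finally {
            Arrays.fill(password, '\0');         // only the char[] is wiped
            cb.clearPassword();
        }
    }

    /** AFTER (the fix): encode char[] -> byte[] by hand and zero both in finally. */
    static void loginAfter(Session session, PasswordCallback cb) {
        char[] password = cb.getPassword();
        byte[] pin = null;
        try {
            pin = utf8Encode(password);
            session.login(pin);
        } finally {
            if (pin != null) Arrays.fill(pin, (byte) 0);
            Arrays.fill(password, '\0');
            cb.clearPassword();
        }
    }

    /** UTF-8 (PKCS#11 PINs are CK_UTF8CHAR) written straight into a byte[]; no String,
     *  CharBuffer or ByteBuffer ever holds the secret. Lone surrogates become U+FFFD. */
    static byte[] utf8Encode(char[] chars) {
        int len = 0;
        for (int i = 0; i < chars.length; i++) {
            char c = chars[i];
            if (c < 0x80) len += 1;
            else if (c < 0x800) len += 2;
            else if (Character.isHighSurrogate(c) && i + 1 < chars.length
                     && Character.isLowSurrogate(chars[i + 1])) { len += 4; i++; }
            else len += 3;                       // other BMP char, or lone surrogate (U+FFFD)
        }
        byte[] out = new byte[len];
        int p = 0;
        for (int i = 0; i < chars.length; i++) {
            int cp = chars[i];
            if (Character.isHighSurrogate(chars[i]) && i + 1 < chars.length
                && Character.isLowSurrogate(chars[i + 1])) {
                cp = Character.toCodePoint(chars[i], chars[++i]);
            } else if (Character.isSurrogate(chars[i])) {
                cp = 0xFFFD;
            }
            if (cp < 0x80) {
                out[p++] = (byte) cp;
            } else if (cp < 0x800) {
                out[p++] = (byte) (0xC0 | (cp >> 6));
                out[p++] = (byte) (0x80 | (cp & 0x3F));
            } else if (cp < 0x10000) {
                out[p++] = (byte) (0xE0 | (cp >> 12));
                out[p++] = (byte) (0x80 | ((cp >> 6) & 0x3F));
                out[p++] = (byte) (0x80 | (cp & 0x3F));
            } else {
                out[p++] = (byte) (0xF0 | (cp >> 18));
                out[p++] = (byte) (0x80 | ((cp >> 12) & 0x3F));
                out[p++] = (byte) (0x80 | ((cp >> 6) & 0x3F));
                out[p++] = (byte) (0x80 | (cp & 0x3F));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        PasswordCallback cb = new PasswordCallback("PIN: ", false);
        Session s = new Session();
        cb.setPassword("1234".toCharArray()); // constructed sample PIN
        loginBefore(s, cb);
        System.out.println("before: PIN still readable: " + new String(s.pinSeen, StandardCharsets.UTF_8));
        cb.setPassword("1234".toCharArray());
        loginAfter(s, cb);
        System.out.println("after:  PIN bytes zeroed:   " + Arrays.toString(s.pinSeen));
    }
}
```

The point of the stand-in Session is that a byte[] is passed by reference, so the finally clause in loginAfter wipes the very bytes the session used, whereas the String built in loginBefore is a second, immutable copy the caller can never clear. Zeroing is only best effort in Java (the JIT or GC may have moved or copied the array), but it removes the long-lived copy that a heap dump or core file would otherwise expose.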
Local fix
Problem summary
IBMPKCS11Impl.login copies the PKCS#11 User PIN obtained from PasswordCallback (a char[]) into a new String object before passing it to PKCS11Session.login, which accepts the PIN as an Object (byte[] or String). The String copy is immutable and cannot be zeroed after use. The fix is to convert the char[] directly into a byte[] without constructing a temporary String or ByteBuffer and to zero that byte[] in a finally clause.
Problem conclusion
IBMPKCS11Impl.login no longer wraps the PKCS#11 User PIN in a String. The char[] obtained from PasswordCallback is converted directly into a byte[] (without constructing a temporary String or ByteBuffer), the byte[] is passed to PKCS11Session.login, and it is zeroed out in a finally clause.
This APAR will be fixed in the following Java releases:
8 SR1 FP10 (8.0.1.10)
7 R1 SR3 FP10 (7.1.3.10)
7 SR9 FP10 (7.0.9.10)
6 R1 SR8 FP5 (6.1.8.5)
6 SR16 FP5 (6.0.16.5)
5.0 SR16 FP11 (5.0.16.11)
Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IV73462
Reported component name
JAVA 5 SECURITY
Reported component ID
620500125
Reported release
500
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-05-20
Closed date
2015-05-20
Last modified date
2015-05-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA 5 SECURITY
Fixed component ID
620500125
Applicable component levels
R500 PSN
UP
Business Unit: IBM Software w/o TPS (BU059)
Product: Runtimes for Java Technology (SSNVBF)
Platform: Platform Independent (PF025)
Version: 5.0
Line of Business: IBM Automation (LOB36)
Document Information
Modified date:
07 December 2020