IBM Support

IV87773: JAVA.LANG.ARRAYINDEXOUTOFBOUNDSEXCEPTION WITH AES/GCM CIPHER

APAR status

  • Closed as program error.

Error description

  • Error Message: An ArrayIndexOutOfBoundsException occurs while
    using AES/GCM cipher suites for an SSL/TLS connection.  This
    failure can occur while using either the IBMJCEFIPS crypto
    provider, or the IBMJCE crypto provider.
    .
    Stack Trace: Stack trace seen while using the IBMJCEFIPS crypto
    provider:
    java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 4096
        at java.lang.System.arraycopy(Native Method)
        at com.ibm.crypto.fips.provider.AESGCMCrypt.a(Unknown Source)
        at com.ibm.crypto.fips.provider.AESGCMCipher.a(Unknown Source)
        at com.ibm.crypto.fips.provider.AESGCMCipher.engineDoFinal(Unknown Source)
        at javax.crypto.CipherSpi.a(Unknown Source)
        at javax.crypto.CipherSpi.engineDoFinal(Unknown Source)
        at javax.crypto.Cipher.doFinal(Unknown Source)
        at com.ibm.jsse2.m.a(m.java:41)
        at com.ibm.jsse2.d.a(d.java:5)
        at com.ibm.jsse2.d.a(d.java:57)
        at com.ibm.jsse2.s.a(s.java:48)
        at com.ibm.jsse2.ap.a(ap.java:433)
        at com.ibm.jsse2.ap.c(ap.java:154)
        at com.ibm.jsse2.ap.wrap(ap.java:277)
    Stack trace seen while using the IBMJCE crypto provider:
    java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 4096
        at java.lang.System.arraycopy(Native Method)
        at com.ibm.crypto.provider.ay.a(Unknown Source)
        at com.ibm.crypto.provider.AESGCMCipherInHardware.engineDoFinal(Unknown Source)
        at javax.crypto.CipherSpi.a(Unknown Source)
        at javax.crypto.CipherSpi.engineDoFinal(Unknown Source)
        at javax.crypto.Cipher.doFinal(Unknown Source)
        at com.ibm.jsse2.m.a(m.java:41)
        at com.ibm.jsse2.d.a(d.java:5)
        at com.ibm.jsse2.d.a(d.java:57)
        at com.ibm.jsse2.s.a(s.java:48)
        at com.ibm.jsse2.ap.a(ap.java:433)
        at com.ibm.jsse2.ap.c(ap.java:154)
        at com.ibm.jsse2.ap.wrap(ap.java:277)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:33)
    .
    

Local fix

Problem summary

  • An ArrayIndexOutOfBoundsException occurs while using AES/GCM
    cipher suites for an SSL/TLS connection.
    

Problem conclusion

  • For some tests with AES/GCM encryption operations, the output
    buffer used to hold the encrypted data is too short to hold the
    tag.  This results in the ArrayIndexOutOfBoundsException.
    A fix has been applied to the IBMJCE crypto provider to detect
    this situation and to resize the output buffer.
    .
    This APAR will be fixed in the following Java Releases:
       8    SR3 FP11  (8.0.3.11)
       7    SR9 FP60  (7.0.9.60)
       6 R1 SR8 FP35  (6.1.8.35)
       6    SR16 FP35 (6.0.16.35)
       7 R1 SR3 FP60  (7.1.3.60)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
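
The buffer-sizing condition described in the problem conclusion can be illustrated with the standard JCE API. This is an added example, not IBM's code or the provider's fix: the class name GcmOutputSizing, the 128-bit tag length and the 4096-byte payload are assumptions chosen for illustration. It shows that AES/GCM output is the plaintext length plus the tag, what a length-checking provider reports for an undersized buffer, and a caller-side detect-and-resize using Cipher.getOutputSize.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec;
import java.security.SecureRandom;
import java.util.Arrays;

public class GcmOutputSizing {            // hypothetical class name
    static final int TAG_BITS = 128;      // assumed tag length: 16 bytes

    static Cipher newEncryptor(SecretKey key) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh IV for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }

    // Encrypt into the caller's buffer, growing it when it cannot hold
    // ciphertext plus tag (the condition this APAR's fix detects).
    static byte[] encryptInto(Cipher c, byte[] plaintext, byte[] out) throws Exception {
        int needed = c.getOutputSize(plaintext.length); // upper bound incl. tag
        if (out.length < needed) {
            out = new byte[needed];
        }
        int written = c.doFinal(plaintext, 0, plaintext.length, out, 0);
        return Arrays.copyOf(out, written);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] plaintext = new byte[4096];            // constructed sample payload
        byte[] tooSmall = new byte[plaintext.length]; // no room for the tag

        try {
            newEncryptor(key).doFinal(plaintext, 0, plaintext.length, tooSmall, 0);
            System.out.println("unexpected: output fit");
        } catch (ShortBufferException e) {
            // What a provider that checks the output length reports
            System.out.println("rejected: " + e.getMessage());
        }

        byte[] ct = encryptInto(newEncryptor(key), plaintext, tooSmall);
        System.out.println("plaintext=" + plaintext.length + " ciphertext+tag=" + ct.length);
    }
}
```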
    

Temporary fix

  • For the benefit of users of the IBMJCEFIPS security provider, a
    temporary fix has also been applied to the CipherSpi.java class
    of the IBMJCE framework (ibmjcefw.jar) for Java 6, 7, and 8 to
    work around this problem.
    For customers wanting to run with the IBMJCEFIPS crypto
    provider, the fix for APAR IV84129 will also be required.
    The IBMJCEFIPS crypto provider will be repaired prior to its
    next release/update.
    

Comments

APAR Information

  • APAR number

    IV87773

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-08

  • Closed date

    2016-08-12

  • Last modified date

    2016-09-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R270 PSY

       UP

  • R260 PSY

       UP

  • R600 PSY

       UP



Document information

More support for: Runtimes for Java Technology
Security

Software version: 270

Reference #: IV87773

Modified date: 13 September 2016