Here are descriptions of some of the more interesting or
significant changes made to Eclipse Memory Analyzer for the 1.12 release.
Enhancements and fixes
- Compressed HPROF dumps created by OpenJDK 15 and later VMs are now read by Memory Analyzer.
Also, the performance of Memory Analyzer reading HPROF dumps compressed by Gzip has been improved.
- Huge heap dumps can be handled in Memory Analyzer by discarding some of the objects from the heap dump.
Users of Memory Analyzer can now examine some of those unindexed and discarded objects through the inspector view and OQL.
- The Leaks Suspects Report and the Component Report have been improved with
additional sections and details. The reports are now more accessible with a screen reader.
- Other bugs have been fixed. See Memory Analyzer 1.12 issue list
Security fixes
Memory Analyzer 1.12 includes the security fixes first included in Memory Analyzer 1.9.2.
We highly recommend users of Eclipse Memory Analyzer version 1.9.1 or earlier to update to version 1.12.0 or subsequent versions.
- CVE-2019-17634
- PROBLEMTYPE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- DESCRIPTION
- Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose to download, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present when a report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system when the report is opened in Memory Analyzer.
- CVE-2019-17635
- PROBLEMTYPE
- CWE-502: Deserialization of Untrusted Data
- DESCRIPTION
- Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
The stand-alone Memory Analyzer 1.12 also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
- CVE-2020-27225
- PROBLEMTYPE
- CWE-306: Missing Authentication for Critical Function
- DESCRIPTION
- In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests
to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated
Eclipse Platform process or Eclipse Rich Client Platform process.
New and Noteworthy for Memory Analyzer 1.12
The latest New and Noteworthy document for version 1.12 is available
here.
New and Noteworthy for Memory Analyzer 1.11
The New and Noteworthy document for version 1.11 is available
here.