Here are descriptions of some of the more interesting or
significant changes made to Eclipse Memory Analyzer for the 1.13.0 release.
Enhancements and fixes
- The inspector view now allows sorting on the type, name or value in the
statics and attributes tab. If there are many statics or attributes
there is now an option to expand 25 more, or all the entries.
- Other bugs have been fixed. See Memory Analyzer 1.13.0 issue list
Security fixes
Memory Analyzer 1.13.0 includes the security fixes first included in Memory Analyzer 1.9.2.
We recommend users of stand-alone Eclipse Memory Analyzer version 1.12.0 or earlier and
highly recommend users of Eclipse Memory Analyzer version 1.9.1 or earlier to update to version 1.13.0 or subsequent versions.
- CVE-2019-17634
- PROBLEMTYPE CWE-79
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- DESCRIPTION
- Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose to download, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present when a report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system when the report is opened in Memory Analyzer.
- CVE-2019-17635
- PROBLEMTYPE CWE-502
- Deserialization of Untrusted Data
- DESCRIPTION
- Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
The stand-alone Memory Analyzer 1.13.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
- CVE-2021-34429
-
- PROBLEMTYPE CWE-863
- Incorrect Authorization
- PROBLEMTYPE CWE-200
- Exposure of Sensitive Information to an Unauthorized Actor
- PROBLEMTYPE CWE-551
- Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
- DESCRIPTION
- Stand-alone Eclipse Memory Analyzer version 1.12.0 and earlier includes a copy of Jetty subject to CVE-2021-34429.
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
Eclipse Memory Analyzer just uses Jetty as a web server to display help.
If Eclipse Memory Analyzer is installed into an existing Eclipse installation it
uses the copy of Jetty in that installation.
The stand-alone Memory Analyzer 1.12.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
- CVE-2020-27225
- PROBLEMTYPE
- CWE-306: Missing Authentication for Critical Function
- DESCRIPTION
- In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests
to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated
Eclipse Platform process or Eclipse Rich Client Platform process.
New and Noteworthy for Memory Analyzer 1.13.0
The latest New and Noteworthy document for version 1.13.0 is available
here.
New and Noteworthy for Memory Analyzer 1.12.0
The New and Noteworthy document for version 1.12.0 is available
here.
New and Noteworthy for Memory Analyzer 1.11.0
The New and Noteworthy document for version 1.11.0 is available
here.