Here are descriptions of some of the more interesting or
significant changes made to Eclipse Memory Analyzer for the 1.15.0 release.
Latest version of this document
The latest New and Noteworthy document for version 1.15.0 is available
here.
Enhancements and fixes
- The leak suspects report has been improved with additional details of possible paths
to suspects, including local variables, and with more information for leaks involving a group of objects.
- There is an option to have stack frames processed as pseudo-objects and methods as pseudo-classes
when parsing an HPROF dump. This can be useful when examining the snapshot, as there is then a path
from each thread to its stack frames and on to the local variables.
- The values of BigInteger and BigDecimal objects are now displayed in the inspector view and next to the object
in trees and tables.
- A one line description of a heap dump is displayed in the heap dump details view.
This is taken from the first line of the notes for the snapshot entered by the user.
- Reports and exported HTML, CSV and text files are now generated in the
default workspace character encoding
rather than the JVM file encoding. This means that usually those files will be generated in UTF-8,
which expands the range of characters that can be displayed, particularly on Windows.
- Other issues have been fixed. See the Memory Analyzer 1.15.0 issue list.
Security fixes
Eclipse Memory Analyzer 1.15.0 includes the security fixes first included in Eclipse Memory Analyzer 1.9.2.
We recommend that users of stand-alone Eclipse Memory Analyzer version 1.14.0 or earlier, and
strongly recommend that users of Eclipse Memory Analyzer version 1.9.1 or earlier, update to version 1.15.0 or a subsequent version.
- CVE-2023-6194
- PROBLEMTYPE CWE-611
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. (XXE)
- DESCRIPTION
- In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.
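As an added illustration of the issue above (this is example code written for these notes, not Memory Analyzer's own report parser), the following Java program parses a constructed report definition whose DTD declares an external entity. A JAXP DocumentBuilder with default settings resolves the entity and splices the named file into the parsed document; the hardened factory refuses any DOCTYPE and disables external entity and DTD access. The class names, the "secret" temporary file and the report XML are all constructed for this example.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class ReportDefinitionParsing {

    // Constructed report definition (not a real MAT report): the DTD declares an
    // external entity pointing at a local file, and the entity is referenced from
    // element content, so a parser that resolves external entities reads the file
    // and splices its contents into the parsed document.
    static String maliciousReport(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE report [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<report><name>&xxe;</name><section name=\"Overview\"/></report>";
    }

    // Vulnerable style: a factory with default settings. The JDK's built-in
    // parser resolves external general entities unless told not to.
    static Document parseDefault(String xml) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened: a report definition never needs a DTD, so reject any DOCTYPE
    // outright. The remaining settings disable external entities and external
    // DTD/schema access in case a different parser ignores the first feature.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for any file the user can read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "contents of a local file".getBytes(StandardCharsets.UTF_8));
        String xml = maliciousReport(secret);
        try {
            Document leaked = parseDefault(xml);
            System.out.println("default parser, <name> = "
                    + leaked.getElementsByTagName("name").item(0).getTextContent());
            try {
                parseHardened(xml);
                System.out.println("hardened parser unexpectedly accepted the document");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected it: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `java ReportDefinitionParsing.java` on JDK 11 or later. The first line prints the temporary file's contents, which is exactly the disclosure described in the CVE; the second prints the parser's DOCTYPE-disallowed error. Rejecting the DOCTYPE is the simplest complete fix for a format that never legitimately carries one; the feature and attribute settings beneath it are the fallback for parsers that do not honour `disallow-doctype-decl`.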
- CVE-2019-17634
- PROBLEMTYPE CWE-79
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- DESCRIPTION
- Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must choose to download and open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present when a report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system when the report is opened in Memory Analyzer.
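The root cause of a report XSS of this kind is heap-derived text (class names, thread names, string values) being concatenated into HTML. The following Java program is an added example for these notes, not Memory Analyzer's own report generator: it builds one report table row from a constructed class name an attacker could plant in a dump, first unescaped and then through a minimal HTML escaper that covers both element content and a quoted attribute. The class and method names are invented for the example.

```java
public class LeakReportHtml {

    // Escape text taken from the heap (class names, string values, thread names)
    // before placing it in HTML element content or inside a double-quoted
    // attribute value. Covers the five characters that change meaning in HTML.
    static String escapeHtml(CharSequence s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: a heap string concatenated straight into the markup,
    // once as an attribute value and once as element content.
    static String rowUnescaped(String className, long retainedBytes) {
        return "<tr><td title=\"" + className + "\">" + className + "</td><td>"
             + retainedBytes + "</td></tr>";
    }

    // Hardened: every heap-derived value passes through escapeHtml. The byte
    // count is computed by the tool itself and is not attacker-controlled text.
    static String rowEscaped(String className, long retainedBytes) {
        String safe = escapeHtml(className);
        return "<tr><td title=\"" + safe + "\">" + safe + "</td><td>"
             + retainedBytes + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed "class name" as it could appear in a crafted dump's string table.
        String planted = "com.example.Cache\"><script>alert(document.cookie)</script>";
        System.out.println(rowUnescaped(planted, 4096));
        System.out.println(rowEscaped(planted, 4096));
    }
}
```

The first output line closes the `title` attribute early and injects a script element; the second renders the planted text literally. The same escaper must be applied at every point where dump content reaches the report, including query results exported to HTML, since one missed sink is enough to reintroduce the issue.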
- CVE-2019-17635
- PROBLEMTYPE CWE-502
- Deserialization of Untrusted Data
- DESCRIPTION
- Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must choose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
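The following Java program is an added example for these notes (not Memory Analyzer's own index code) of the standard mitigation for reading persisted data with Java serialization: an ObjectInputFilter allowlist (JEP 290, JDK 9 and later) that names exactly the record type the file may contain and rejects every other class before its constructor, readObject or readResolve can run. The IndexHeader record, the use of java.util.HashMap as a stand-in for an unexpected class, and the resource limits are constructed for this example; a real index would carry its own types and limits.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class ReportIndexFiles {

    // Stand-in for a persisted index record; hypothetical, not a MAT class.
    static final class IndexHeader implements Serializable {
        private static final long serialVersionUID = 1L;
        final String dumpName;
        final long objectCount;
        IndexHeader(String dumpName, long objectCount) {
            this.dumpName = dumpName;
            this.objectCount = objectCount;
        }
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any Serializable class on the classpath can be
    // instantiated by whoever controls the file.
    static Object readUnfiltered(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: allowlist of the types an index may contain plus depth and size
    // limits; the trailing "!*" rejects everything else. Checking happens when
    // the class descriptor is read, before any instance is created.
    static final ObjectInputFilter INDEX_FILTER = ObjectInputFilter.Config.createFilter(
            IndexHeader.class.getName() + ";java.lang.String;maxdepth=4;maxbytes=65536;!*");

    static Object readFiltered(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(INDEX_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new IndexHeader("java_pid1234.hprof", 1_000_000L));
        IndexHeader h = (IndexHeader) readFiltered(good);
        System.out.println("accepted: " + h.dumpName + ", " + h.objectCount + " objects");

        // Constructed "tampered" index: a class the index format never uses,
        // standing in for an attacker-chosen gadget class.
        byte[] tampered = serialize(new HashMap<String, String>());
        System.out.println("unfiltered read produced a "
                + readUnfiltered(tampered).getClass().getName());
        try {
            readFiltered(tampered);
            System.out.println("filtered read unexpectedly succeeded");
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected it: " + e.getMessage());
        }
    }
}
```

The rejected case ends in `InvalidClassException: filter status: REJECTED`. A filter of this shape is the second line of defence; the first is the advice in the notes above, that index files and configuration data be writable only by the user, and that indexes from an untrusted source be deleted and the dump reparsed.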
The stand-alone Memory Analyzer 1.15.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
- CVE-2023-4218
- PROBLEMTYPE
- CWE-611: Improper Restriction of XML External Entity Reference
- DESCRIPTION
- In Eclipse IDE versions < 2023-09 (4.29) some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks.
The user just needs to open any evil project or update an open project with a vulnerable file (for example, to review a foreign repository or patch).
- CVE-2023-33201
- PROBLEMTYPE
- CWE-295: Improper Certificate Validation
- DESCRIPTION
- Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability.
The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates.
During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
- NOTES
- Stand-alone Eclipse Memory Analyzer version 1.14.0 and earlier ships a version of Bouncy Castle For Java
subject to this CVE.
Note that stand-alone Memory Analyzer does not use LDAP, so it might not
be possible to exploit this vulnerability.
- CVE-2021-28170
- PROBLEMTYPE
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement
- CWE-20: Improper Input Validation
- DESCRIPTION
- In the Jakarta Expression Language implementation 3.0.3 and earlier,
a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
- NOTES
- Stand-alone Eclipse Memory Analyzer version 1.14.0 and earlier ships a version of Jakarta Expression Language
subject to this CVE.
Note that stand-alone Memory Analyzer does not directly use Jakarta Expression Language, so it might not
be possible to exploit this vulnerability.
- CVE-2022-2048
- PROBLEMTYPE
- CWE-400: Uncontrolled Resource Consumption
- CWE-664: Improper Control of a Resource Through its Lifetime
- CWE-410: Insufficient Resource Pool
- DESCRIPTION
- In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request,
the error handling has a bug that can wind up not properly cleaning up the active connections
and associated resources. This can lead to a Denial of Service scenario where there are not enough
resources left to process good requests.
- NOTES
- Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of Jetty
subject to this CVE.
Note that in stand-alone Memory Analyzer the Jetty help webserver only serves HTTP/1.1, so it might not
be possible to exploit this vulnerability.
Also note that it only listens on localhost, so is not accessible from outside the machine.
- CVE-2022-2191
- PROBLEMTYPE
- CWE-404: Improper Resource Shutdown or Release
- CWE-664: Improper Control of a Resource Through its Lifetime
- DESCRIPTION
- In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9, SslConnection
does not release ByteBuffers from the configured ByteBufferPool in error code paths.
- NOTES
- Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of Jetty
subject to this CVE. Note that stand-alone Eclipse Memory Analyzer does not use
HTTPS (SSL/TLS) connections to the Memory Analyzer Jetty help server, so it might not
be possible to exploit this vulnerability.
Also note that it only listens on localhost, so is not accessible from outside the machine.
- CVE-2021-41033
- PROBLEMTYPE
- CWE-300: Channel Accessible by Non-Endpoint
- DESCRIPTION
- In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021),
installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP;
that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code.
- NOTES
- Eclipse Memory Analyzer uses Equinox p2 to access update sites.
If in Eclipse Memory Analyzer the URL of the p2 update site is specified in p2 configuration as
HTTP rather than HTTPS then there is the possibility
of interception or modification of traffic before the connection is upgraded to HTTPS.
Stand-alone Eclipse Memory Analyzer 1.13.0 and later uses a version of Eclipse Equinox which gives a
warning such as:
org.eclipse.equinox.p2.repository
Warning
Thu Aug 25 16:52:34 BST 2022
Using unsafe http transport to retrieve http://download.eclipse.org/mat/latest/update-site/content.xml.xz, see CVE-2021-41033. Consider using https instead.
Consult the Error Log to see these warnings.
Eclipse Memory Analyzer 1.14.0 is configured to specify the supplied update sites
using HTTPS rather than HTTP.
It is then up to the user to specify HTTPS rather than HTTP in any new update site definition.
- CVE-2022-41704
- PROBLEMTYPE
- CWE-918: Server-Side Request Forgery (SSRF)
- DESCRIPTION
- A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code
from an SVG. This issue affects Apache XML Graphics prior to 1.16.
It is recommended to update to version 1.16.
- NOTES
- Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of
Batik of Apache XML Graphics subject to this CVE.
Eclipse Memory Analyzer does not directly use SVG.
Batik of Apache XML Graphics is a dependency of Eclipse E4 RCP and BIRT,
which are dependencies of Eclipse Memory Analyzer.
- CVE-2022-42890
- PROBLEMTYPE
- CWE-918: Server-Side Request Forgery (SSRF)
- DESCRIPTION
- A vulnerability in Batik of Apache XML Graphics allows an attacker
to run Java code from untrusted SVG via JavaScript.
This issue affects Apache XML Graphics prior to 1.16.
Users are recommended to upgrade to version 1.16.
- NOTES
- Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of
Batik of Apache XML Graphics subject to this CVE.
Eclipse Memory Analyzer does not directly use SVG.
Batik of Apache XML Graphics is a dependency of Eclipse E4 RCP and BIRT,
which are dependencies of Eclipse Memory Analyzer.
The stand-alone Memory Analyzer 1.13.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
- CVE-2021-34429
- PROBLEMTYPE CWE-863
- Incorrect Authorization
- PROBLEMTYPE CWE-200
- Exposure of Sensitive Information to an Unauthorized Actor
- PROBLEMTYPE CWE-551
- Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
- DESCRIPTION
- Stand-alone Eclipse Memory Analyzer version 1.12.0 and earlier includes a copy of Jetty subject to CVE-2021-34429.
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
Eclipse Memory Analyzer just uses Jetty as a web server to display help.
If Eclipse Memory Analyzer is installed into an existing Eclipse installation it
uses the copy of Jetty in that installation.
The stand-alone Memory Analyzer 1.12.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
- CVE-2020-27225
- PROBLEMTYPE
- CWE-306: Missing Authentication for Critical Function
- DESCRIPTION
- In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests
to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated
Eclipse Platform process or Eclipse Rich Client Platform process.
New and Noteworthy for Memory Analyzer 1.15.0
The latest New and Noteworthy document for version 1.15.0 is available
here.
New and Noteworthy for Memory Analyzer 1.14.0
The latest New and Noteworthy document for version 1.14.0 is available
here.
New and Noteworthy for Memory Analyzer 1.13.0
The New and Noteworthy document for version 1.13.0 is available
here.
New and Noteworthy for Memory Analyzer 1.12.0
The New and Noteworthy document for version 1.12.0 is available
here.