I need to determine whether a user's version of OpenJDK is susceptible to a particular security vulnerability. As an example, CVE-2016-0695 was discovered in OpenJDK 8u77, as revealed in the April 2016 Critical Patch Update. Ideally, detecting whether a user's OpenJDK version is vulnerable would be as simple as checking whether it's
If the OpenJDK build comes from a vendor, the vendor may publish security information. For example, here is the CVE-2016-0695 security information from Debian. This information typically contains the first fixed package version, according to some vendor-specific versioning scheme.
However, in general, you need to obtain the sources for that OpenJDK build and review them to see whether they contain the fix.
To find the patch corresponding to a particular CVE ID (say CVE-2016-0695), in most cases, the easiest way is to go to the Red Hat Bugzilla tracker, here the flaw bug for CVE-2016-0695, and note the internal Oracle bug number listed there, 8138593 in this case. Then you need to check out the appropriate OpenJDK sub-tree, in this case for the
hg clone http://hg.openjdk.java.net/jdk8u/jdk8u/jdk
And look in the history for the appropriate commit, based on the Oracle bug number (8138593):
changeset:   11581:594e8dca337c
user:        igerasim
date:        Thu Dec 24 08:42:10 2015 +0300
summary:     8138593: Make DSA more fair
The commits themselves do not contain CVE IDs (which are often not available when the fix is written, so this is understandable), so the detour via the Red Hat bug tracker is needed. (I have not seen a CVE-ID-to-bug-number mapping from Oracle.)
You can view the patch using another Mercurial command:
hg export 594e8dca337c
Once you have the patch, it is a matter of reviewing the source code to check whether it has been applied. If you cannot obtain the source code for some reason, for changes to the jdk, it is often sufficient to disassemble the relevant classes using javap -c. For native code, you need a different disassembler (such as