Details

      Description

      The default of the flag ShowCodeDetailsInExceptionMessages was changed to 'true'. The helpful NullPointerException messages of [JEP 358](http://openjdk.java.net/jeps/358) are now printed by default. The messages contain snippets of the code where the NullPointerException was raised.

      App deployers should double check the output of their web applications and similar usage scenarios.
      The NullPointerException message could be included in application error messages or be displayed by other means in the app. This could give remote attackers valuable hints about a potential vulnerable state of the software components being used.

      An example message is 'Cannot read field "c" because "a.b" is null'. The attacker knows that field b of a contains null which might be unintended and offer an opportunity for an attack. For more details of what the message can contain see the above mentioned [JEP 358](http://openjdk.java.net/jeps/358).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                goetz Goetz Lindenmaier
                Reporter:
                darcy Joe Darcy
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: