URL: https://www.ibm.com/support/pages/apar/IJ48301

IJ48301: ZIP REGRESSION DUE TO FIX FOR CVE-2023-22036: INVALID CEN HEADER

APAR status

  • Closed as program error.

Error description

  • Error Message: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
    .
    Stack Trace: java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
     at java.base/java.util.zip.ZipFile$Source.zerror(ZipFile.java:1728)
     at java.base/java.util.zip.ZipFile$Source.checkExtraFields(ZipFile.java:1261)
     at java.base/java.util.zip.ZipFile$Source.checkAndAddEntry(ZipFile.java:1212)
     at java.base/java.util.zip.ZipFile$Source.initCEN(ZipFile.java:1667)
     at java.base/java.util.zip.ZipFile$Source.<init>(ZipFile.java:1445)
     ...
    .
    

Local fix

  • The regression can be circumvented with the following command
    line option, but this disables the fix for CVE-2023-22036 so it
    must be used with care:
     -Djdk.util.zip.disableZip64ExtraFieldValidation=true
    

Problem summary

  • The fix for CVE-2023-22036 under APAR IJ47678 caused a
    regression that throws a ZipException when attempting to open
    ZIP files produced by some third-party tools.
    The exception will look similar to this:
    java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data field size)
     at java.base/java.util.zip.ZipFile$Source.zerror(ZipFile.java:1728)
     at java.base/java.util.zip.ZipFile$Source.checkExtraFields(ZipFile.java:1261)
     at java.base/java.util.zip.ZipFile$Source.checkAndAddEntry(ZipFile.java:1212)
     at java.base/java.util.zip.ZipFile$Source.initCEN(ZipFile.java:1667)
     at java.base/java.util.zip.ZipFile$Source.<init>(ZipFile.java:1445)
     ...
    See OpenJDK bug 8313765 for more information.
    

Problem conclusion

  • The issue has been addressed with the fix for OpenJDK bug
    8313765.
    .
    This APAR will be fixed in the following Releases:
    .
    IBM Semeru Runtimes
     11 11.0.20.1
     17 17.0.8.1
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    maintenance can be found at:
     https://www.ibm.com/support/pages/java-sdk
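
An added check, not IBM's or OpenJDK's code: it classifies a JVM from its version string and launch options, using the fixed levels from the problem conclusion and the workaround flag from the local fix, so that a flag left in place after upgrading (which keeps the CVE-2023-22036 fix disabled) is caught. The function names, verdict words and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM or OpenJDK code. The flag and fixed levels are from
# this APAR; function names, verdicts and the sample inventory are constructed.
FLAG='-Djdk.util.zip.disableZip64ExtraFieldValidation=true'

# version_ge A B: succeed when dotted version A >= B (missing fields count as 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# zip64_verdict VERSION OPTIONS: print a one-word verdict for one JVM.
zip64_verdict() {
    ver=${1%%[!0-9.]*}                  # drop build suffixes such as "+1"
    case $ver in
        11|11.*) fixed=11.0.20.1 ;;     # fixed levels listed in this APAR
        17|17.*) fixed=17.0.8.1 ;;
        *) echo unknown-line; return 0 ;;
    esac
    case " $2 " in                      # match the flag as a whole option
        *[[:space:]]"$FLAG"[[:space:]]*) flagged=yes ;;
        *) flagged=no ;;
    esac
    if version_ge "$ver" "$fixed"; then
        [ "$flagged" = yes ] && echo remove-flag || echo ok
    else
        [ "$flagged" = yes ] && echo upgrade-then-remove-flag || echo upgrade
    fi
}

# Constructed inventory, one "version|JVM options" record per line.
report() {
    while IFS='|' read -r v opts; do
        printf '%-12s %s\n' "$v" "$(zip64_verdict "$v" "$opts")"
    done <<EOF
11.0.20|-Xmx1g $FLAG
11.0.20.1|-Xmx1g $FLAG
17.0.8.1|-Xmx512m
17.0.7|-Xmx512m
EOF
}
report
```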
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ48301

  • Reported component name

    OPENJDK CLASS L

  • Reported component ID

    621800100

  • Reported release

    B00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-08-31

  • Closed date

    2023-08-31

  • Last modified date

    2023-09-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    OPENJDK CLASS L

  • Fixed component ID

    621800100

Applicable component levels


Document Information

Modified date:
11 September 2023