New and Noteworthy

Here are descriptions of some of the more interesting or significant changes made to Eclipse Memory Analyzer for the 1.13.0 release.

Enhancements and fixes

Security fixes

Memory Analyzer 1.13.0 includes the security fixes first included in Memory Analyzer 1.9.2. We recommend users of stand-alone Eclipse Memory Analyzer version 1.12.0 or earlier and highly recommend users of Eclipse Memory Analyzer version 1.9.1 or earlier to update to version 1.13.0 or subsequent versions.
CVE-2019-17634
PROBLEMTYPE CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DESCRIPTION
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose to download, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present when a report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system when the report is opened in Memory Analyzer.
CVE-2019-17635
PROBLEMTYPE CWE-502
Deserialization of Untrusted Data
DESCRIPTION
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Also some local configuration data is subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
The stand-alone Memory Analyzer 1.13.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
CVE-2021-34429
PROBLEMTYPE CWE-863
Incorrect Authorization
PROBLEMTYPE CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
PROBLEMTYPE CWE-551
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
DESCRIPTION
Stand-alone Eclipse Memory Analyzer version 1.12.0 and earlier includes a copy of Jetty subject to CVE-2021-34429. For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. Eclipse Memory Analyzer just uses Jetty as a web server to display help. If Eclipse Memory Analyzer is installed into an existing Eclipse installation it uses the copy of Jetty in that installation.
The stand-alone Memory Analyzer 1.12.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
CVE-2020-27225
PROBLEMTYPE
CWE-306: Missing Authentication for Critical Function
DESCRIPTION
In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich Client Platform process.

New and Noteworthy for Memory Analyzer 1.13.0

The latest New and Noteworthy document for version 1.13.0 is available here.

New and Noteworthy for Memory Analyzer 1.12.0

The New and Noteworthy document for version 1.12.0 is available here.

New and Noteworthy for Memory Analyzer 1.11.0

The New and Noteworthy document for version 1.11.0 is available here.