Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

corretto/corretto-8
develop @ a1180f6
424
Fixes
0
CVEs
CRITICAL
Peak severity
Highlights
Auth Bypass: 99 prior fixes. Scrutinize any change in this area.
Security: most-fixed (17 issues). Treat as high-risk during review.
252 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Remote Code Execution: JNDI LDAP lookups historically allowed unsafe deserialization of arbitrary objects or remote class loading via 'javaSerializedData' and 'trustURLCodebase' properties. This represents the highest-severity path to full remote code execution if untrusted LDAP lookups are processed.
Sandbox Escape: The MethodHandle and Reflection subsystem contains numerous vulnerabilities where type verification, caller-sensitive access checks, or domain combiners could be bypassed, allowing untrusted code to elevate privileges.
Side-Channel Attack: Timing side-channels (Bleichenbacher attacks) in RSA decryption and verification paths allow attackers to recover plaintexts. Fixes require constant-time unpadding and avoiding the early instantiation of BadPaddingException objects inside sensitive paths.