APAR status
Closed as program error.
Error description
Error Message: An ArrayIndexOutOfBoundsException occurs while using AES/GCM cipher suites for an SSL/TLS connection. This failure can occur while using either the IBMJCEFIPS crypto provider, or the IBMJCE crypto provider. . Stack Trace: Stack trace seen while using the IBMJCEFIPS crypto provider: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 4096 at java.lang.System.arraycopy(Native Method) at com.ibm.crypto.fips.provider.AESGCMCrypt.a(Unknown Source) at com.ibm.crypto.fips.provider.AESGCMCipher.a(Unknown Source) at com.ibm.crypto.fips.provider.AESGCMCipher.engineDoFinal(Unknown Source) at javax.crypto.CipherSpi.a(Unknown Source) at javax.crypto.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.jsse2.m.a(m.java:41) at com.ibm.jsse2.d.a(d.java:5) at com.ibm.jsse2.d.a(d.java:57) at com.ibm.jsse2.s.a(s.java:48) at com.ibm.jsse2.ap.a(ap.java:433) at com.ibm.jsse2.ap.c(ap.java:154) at com.ibm.jsse2.ap.wrap(ap.java:277) Stack trace seen while using the IBMJCE crypto provider: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 4096 at java.lang.System.arraycopy(Native Method) at com.ibm.crypto.provider.ay.a(Unknown Source) at com.ibm.crypto.provider.AESGCMCipherInHardware.engineDoFinal(Unk nown Source) at javax.crypto.CipherSpi.a(Unknown Source) at javax.crypto.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.jsse2.m.a(m.java:41) at com.ibm.jsse2.d.a(d.java:5) at com.ibm.jsse2.d.a(d.java:57) at com.ibm.jsse2.s.a(s.java:48) at com.ibm.jsse2.ap.a(ap.java:433) at com.ibm.jsse2.ap.c(ap.java:154) at com.ibm.jsse2.ap.wrap(ap.java:277) at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:33) .
Local fix
Problem summary
An ArrayIndexOutOfBoundsException occurs while using AES/GCM cipher suites for an SSL/TLS connection.
Problem conclusion
For some tests with AES/GCM encryption operations, the output buffer used to hold the encrypted data is too short to hold the tag. This results in the ArrayIndexOutOfBoundsException. A fix has been applied to the IBMJCE crypto provider to detect this situation and to resize the output buffer. . This APAR will be fixed in the following Java Releases: 8 SR3 FP11 (8.0.3.11) 7 SR9 FP60 (7.0.9.60) 6 R1 SR8 FP35 (6.1.8.35) 6 SR16 FP35 (6.0.16.35) 7 R1 SR3 FP60 (7.1.3.60) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
For the benefit of users of the IBMJCEFIPS security provider, a temporary fix has also been applied to the CipherSpi.java class of the IBMJCE framework (ibmjcefw.jar) for Java 6, 7, and 8 to workaround this problem. For customers wanting to run with the IBMJCEFIPS crypto provider, the fix for APAR IV84129 will also be required. The IBMJCEFIPS crypto provider will be repaired prior to its next release/update.
Comments
APAR Information
APAR number
IV87773
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-08
Closed date
2016-08-12
Last modified date
2016-09-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R270 PSY
UP
R260 PSY
UP
R600 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020