You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JDK bug https://bugs.openjdk.org/browse/JDK-8292158 could cause corruption of AES-CTR streams when running on CPUs with AVX-512 vectorized AES support (e.g. Intel Ice Lake, as used in AWS 6th generation EC2 instances).
This issue should be resolved in OpenJDK 11.0.18, 15.0.10, 17.0.6, 19.0.2, and 20.0.0 when released.
One can temporarily workaround this issue be adding one of the following sets of JVM arguments:
-XX:+UnlockDiagnosticVMOptions -XX:-UseAESCTRIntrinsics to disable only AES-CTR intrinsics
-XX:+UnlockDiagnosticVMOptions -XX:-UseAESIntrinsics to disable all AES intrinsics
-XX:-UseAES to disable all AES native instructions
==COMMIT_MSG==
To avoid potential stream corruption, throw if JDK-8292158 may cause AES-CTR encryption corruption.
Determine if JVM is impacted by JDK-8292158 which can corrupt AES-CTR encryption streams. This bug impacts JDKs up to 11.0.18, 15.0.10, 17.0.6, 19.0.2 and when running on CPUs with AVX-512 vectorized AES support.
Determine if JVM is impacted by JDK-8292158 which can corrupt AES-CTR
encryption streams. This bug impacts JDKs up to 11.0.18, 15.0.10,
17.0.6, 19.0.2 and when running on CPUs with AVX-512 vectorized AES
support.
See https://bugs.openjdk.org/browse/JDK-8292158
To avoid potential stream corruption, throw if JDK-8292158 may cause AES-CTR encryption corruption.
Determine if JVM is impacted by JDK-8292158 which can corrupt AES-CTR encryption streams. This bug impacts JDKs up to 11.0.18, 15.0.10, 17.0.6, 19.0.2 and when running on CPUs with AVX-512 vectorized AES support.
Determine if JVM is impacted by JDK-8292158 which can corrupt AES-CTR
encryption streams. This bug impacts JDKs up to 11.0.18, 15.0.10,
17.0.6, 19.0.2 and when running on CPUs with AVX-512 vectorized AES
support.
See https://bugs.openjdk.org/browse/JDK-8292158
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Before this PR
JDK bug https://bugs.openjdk.org/browse/JDK-8292158 could cause corruption of AES-CTR streams when running on CPUs with AVX-512 vectorized AES support (e.g. Intel Ice Lake, as used in AWS 6th generation EC2 instances).
This issue should be resolved in OpenJDK 11.0.18, 15.0.10, 17.0.6, 19.0.2, and 20.0.0 when released.
One can temporarily workaround this issue be adding one of the following sets of JVM arguments:
-XX:+UnlockDiagnosticVMOptions -XX:-UseAESCTRIntrinsicsto disable only AES-CTR intrinsics-XX:+UnlockDiagnosticVMOptions -XX:-UseAESIntrinsicsto disable all AES intrinsics-XX:-UseAESto disable all AES native instructions-XX:UseAVX=2to disable all AVX-512 instructionsSee palantir/sls-packaging#1411
After this PR
==COMMIT_MSG==
To avoid potential stream corruption, throw if JDK-8292158 may cause AES-CTR encryption corruption.
Determine if JVM is impacted by JDK-8292158 which can corrupt AES-CTR encryption streams. This bug impacts JDKs up to 11.0.18, 15.0.10, 17.0.6, 19.0.2 and when running on CPUs with AVX-512 vectorized AES support.
See https://bugs.openjdk.org/browse/JDK-8292158 introduced by https://bugs.openjdk.org/browse/JDK-8233741
==COMMIT_MSG==
Possible downsides?
This will fail fast and trigger runtime failures when running on un-mitigated JVMs rather than possible data corruption.